From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/20100927/000312.html | 197 ++++++++++++++++++++++++++++++++ 1 file changed, 197 insertions(+) create mode 100644 zarb-ml/mageia-dev/20100927/000312.html (limited to 'zarb-ml/mageia-dev/20100927/000312.html') diff --git a/zarb-ml/mageia-dev/20100927/000312.html b/zarb-ml/mageia-dev/20100927/000312.html new file mode 100644 index 000000000..60f8539b2 --- /dev/null +++ b/zarb-ml/mageia-dev/20100927/000312.html @@ -0,0 +1,197 @@ + + + + [Mageia-dev] A comparison of forum software from a security POV + + + + + + + + + +

[Mageia-dev] A comparison of forum software from a security POV

+ Maât + maat-ml at vilarem.net +
+ Mon Sep 27 17:28:11 CEST 2010 +

+
+ +
Le 27/09/2010 10:02, Romain d'Alverny a écrit :
+> Hi,
+>
+> On Mon, Sep 27, 2010 at 08:19, Tux99 <tux99-mga at uridium.org> wrote:
+>   
+>> I did a quick comparison of the most common forum software packages
+>> (both commercial and FOSS) from a vulnerability point of view.
+>>
+>> I'm subscribed to the well known (every sysadmin that takes his/her job
+>> seriously is subscribed to it) weekly SANS "@RISK: The Consensus
+>> Security Alert" newsletter since 2000, so I have an mbox archive file
+>> that contains almost 11 years worth of weekly alerts of software
+>> vulnerabilities.
+>>
+>> A quick an easy way that I have used before to assess the vulnerability
+>> of any software is to do a simple grep of the software name in this mbox
+>> file and count the times that software gets mentioned. While this is not
+>> 100% scientific it gives a good approximation of the amount of
+>> vulnerabilities a particular software has suffered from.
+>>     
+> Indeed. It's interesting. But ranking only by the disclosed number of
+> vulnerabilities in the past does not assess what will be in the
+> future. It's not enough.
+>
+> What would be an additional important figure is, how long has it been
+> for each vulnerability to be fixed; how many users each has had, etc.
+>
+> Plus, what type of vulnerability. Plus, for what branch of the
+> software (I guess, for instance, phpBB 2.x and 3.x are a bit
+> different).
+>   
+Hi,
+
+phpbb2 and phpbb3 share very few lines of code afaik
+
+And statistics are enough to explain :
+
+phpBB2: 38 advisories (27 vuln) 0% unpatched
+http://secunia.com/advisories/product/463/
+
+9% highly critical, 34% moderate, 49% low, 9% not
+
+phpBB2 is/was a well known security nightmare :o)
+
+----
+
+fudForum: 2 advisories (2 vuln) 0% unpatched
+http://secunia.com/advisories/product/5530/
+
+50% highly critical, 50% moderate
+
+The critical one allowing system access :o)
+
+----
+
+phpBB3: 4 advisories (5 vuln) 0% unpatched
+http://secunia.com/advisories/product/17998/
+
+0% highly critical, 25 % moderate, 75% low
+
+----
+
+I crearly consider phpBB3 not less secure than fudForum can be :)
+
+
+> What we do need is a forum that matches our needs; actually pretty
+> basic, but maybe for having good admin features, excellent
+> hackability, extensability, being well documented, having a nice
+> community of developers around it. And, provided we're in the free
+> software thing, we want to be able to share changes as well (would it
+> be only through our own community) without worrying.
+>
+> So, requirement #1: open source license (as in http://opensource.org/ ).
+>
+> [...]
+>
+> Romain
+>   
+when it comes to forum engine choice there are many things important to
+consider (in particular if we are optimistic enough to consider it could
+grow with Mageia future success).
+
+Security is one of them.
+
+If the forum is supposed to grow we must have something properly working
+under rather high load... than can involve a separate server for
+database (or even something stronger) that can also involve a forum
+engine that proved it's ability to survive high loads (and the biggest
+in http://www.big-boards.com runs phpBB3).
+
+Very *very* important if we want to be able to deal with trolls and
+forum users experience : we must have moderation needs being well
+addressed (global topic management with topics splitting and merging,
+easy messages management (editing, suppressing, moving... hiding ?),
+easy user management including things like temporary moderation of
+messages to calm down trolls and other useful thing like detection of
+multiple accounts creation, temporary or definitive banishment, ability
+to give extended rights to "special" people (dev, bug squad, doc
+writers, technical support...)
+
+If we want to provide a good user experience we must have something that
+provide a templating system easy to understand and to play with.
+
+Then there are administration features (bot management, forum structure,
+fine grained access control and tuning)
+
+And obviously hackability is important to allow things like SSO and
+other cool things (perhaps nice RSS features ? Mailing Lists connection
+? Button available to Technical support team and moderators allowing to
+send an alert on Cauldron list if a post can be interresting for devs ?
+Bugzilla connection ?)
+
+Something very secure that cannot do the job or that will make
+moderators life a hell and user experience a pain is not the ideal forum
+engine imho
+
+All this parameters (and others less important) need to be taken in
+account and the first people whom i would listen to are future
+administrators and moderators... because they will suffer with it every
+day... and beacause the quality of their work and attitude toward forum
+users will be the first thing likely to attract people and give a good
+reputation to Mageia community :)
+
+my2cents
+
+Maât
+
+
+-------------- next part --------------
+An HTML attachment was scrubbed...
+URL: </pipermail/mageia-dev/attachments/20100927/e7007c74/attachment.html>
+
+ + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
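Review bot: the scrubbed-attachment pointer near the end of the hunk, `URL: </pipermail/mageia-dev/attachments/20100927/e7007c74/attachment.html>`, is a root-relative path into the pipermail attachments tree, which this commit does not import under `zarb-ml/`; once the archive is served from the new location that link will be dead, so either add the matching `attachments/` directory alongside the message pages or rewrite the path when generating the static copy. The "More information about the Mageia-dev mailing list" footer link at the bottom of the hunk is worth the same check, since it was generated for the original pipermail host rather than for this repository layout.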