<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] A comparison of forum software from a security POV
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20A%20comparison%20of%20forum%20software%20from%20a%20security%20POV&In-Reply-To=%3C4CA0B80B.9070702%40vilarem.net%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000297.html">
   <LINK REL="Next"  HREF="000320.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] A comparison of forum software from a security POV</H1>
    <B>Ma&#226;t</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20A%20comparison%20of%20forum%20software%20from%20a%20security%20POV&In-Reply-To=%3C4CA0B80B.9070702%40vilarem.net%3E"
       TITLE="[Mageia-dev] A comparison of forum software from a security POV">maat-ml at vilarem.net
       </A><BR>
    <I>Mon Sep 27 17:28:11 CEST 2010</I>
    <P><UL>
        <LI>Previous message: <A HREF="000297.html">[Mageia-dev] A comparison of forum software from a security POV
</A></li>
        <LI>Next message: <A HREF="000320.html">[Mageia-dev] A comparison of forum software from a security POV
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#312">[ date ]</a>
              <a href="thread.html#312">[ thread ]</a>
              <a href="subject.html#312">[ subject ]</a>
              <a href="author.html#312">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>On 27/09/2010 10:02, Romain d'Alverny wrote:
&gt;<i> Hi,
</I>&gt;<i>
</I>&gt;<i> On Mon, Sep 27, 2010 at 08:19, Tux99 &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">tux99-mga at uridium.org</A>&gt; wrote:
</I>&gt;<i>   
</I>&gt;&gt;<i> I did a quick comparison of the most common forum software packages
</I>&gt;&gt;<i> (both commercial and FOSS) from a vulnerability point of view.
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> I'm subscribed to the well known (every sysadmin that takes his/her job
</I>&gt;&gt;<i> seriously is subscribed to it) weekly SANS &quot;@RISK: The Consensus
</I>&gt;&gt;<i> Security Alert&quot; newsletter since 2000, so I have an mbox archive file
</I>&gt;&gt;<i> that contains almost 11 years worth of weekly alerts of software
</I>&gt;&gt;<i> vulnerabilities.
</I>&gt;&gt;<i>
</I>&gt;&gt;<i> A quick and easy way that I have used before to assess the vulnerability
</I>&gt;&gt;<i> of any software is to do a simple grep of the software name in this mbox
</I>&gt;&gt;<i> file and count the times that software gets mentioned. While this is not
</I>&gt;&gt;<i> 100% scientific it gives a good approximation of the amount of
</I>&gt;&gt;<i> vulnerabilities a particular software has suffered from.
</I>&gt;&gt;<i>     
</I>&gt;<i> Indeed. It's interesting. But ranking only by the disclosed number of
</I>&gt;<i> vulnerabilities in the past does not assess what will be in the
</I>&gt;<i> future. It's not enough.
</I>&gt;<i>
</I>&gt;<i> What would be an additional important figure is, how long has it been
</I>&gt;<i> for each vulnerability to be fixed; how many users each has had, etc.
</I>&gt;<i>
</I>&gt;<i> Plus, what type of vulnerability. Plus, for what branch of the
</I>&gt;<i> software (I guess, for instance, phpBB 2.x and 3.x are a bit
</I>&gt;<i> different).
</I>&gt;<i>   
</I>Hi,

phpbb2 and phpbb3 share very few lines of code afaik

And the statistics are enough to explain:

phpBB2: 38 advisories (27 vuln) 0% unpatched
<A HREF="http://secunia.com/advisories/product/463/">http://secunia.com/advisories/product/463/</A>

9% highly critical, 34% moderate, 49% low, 9% not critical

phpBB2 is/was a well known security nightmare :o)

----

fudForum: 2 advisories (2 vuln) 0% unpatched
<A HREF="http://secunia.com/advisories/product/5530/">http://secunia.com/advisories/product/5530/</A>

50% highly critical, 50% moderate

The critical one allowing system access :o)

----

phpBB3: 4 advisories (5 vuln) 0% unpatched
<A HREF="http://secunia.com/advisories/product/17998/">http://secunia.com/advisories/product/17998/</A>

0% highly critical, 25 % moderate, 75% low

----

I clearly consider phpBB3 no less secure than fudForum can be :)


&gt;<i> What we do need is a forum that matches our needs; actually pretty
</I>&gt;<i> basic, but maybe for having good admin features, excellent
</I>&gt;<i> hackability, extensibility, being well documented, having a nice
</I>&gt;<i> community of developers around it. And, provided we're in the free
</I>&gt;<i> software thing, we want to be able to share changes as well (would it
</I>&gt;<i> be only through our own community) without worrying.
</I>&gt;<i>
</I>&gt;<i> So, requirement #1: open source license (as in <A HREF="http://opensource.org/">http://opensource.org/</A> ).
</I>&gt;<i>
</I>&gt;<i> [...]
</I>&gt;<i>
</I>&gt;<i> Romain
</I>&gt;<i>   
</I>When it comes to the choice of forum engine there are many important
things to consider (in particular if we are optimistic enough to think it
could grow with Mageia's future success).

Security is one of them.

If the forum is supposed to grow we must have something that works
properly under rather high load... that can involve a separate server for
the database (or even something stronger); it can also involve a forum
engine that has proved its ability to survive high loads (and the biggest
forum on <A HREF="http://www.big-boards.com">http://www.big-boards.com</A> runs phpBB3).

Very *very* important if we want to be able to deal with trolls and
forum users' experience: we must have our moderation needs well
addressed (global topic management with topic splitting and merging,
easy message management (editing, suppressing, moving... hiding?),
easy user management including things like temporary moderation of
messages to calm down trolls and other useful things like detection of
multiple account creation, temporary or definitive banishment, ability
to give extended rights to &quot;special&quot; people (dev, bug squad, doc
writers, technical support...))

If we want to provide a good user experience we must have something that
provides a templating system easy to understand and to play with.

Then there are administration features (bot management, forum structure,
fine grained access control and tuning)

And obviously hackability is important to allow things like SSO and
other cool things (perhaps nice RSS features? Mailing list connection?
A button available to the technical support team and moderators allowing
them to send an alert to the Cauldron list if a post could be interesting
for devs? Bugzilla connection?)

Something very secure that cannot do the job or that will make
moderators' lives hell and user experience a pain is not the ideal forum
engine imho

All these parameters (and others less important) need to be taken into
account, and the first people I would listen to are the future
administrators and moderators... because they will suffer with it every
day... and because the quality of their work and attitude toward forum
users will be the first thing likely to attract people and give a good
reputation to the Mageia community :)

my2cents

Ma&#226;t


-------------- next part --------------
An HTML attachment was scrubbed...
URL: &lt;/pipermail/mageia-dev/attachments/20100927/e7007c74/attachment.html&gt;
</PRE>
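The mbox-counting heuristic that Tux99 describes in the quoted part of the message above, together with the branch caveat Romain raises (phpBB 2.x and 3.x counted as one product), as an added example that is not part of this message, of the thread, or of the Mageia project: a Python script that counts, for each product name, how many messages in an mbox mention it and how many raw occurrences there are, first with a naive name match (what a plain grep does) and then with branch-aware patterns. The mbox content, the sender address, and the product list are constructed for illustration; they are not real @RISK newsletter text.

```python
"""Count forum-software mentions in an mbox of weekly security alerts.

Added example (not from the original message or the Mageia project).
The mbox below is constructed for illustration and is not real
@RISK newsletter content.
"""
import mailbox
import os
import re
import tempfile
from collections import Counter

# Constructed sample mbox: three fake weekly alert messages.
SAMPLE_MBOX = """\
From alerts@example.org Mon Sep 27 10:00:00 2010
From: alerts@example.org
Subject: Week 1 alerts

phpBB 2.0.x: SQL injection in the search module.
FUDforum: cross-site scripting in the message view.

From alerts@example.org Mon Oct  4 10:00:00 2010
From: alerts@example.org
Subject: Week 2 alerts

phpBB 3.0.x: information disclosure in attachment handling.
phpBB 2.0.x: remote file inclusion via the admin styles page.

From alerts@example.org Mon Oct 11 10:00:00 2010
From: alerts@example.org
Subject: Week 3 alerts

vBulletin: arbitrary file upload.
"""

# Naive matching, as in a plain "grep -i phpbb": phpBB 2.x and 3.x are
# lumped together even though they share very little code.
NAIVE = {
    "phpBB": re.compile(r"\bphpbb\b", re.I),
    "FUDforum": re.compile(r"\bfudforum\b", re.I),
    "vBulletin": re.compile(r"\bvbulletin\b", re.I),
}

# Branch-aware matching: the major version must follow the name.
# Mentions of "phpBB" with no version at all are deliberately not counted
# here, which is the price of separating the branches.
BRANCH_AWARE = {
    "phpBB2": re.compile(r"\bphpbb\s*2\b", re.I),
    "phpBB3": re.compile(r"\bphpbb\s*3\b", re.I),
    "FUDforum": NAIVE["FUDforum"],
    "vBulletin": NAIVE["vBulletin"],
}


def mention_counts(mbox_path, patterns):
    """Return {name: (messages_mentioning, total_occurrences)}.

    Messages and raw occurrences are counted separately: one alert that
    repeats a product name several times would otherwise inflate that
    product's score relative to the others.
    """
    messages = Counter()
    occurrences = Counter()
    box = mailbox.mbox(mbox_path)
    try:
        for msg in box:
            payload = msg.get_payload(decode=True) or b""
            text = (msg["Subject"] or "") + "\n" + payload.decode("utf-8", "replace")
            for name, pat in patterns.items():
                hits = len(pat.findall(text))
                if hits:
                    messages[name] += 1
                    occurrences[name] += hits
    finally:
        box.close()
    return {name: (messages[name], occurrences[name]) for name in patterns}


def write_sample_mbox():
    """Write the constructed mbox to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def run_demo():
    """Run both counts over the sample mbox; returns (naive, branch_aware)."""
    path = write_sample_mbox()
    try:
        return mention_counts(path, NAIVE), mention_counts(path, BRANCH_AWARE)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for label, table in zip(("naive", "branch-aware"), run_demo()):
        print(label)
        for name, (msgs, occ) in sorted(table.items()):
            print(f"  {name:10s} {msgs} messages, {occ} occurrences")
```

On the constructed sample the naive count reports phpBB in 2 messages with 3 occurrences, while the branch-aware count splits that into phpBB2 (2 messages) and phpBB3 (1 message); the two scores are not comparable unless the branches are separated, which is the point Romain makes. Pointing `mention_counts` at a real archive is a matter of passing its path instead of the temp file.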
<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="000297.html">[Mageia-dev] A comparison of forum software from a security POV
</A></li>
	<LI>Next message: <A HREF="000320.html">[Mageia-dev] A comparison of forum software from a security POV
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#312">[ date ]</a>
              <a href="thread.html#312">[ thread ]</a>
              <a href="subject.html#312">[ subject ]</a>
              <a href="author.html#312">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>