Sunday, March 11, 2007

Why might phpBB always be insecure?

Mainly because

1) it's open source; its source code is open to all curious eyes, so searching for flaws is easy compared with an expensive commercial forum like vBulletin, which does not provide its source code and costs at least $160 per license.

2) it's prevalent and it's free, widely used by forum sites. This entices attackers, because once they can exploit one site they can do thousands of sites. The analogy is the same as why hackers target the Windows system: it's widely used by today's PC users.

3) it has significant vulnerabilities that differ between versions, so an attacker will take advantage of version-specific vulnerabilities to crush your forum.


Countermeasures ::


As its source is open and can be freely modified, you should modify the code to make it more secure.
No doubt a customized phpBB package will reduce the attacks that can work against it, because many webmasters rely on the default package installation, up and running with little effort.

The first thing you need to do is make sure your forum runs the most up-to-date version.
If you're too busy to check, sign up for the free newsletter at www.phpbb.com and they'll notify you when an update is out.

Next, for example, check this phrase out:

Quote:

Powered by phpBB © 2001, 2002 phpBB Group



If an attacker sees this, he'll probably say "Oh, your forum seems a little bit out of date. I'll prove it to you in a moment."

This phrase also shows what range of forum versions is being used on your site.

So remove the years and leave just this:

Quote:

Powered by phpBB © phpBB Group



Well, this gives the attacker no clue about which forum version you're using.
Great! Each version can be exploited through its version-specific vulnerabilities.
Giving him no clue forces him to try a dozen malicious methods against your forum instead of going straight to the one that fits.
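The footer check described above can be automated as a self-audit of your own forum's pages. The following Python script is an added example, not code from the original post or from phpBB itself: it scans a page's HTML for the two ways the default footer identifies the release (an explicit "phpBB x.y.z" version string and the copyright year range after the © symbol) and rewrites the footer into the trimmed "Powered by phpBB © phpBB Group" form. The sample footers are constructed for the demonstration and the regular expressions are the author's assumptions about how the footer is written, not anything phpBB documents.

```python
import re

# Constructed sample footers (not copied from any real site) that illustrate
# the cases discussed in the post: the default phpBB 2 footer with copyright
# years, a footer that also prints an explicit version, and the trimmed
# footer the post recommends.
SAMPLE_FOOTERS = {
    "default": '<div id="copyright">Powered by phpBB &copy; 2001, 2002 phpBB Group</div>',
    "explicit": '<div id="copyright">Powered by phpBB 2.0.19 &copy; 2001, 2005 phpBB Group</div>',
    "trimmed": '<div id="copyright">Powered by phpBB &copy; phpBB Group</div>',
}

# The copyright symbol may be written as the HTML entity, the literal
# character, or "(c)"; accept all three.
COPYRIGHT = r"(?:&copy;|©|\(c\))"

# Group 1: the copyright symbol; group 2: one or more four-digit years,
# separated by commas, spaces or dashes ("2001, 2002", "2001-2005"), that
# sit between the symbol and "phpBB Group".
YEAR_PATTERN = re.compile(
    r"(" + COPYRIGHT + r")\s*((?:\d{4}[\s,\-]*)+)phpBB Group", re.IGNORECASE
)

# An explicit version number printed directly after "phpBB".
VERSION_PATTERN = re.compile(r"phpBB\s+(\d+\.\d+(?:\.\d+)?)", re.IGNORECASE)


def audit_footer(html):
    """Return a list of (kind, value) findings describing what the footer leaks.

    An empty list means the page gives away neither an explicit version nor a
    copyright year range; either one narrows down the release the site runs.
    """
    findings = []
    m = VERSION_PATTERN.search(html)
    if m:
        findings.append(("version", m.group(1)))
    m = YEAR_PATTERN.search(html)
    if m:
        years = tuple(re.findall(r"\d{4}", m.group(2)))
        findings.append(("years", years))
    return findings


def strip_footer(html):
    """Rewrite the footer so it reads 'Powered by phpBB © phpBB Group'.

    The explicit version (if any) is dropped first, then the year range is
    removed while the copyright symbol itself is kept.
    """
    html = VERSION_PATTERN.sub("phpBB", html)
    html = YEAR_PATTERN.sub(r"\1 phpBB Group", html)
    return html


if __name__ == "__main__":
    # Run stand-alone: report what each sample footer leaks, then show
    # that the stripped form leaks nothing.
    for name, footer in SAMPLE_FOOTERS.items():
        print(name, "->", audit_footer(footer) or "no version hints")
        print("  stripped:", strip_footer(footer))
```

Note that this only removes the hint; the version-specific vulnerabilities are still there until you apply the update, so the first countermeasure (staying current) remains the one that actually closes the holes. Run the audit against the rendered HTML of your own forum rather than the template file, since the template engine may fill in the year range at render time.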


Why would anyone want to attack?


» Just to abuse you and your members

» Just to defame your forum among underground communities; yeah, they'll list your site on their pages of hacked or victim sites