
View Full Version : relatively secure forum software
gbroiles 08-02-2002, 06:55 PM
Any suggestions/pointers for relatively secure forum software?
Seems like the dominant choice is vBulletin; apparently they did have a recent security issue (http://www.phpadvisory.com/advisories/view.phtml?ID=34) but likely every significant piece of software's going to have one or two. I'm a little wary of Phorum and phpBB because they seem to have had a number of recent issues, but maybe everything's all cleaned up.
I'm thinking mostly of something that's PHP and MySQL/Postgres based, but am willing to hear about other things, too - it's not essential that it be free, but that never hurts either.
The Prohacker 08-02-2002, 08:30 PM
vBulletin has had its share of security issues, but they always have a patch out within 24 hours, and a new release within the week....
Since vB is a paid product they can afford to have companies do security audits on their code.. And to update the exploitable code in good time...
Rochen 08-02-2002, 08:47 PM
I would agree that vB is probably the one where security issues are dealt with the best and possibly the one that spends more time and money looking into security. This generally means the product is more secure than the free alternatives, however I am not in a position to say whether it is or it isn't.
Mike the newbie 08-02-2002, 09:53 PM
Originally posted by The Prohacker
Since vB is a paid product they can afford to have companies do security audits on their code.. ..
Since Windows is a "paid product" Microsoft can afford to have companies do security audits on their code... blah... blah... blah...
Geesh... secure code is a state of mind, not an after-the-fact audit.
The Prohacker 08-02-2002, 09:59 PM
Originally posted by Mike the newbie
Since Windows is a "paid product" Microsoft can afford to have companies do security audits on their code... blah... blah... blah...
Geesh... secure code is a state of mind, not an after-the-fact audit.
There is a big difference, MS won't give their code to a third party to look it over, it can afford to have its own staff to do that...
vB releases its code, so it's open to many other exploits, but since it's open, a 3rd party can easily view it, and find a hole that someone might have looked over...
If you've done any large projects, you'll understand that when you look at code for hours and hours, you might miss something, it's sometimes nice to have someone else look over it....
I agree you have to think security when you're writing, but when you do something large, you're going to forget something...
BTW: in an earlier post today, MS opened a Win2k box to the public to have a go at it before it was final :D
Mike the newbie 08-03-2002, 10:08 AM
Originally posted by The Prohacker
There is a big difference, MS won't give their code to a third party to look it over, it can afford to have its own staff to do that...
vB releases its code, so it's open to many other exploits, but since it's open, a 3rd party can easily view it, and find a hole that someone might have looked over...
If you've done any large projects, you'll understand that when you look at code for hours and hours, you might miss something, it's sometimes nice to have someone else look over it....
I agree you have to think security when you're writing, but when you do something large, you're going to forget something...
BTW: in an earlier post today, MS opened a Win2k box to the public to have a go at it before it was final :D
I agree with what you've said. I was commenting more on the "you pay for it so it should be more secure" aspect.
Mike the newbie 08-03-2002, 10:10 AM
Originally posted by The Prohacker
...
BTW: in an earlier post today, MS opened a Win2k box to the public to have a go at it before it was final :D
I am more concerned that the EULA for the W2K SP3 effectively gives Microsoft the right to connect into my machine and disable software they deem that I should not be running.
Microsoft's foot in the door for DRM.
Ahmad 08-03-2002, 03:43 PM
vBulletin had lots of security issues because its developers knew nothing about PHP. They were Visual Basic developers, and they wrote that software for their websites, then it turned out to be a good business.
If you take a look at the code, you will see what I mean. It could have been much more efficient and secure if it was coded by somebody who has really practiced writing large PHP applications before.
Take the templates code for example. Their way of implementing templates was really bad, by crafting a PHP expression from the template and running eval on it, where they could have (and should have) used a replace method. This alone was the reason for many security problems in their product.
Anyway, since version 2.2.0 (or so), they have been releasing lots of security fixes, after they have hired a security expert to help them audit the code.
I hope their product will get better as their experience gets better, because it is still the most feature-rich choice :)
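
The eval-versus-replace contrast from the last post, as an added example that is not part of the thread and is not vBulletin's code. The template text, the variable names and the `probe()` helper are constructed for illustration, and the sketch assumes that some user-influenced text ends up inside the template string.

```php
<?php
// Constructed illustration; none of this is taken from vBulletin.

// Eval-style rendering: the template becomes a double-quoted PHP string
// literal and is executed, so PHP syntax inside the template text runs.
function render_eval(string $template, array $vars): string
{
    extract($vars);                               // placeholders become locals
    $code = str_replace('"', '\\"', $template);   // escape quotes only
    eval('$out = "' . $code . '";');              // template parsed as PHP source
    return $out;
}

// Replace-style rendering: $name placeholders are looked up in a fixed map,
// values are HTML-escaped, and the template is never parsed as PHP.
function render_replace(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\$([A-Za-z_][A-Za-z0-9_]*)/',
        function (array $m) use ($vars): string {
            return array_key_exists($m[1], $vars)
                ? htmlspecialchars((string) $vars[$m[1]], ENT_QUOTES, 'UTF-8')
                : $m[0];                          // unknown placeholder stays literal
        },
        $template
    );
}

// Harmless stand-in for "code that was never meant to run".
$executed = false;
function probe(): string
{
    global $executed;
    $executed = true;
    return 'username';
}

$vars    = ['username' => 'alice', 'count' => 3];
// Constructed template text containing PHP interpolation syntax.
$tainted = 'Hi $username, $count new posts. {${probe()}}';

// The replace renderer treats the braces as plain text.
echo render_replace($tainted, $vars), "\n";
var_dump($executed);

// The eval renderer parses the braces as PHP and calls probe().
echo render_eval($tainted, $vars), "\n";
var_dump($executed);
```

Comparing the two `var_dump` results shows which renderer executed the embedded expression; the replace renderer also limits substitution to names present in `$vars`.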