Top 10 Open Source Forums – 12 Months of Vulnerabilities

A friend of mine asked me to recommend a secure open source PHP bulletin board (forum). Having worked with phpBB in the past, I remembered the large number of phpBB security vulnerabilities that were reported every few months, so I decided to take a look at today’s top 10 bulletin boards and see how many security vulnerabilities Secunia has published for each of them in the last 12 months.


For my test I chose

  • phpBB
  • YaBB
  • bbPress
  • Beehive
  • deluxeBB
  • iceBB
  • MyBB
  • Phorum
  • PunBB

The results show that phpBB and MyBB still rule the game of security vulnerabilities with 13 each (averaging one a month!), whilst bbPress and Beehive had no public vulnerability disclosure.

Vulnerabilities disclosed during May 2006 – May 2007

    #    Bulletin Board    Vulnerabilities
    1    BBPress            1
    2    Beehive            1
    3    IceBB              1
    4    QuickSilver        1
    5    YaBB               2
    6    PunBB              3
    7    Phorum             4
    8    DeluxeBB           7
    9    PHPbb             13
    10   MyBB              13

I know that the more attention an application gets, the more prone it is to being picked on for vulnerabilities. I will watch the comments on this top 10, but right now I would go for bbPress or Beehive :)

Here are the complete results:

BBPress: BBpress XSS Vulnerability
Beehive: Beehive Zero Vulnerabilities – Myth BUSTED

IceBB: 1

1 IceBB Avatar SQL Injection and PHP Code Execution 2007-03-27

QuickSilver: 1

1 Quicksilver Forums "set[include_path]" File Inclusion Vulnerability  2006-09-14

YaBB: 2

1 SuperMod "sourcedir" File Inclusion Vulnerabilities 2006-10-16
2 YaBB SE "user" SQL Injection Vulnerability 2006-06-23

PunBB: 3

1 PunBB "referer" and Category Name Vulnerabilities 2007-04-12
2 PunBB "language" Parameter Local File Inclusion 2006-10-31
3 PunBB "redirect_url" Cross-Site Scripting Vulnerability 2006-05-05


Phorum: 4

1 Phorum Multiple Vulnerabilities 2007-04-20
2 Phorum "admin.php" Cross-Site Scripting Vulnerability 2007-03-06
3 Phorum Cross-Site Scripting and Local File Inclusion 2006-07-14
4 Phorum Cross-Site Scripting Vulnerability 2006-06-27

DeluxeBB: 7

1 DeluxeBB "templatefolder" File Inclusion Vulnerability 2006-10-02
2 DeluxeBB pm.php Authentication Bypass Vulnerability 2006-08-08
3 DeluxeBB Multiple Vulnerabilities 2006-07-19
4 DeluxeBB Cross-Site Scripting and SQL Injection 2006-06-26
5 DeluxeBB SQL Injection and File Inclusion Vulnerabilities 2006-06-14
6 DeluxeBB Multiple File Extensions File Upload Vulnerability 2006-05-17
7 DeluxeBB "name" SQL Injection Vulnerability 2006-05-16

PHPbb: 13

1 Phpbb Tweaked "phpbb_root_path" File Inclusion 2007-02-01
2 Virtual Path for phpBB "phpbb_root_path" File Inclusion 2007-01-26
3 phpBB privmsg.php Cross-Site Request Forgery and Cross-Site Scripting 2006-12-08
4 Fully Modded phpBB Multiple File Inclusion Vulnerabilities 2006-10-24
5 phpBB PlusXL "phpbb_root_path" File Inclusion Vulnerability 2006-10-16
6 phpBB Archive for Search Engines "phpbb_root_path" File Inclusion 2006-10-16
7 Dimension of phpBB "phpbb_root_path" File Inclusion Vulnerabilities 2006-10-06
8 phpBB "avatar_path" PHP Code Execution Vulnerability 2006-10-04
9 phpBB XS "phpbb_root_path" File Inclusion Vulnerability 2006-09-29
10 phpBB XS "phpbb_root_path" File Inclusion Vulnerability 2006-09-18
11 phpBB XS "phpbb_root_path" File Inclusion Vulnerabilities 2006-09-12
12 phpBB Premod Shadow "phpbb_root_path" File Inclusion 2006-09-07
13 phpBB "Upload Avatar from a URL" Weakness and PHP Code Execution 2006-05-16

MyBB: 13

1 MyBB "day" SQL Injection Vulnerability 2007-04-24
2 MyBB "Client-IP" SQL Injection and Code Execution 2007-04-04
3 MyBB private.php Cross-Site Request Forgery and Cross-Site Scripting 2007-01-25
4 MyBB Cross-Site Scripting Vulnerabilities 2006-09-18
5 MyBB Cross-Site Scripting and Script Insertion Vulnerabilities 2006-08-31
6 MyBB Avatar / Attachment Script Insertion Vulnerability 2006-08-28
7 MyBB "avatarurl" Script Insertion Vulnerability 2006-07-24
8 MyBB "CLIENT-IP" SQL Injection Vulnerability 2006-07-17
9 MyBB editpost.php Cross-Site Request Forgery 2006-06-29
10 MyBB Multiple Vulnerabilities 2006-06-29
11 MyBB "showcodebuttons" SQL Injection Vulnerability 2006-06-26
12 MyBB "domecode()" PHP Code Execution Vulnerability 2006-06-12
13 MyBB "do" Parameter Cross-Site Scripting Vulnerability 2006-06-08

What open source forum would you recommend? Are these numbers relevant?




19 Responses to “Top 10 Open Source Forums – 12 Months of Vulnerabilities”

  • 1
    Ory Segal
    May 31st, 2007 05:59

    Hello Dragos,

    Hold the press – from a 2-minute review of BBPress (which in your research yielded 0 vulnerabilities), I can already tell you that the login page contains an XSS vulnerability. (I am talking about the latest version of BBPress here.)

    Check out the source code of bb-login.php, and you’ll figure it out. (It’s exploitable.)
    Bottom line, I haven’t seen a single BB app lately that doesn’t contain any vulnerabilities :-)

    Hope this helps,
    -Ory Segal

  • 2
    Dragos Lungu
    June 1st, 2007 04:45

    Hi Ory,
    well, the list is based on Secunia public vulnerability disclosures and I didn’t intend to go into 0-day exploits. Now that you made me curious, I looked into bb-login.php and I couldn’t find an exploitable XSS :(

    I’m posting the bb-login.php file:

    <?php
    require('./bb-load.php');

    // Work out where to send the user afterwards: $ref is the HTTP referer,
    // $re an optional redirect target supplied by the form or the query string.
    $ref = wp_get_referer();

    if ( 0 === strpos($ref, bb_get_option( 'uri' )) ) {
        $re = $_POST['re'] ? $_POST['re'] : $_GET['re'];
        if ( 0 !== strpos($re, bb_get_option( 'uri' )) )
            $re = $ref . $re;
    } else
        $re = bb_get_option('uri');

    nocache_headers();

    if ( isset( $_REQUEST['logout'] ) ) {
        bb_logout();
        wp_redirect( $re );
        exit;
    }

    // Not logged in and no successful login: render the login template
    // with the values listed in the array below.
    if ( !bb_is_user_logged_in() && !$user = bb_login( @$_POST['user_login'], @$_POST['password'] ) ) {
        $user_exists = bb_user_exists( @$_POST['user_login'] );
        $user_login = user_sanitize ( @$_POST['user_login'] );
        $redirect_to = wp_specialchars( $re, 1 );
        bb_load_template( 'login.php', array('re', 'user_exists', 'user_login', 'redirect_to', 'ref') );
        exit;
    }

    wp_redirect( $re );
    ?>

    The user_sanitize function permits only a-z, A-Z and 0-9, so no luck with the username string.
    The $re parameter is appended to the current URL and, although it seems an easy catch for a forceful redirect, the appended string starts with /, which sucks.

    So please let me know which vulnerability you have spotted :). Please email me (dragos@dragoslungu.com) or post it here and I will edit the post to reflect your findings.

    I would really appreciate it.
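A hardened version of the redirect-target handling discussed in the comment above, written as an added example and not bbPress code: the site URI, the function names and the sample inputs are constructed for illustration. It accepts only a site-relative path or an absolute URL on the same host, falls back to the site root otherwise, and HTML-escapes the value before it would reach the template, as wp_specialchars does in bb-login.php.

```php
<?php
declare(strict_types=1);

// Constructed sample value standing in for bb_get_option('uri').
const SITE_URI = 'http://forum.example.com/';

/**
 * Return a safe redirect target for $candidate, or the site root.
 * Compares scheme and host of an absolute URL with the site URI instead of
 * relying on a string-prefix test, and accepts only http/https targets.
 */
function safe_redirect_target(?string $candidate, string $site = SITE_URI): string
{
    if ($candidate === null || $candidate === '') {
        return $site;
    }
    // Site-relative path: exactly one leading slash (so "//host" is refused)
    // and no control or whitespace characters anywhere in it.
    if (preg_match('#^/(?!/)[^\x00-\x1f\s]*\z#', $candidate)) {
        return rtrim($site, '/') . $candidate;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $site;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $site;
    }
    $siteHost = parse_url($site, PHP_URL_HOST);
    if (!is_string($siteHost) || strcasecmp($parts['host'], $siteHost) !== 0) {
        return $site;
    }
    return $candidate;
}

/** HTML-escape a value before it is placed in an attribute of the login template. */
function esc_attr_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs, as a browser might send them in "re".
$samples = ['/topic/42', 'http://forum.example.com/profile', 'http://elsewhere.example/', '//elsewhere.example/', ''];
foreach ($samples as $s) {
    printf("%-36s -> %s\n", var_export($s, true), esc_attr_value(safe_redirect_target($s)));
}
```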

  • 3
    Ory Segal
    June 3rd, 2007 06:55

    I’ve sent you an email; let me know what you make of it.

  • 4
    BBpress XSS vulnerability | Dragos Lungu Dot Com
    June 7th, 2007 04:05

    […] Ory Segal pointed out in his comment on the forum vulnerabilities post , the BBpress authentication page (bb-login.php) is home of a XSS […]

  • 5
    Beehive Zero Vulnerabilities - Myth BUSTED | Dragos Lungu Dot Com
    June 10th, 2007 07:53

    […] gets all the credit for this one and, again, I updated the forum vulnerabilities post […]

  • 6
    dre
    June 10th, 2007 15:06

    OWASP runs vBulletin (this costs money btw), but then again – it also runs WordPress for blogs and MediaWiki for the main site, and these aren’t exactly secure web applications.

    Andrew van der Stock (of OWASP fame) wrote his own secure forum software as well: http://www.ultimabb.com/

    PunBB, SMF (Simple Machines), and Vanilla also have very good reputations for free forum software.

    For web-anything, I normally suggest JSPWiki (or something very similar) fronted by mod_security. I’d like to see JSPWiki or something very similar re-written in HDIV Struts with proper use of Validator everywhere.

    The most important aspect is to keep your forum software up-to-date, especially after known vulnerabilities are released to the public.

  • 7
    Dragos Lungu
    June 11th, 2007 07:43

    Thanks dre, I will test some of these apps pretty soon and I’ll post the results. As Ory pointed out, there are no “Zero vulnerability” applications out there; sometimes it’s just harder to find those bugs :)

  • 8
    » links for 2008-05-16 | Paul Cowles
    June 2nd, 2008 17:17

    […] Top 10 Open Source Forums – 12 Months of Vulnerabilities | Dragos Lungu Dot Com (tags: opensource forums) […]

  • 9
    dreamluverz
    May 6th, 2009 08:51

    Thanks for sharing. I’m looking for a good forum software to install, and it’s a good thing you have this information. But it seems like you don’t have SMF here?

  • 10
    TroyBC
    June 7th, 2009 09:06

    Mendota Heights
    USA
    What is the best ecommerce platform – shopping cart? …If you are thinking osCommerce,
    I don’t think so; as you can see, X-cart is the most popular eCommerce platform.
    Just checked my WEBS:
    http://www.istockvanities.com/
    http://www.istocktile.com/
    http://www.istocklighting.com/
    http://www.istockfurniture.com/

    I’ll really appreciate your attention.

  • 11
    Runescape_hater
    June 21st, 2009 17:08

    Hey, I just wanted to say hi to everyone.

  • 12
    lyndon
    July 12th, 2009 07:13

    thanks for the info.. still have no idea what forum app I will use, but maybe I will use phpBB or vBulletin.. what do you guess, guys? thanks

  • 13
    BlueHornet
    July 17th, 2009 13:45

    This looks interesting, so far.
    If there’s anyone else here, let me know.
    Oh, and yes I’m a real person LOL.

    Bye,

  • 14
    MichaellaS
    July 20th, 2009 08:49

    Thanks for the effort you put in here, I appreciate it!

  • 15
    shuctinfith
    August 16th, 2009 09:06

    Hi,

    I am new to http://www.dragoslungu.com and just want to introduce myself.

    Thanks

  • 16
    HansDietrich
    November 9th, 2009 00:47

    Congratulations on the new blog!

  • 17
    Dragos Lungu
    November 10th, 2009 02:17

    Thanks! :)

  • 18
    What Is Social Media and Why Do We Need It? | eWiiZone.com
    October 16th, 2010 00:13

    […] Dragos Lungu Dot Com – Security Tools and Tips […]

  • 19
    BlogofMissDisaster
    August 24th, 2012 01:45

    That’s interesting, I didn’t expect that the difference between PunBB and PHPBB would be this huge. Thank you for such an informative post and your research!

