Top 10 Open Source Forums – 12 Months of Vulnerabilities
A friend of mine asked me to recommend a secure open source PHP bulletin board (forum). Having worked with phpBB in the past, I remembered the large number of phpBB security vulnerabilities which were reported every few months. I decided to take a look at today's top 10 bulletin boards and see how many security vulnerabilities Secunia had published for each of them in the last 12 months.
For my test I chose:
- phpBB
- YaBB
- bbPress
- Beehive
- deluxeBB
- iceBB
- MyBB
- Phorum
- PunBB
- QuickSilver
The results show that phpBB and MyBB still rule the game of security vulnerabilities with 13 each (averaging one a month!), whilst bbPress and Beehive had no public vulnerability disclosure on Secunia at the time of writing (the table and the notes below were updated afterwards with the findings reported in the comments).
Vulnerabilities disclosed during May 2006 – May 2007 (Secunia advisories)

| # | Bulletin Board | # Vulnerabilities |
|---|----------------|-------------------|
| 1 | bbPress | 1 |
| 2 | Beehive | 1 |
| 3 | IceBB | 1 |
| 4 | QuickSilver | 1 |
| 5 | YaBB | 2 |
| 6 | PunBB | 3 |
| 7 | Phorum | 4 |
| 8 | DeluxeBB | 7 |
| 9 | phpBB | 13 |
| 10 | MyBB | 13 |
I know that the more attention an application gets, the more it is prone to being picked on for vulnerabilities. I will watch the comments on this top 10, but right now I would go for bbPress or Beehive.
Here are the complete results (advisory title and publication date):

bbPress: BBpress XSS Vulnerability

Beehive: Beehive Zero Vulnerabilities – Myth BUSTED

IceBB: 1

| # | Advisory | Date |
|---|----------|------|
| 1 | IceBB Avatar SQL Injection and PHP Code Execution | 2007-03-27 |

QuickSilver: 1

| # | Advisory | Date |
|---|----------|------|
| 1 | Quicksilver Forums "set[include_path]" File Inclusion Vulnerability | 2006-09-14 |

YaBB: 2

| # | Advisory | Date |
|---|----------|------|
| 1 | SuperMod "sourcedir" File Inclusion Vulnerabilities | 2006-10-16 |
| 2 | YaBB SE "user" SQL Injection Vulnerability | 2006-06-23 |

PunBB: 3

| # | Advisory | Date |
|---|----------|------|
| 1 | PunBB "referer" and Category Name Vulnerabilities | 2007-04-12 |
| 2 | PunBB "language" Parameter Local File Inclusion | 2006-10-31 |
| 3 | PunBB "redirect_url" Cross-Site Scripting Vulnerability | 2006-05-05 |

Phorum: 4

| # | Advisory | Date |
|---|----------|------|
| 1 | Phorum Multiple Vulnerabilities | 2007-04-20 |
| 2 | Phorum "admin.php" Cross-Site Scripting Vulnerability | 2007-03-06 |
| 3 | Phorum Cross-Site Scripting and Local File Inclusion | 2006-07-14 |
| 4 | Phorum Cross-Site Scripting Vulnerability | 2006-06-27 |

DeluxeBB: 7

| # | Advisory | Date |
|---|----------|------|
| 1 | DeluxeBB "templatefolder" File Inclusion Vulnerability | 2006-10-02 |
| 2 | DeluxeBB pm.php Authentication Bypass Vulnerability | 2006-08-08 |
| 3 | DeluxeBB Multiple Vulnerabilities | 2006-07-19 |
| 4 | DeluxeBB Cross-Site Scripting and SQL Injection | 2006-06-26 |
| 5 | DeluxeBB SQL Injection and File Inclusion Vulnerabilities | 2006-06-14 |
| 6 | DeluxeBB Multiple File Extensions File Upload Vulnerability | 2006-05-17 |
| 7 | DeluxeBB "name" SQL Injection Vulnerability | 2006-05-16 |

phpBB: 13

MyBB: 13

| # | Advisory | Date |
|---|----------|------|
| 1 | MyBB "day" SQL Injection Vulnerability | 2007-04-24 |
| 2 | MyBB "Client-IP" SQL Injection and Code Execution | 2007-04-04 |
| 3 | MyBB private.php Cross-Site Request Forgery and Cross-Site Scripting | 2007-01-25 |
| 4 | MyBB Cross-Site Scripting Vulnerabilities | 2006-09-18 |
| 5 | MyBB Cross-Site Scripting and Script Insertion Vulnerabilities | 2006-08-31 |
| 6 | MyBB Avatar / Attachment Script Insertion Vulnerability | 2006-08-28 |
| 7 | MyBB "avatarurl" Script Insertion Vulnerability | 2006-07-24 |
| 8 | MyBB "CLIENT-IP" SQL Injection Vulnerability | 2006-07-17 |
| 9 | MyBB editpost.php Cross-Site Request Forgery | 2006-06-29 |
| 10 | MyBB Multiple Vulnerabilities | 2006-06-29 |
| 11 | MyBB "showcodebuttons" SQL Injection Vulnerability | 2006-06-26 |
| 12 | MyBB "domecode()" PHP Code Execution Vulnerability | 2006-06-12 |
| 13 | MyBB "do" Parameter Cross-Site Scripting Vulnerability | 2006-06-08 |
What open source forum would you recommend? Are these numbers relevant?
This entry was posted on Wednesday, May 30th, 2007.
May 31st, 2007 05:59
Hello Dragos,
Hold the press – from a 2-minute review of BBPress (which in your research yielded 0 vulnerabilities), I can already tell you that the login page contains an XSS vulnerability. (I am talking about the latest version of BBPress here.)
Check out the source code of bb-login.php, and you’ll figure it out. (it’s exploitable).
Bottom line, I haven't seen a single BB app lately that doesn't contain any vulnerabilities.
Hope this helps,
-Ory Segal
June 1st, 2007 04:45
Hi Ory,
Well, the list is based on Secunia public vulnerability disclosures and I didn't intend to go into 0-day exploits. Now that you made me curious, I looked into bb-login.php and I couldn't find an exploitable XSS.
I'm posting the bb-login.php file:

<?php
require('./bb-load.php');

// Where did this request come from?
$ref = wp_get_referer();

// Only honour the "re" (return-to) parameter when the referer is on this site.
// A "re" value that is not already a full site URL is appended to the referer.
if ( 0 === strpos($ref, bb_get_option( 'uri' )) ) {
    $re = $_POST['re'] ? $_POST['re'] : $_GET['re'];
    if ( 0 !== strpos($re, bb_get_option( 'uri' )) )
        $re = $ref . $re;
} else
    $re = bb_get_option('uri');

nocache_headers();

// Logout: drop the session and go back to $re.
if ( isset( $_REQUEST['logout'] ) ) {
    bb_logout();
    wp_redirect( $re );
    exit;
}

// Not logged in and the posted credentials did not log the user in:
// render the login template with the sanitised username and the escaped return URL.
if ( !bb_is_user_logged_in() && !$user = bb_login( @$_POST['user_login'], @$_POST['password'] ) ) {
    $user_exists = bb_user_exists( @$_POST['user_login'] );
    $user_login = user_sanitize ( @$_POST['user_login'] );
    $redirect_to = wp_specialchars( $re, 1 );
    bb_load_template( 'login.php', array('re', 'user_exists', 'user_login', 'redirect_to', 'ref') );
    exit;
}

// Already logged in, or the login just succeeded: send the user to $re.
wp_redirect( $re );
?>
The user_sanitize function permits only a-z, A-Z and 0-9, so no luck with the username string.
The $re parameter is appended to the current URL and, although it seems an easy catch for a forceful redirect, the appended string starts with /, which sucks.
So please let me know which vulnerability you have spotted. Please email me (dragos@dragoslungu.com) or post it here and I will edit the post to reflect your findings.
I would really appreciate it.
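The return-to ($re) computation from the bb-login.php snippet above, reimplemented in Python so that its branches can be exercised against a handful of constructed inputs. This is an added example, not bbPress code and not part of the comment thread: the site URI, the referer values and the "re" values are made up, the single re_param argument stands in for the $_POST['re'] / $_GET['re'] lookup, and stays_on_site() is an assumed check, not something the original file does.

```python
"""Model of the $re (return-to) logic in bb-login.php, reimplemented in
Python to exercise its branches. Added example, not bbPress code; the site
URI and request values below are constructed for illustration."""

from urllib.parse import urlsplit

SITE_URI = "http://forum.example/bb/"  # assumed value of bb_get_option('uri')


def php_starts_with(haystack, needle):
    """Mimic `0 === strpos($haystack, $needle)`: True only when the needle
    occurs at offset 0. An absent/empty haystack or needle gives False, as
    strpos() returns false rather than 0 in those cases."""
    if not haystack or not needle:
        return False
    return haystack.startswith(needle)


def compute_return_to(referer, re_param, site_uri=SITE_URI):
    """Follow the three branches of bb-login.php:
    - referer off-site or absent: fall back to the site URI;
    - referer on-site and `re` already a full site URL: use `re` unchanged;
    - referer on-site otherwise: `re` is appended to the referer, i.e. the
      current page URL, not to the site URI (this is the concatenation the
      comment above calls "appended to the current URL")."""
    if php_starts_with(referer, site_uri):
        re = re_param or ""
        if not php_starts_with(re, site_uri):
            re = (referer or "") + re
        return re
    return site_uri


def stays_on_site(url, site_uri=SITE_URI):
    """Assumed practitioner check on a computed redirect target: same scheme
    and host as the site URI and a path under the site path. Parsing with
    urlsplit means a host given as 'forum.example@other' is compared as a
    whole netloc and therefore fails the check."""
    target, site = urlsplit(url), urlsplit(site_uri)
    return (target.scheme, target.netloc) == (site.scheme, site.netloc) \
        and target.path.startswith(site.path)


# Constructed request scenarios (label, Referer header, re parameter).
SCENARIOS = [
    ("off-site referer", "http://other.example/page", "/topic.php?id=3"),
    ("on-site referer, re is a full site URL", SITE_URI + "topic.php?id=1", SITE_URI + "topic.php?id=3"),
    ("on-site referer, relative re", SITE_URI + "topic.php?id=1", "/topic.php?id=3"),
    ("on-site referer, empty re", SITE_URI + "topic.php?id=1", ""),
]

if __name__ == "__main__":
    for label, referer, re_param in SCENARIOS:
        target = compute_return_to(referer, re_param)
        print(f"{label:42} -> {target}  on-site={stays_on_site(target)}")
```

Running it shows the quirk worth knowing when reviewing this kind of code: a relative "re" such as /topic.php?id=3 does not land on the site root but on the referer URL with the string glued to its end, so the only thing keeping the redirect on-site is the referer prefix check itself.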
June 3rd, 2007 06:55
I’ve sent you an email, let me know what you make of it
June 7th, 2007 04:05
[...] Ory Segal pointed out in his comment on the forum vulnerabilities post , the BBpress authentication page (bb-login.php) is home of a XSS [...]
June 10th, 2007 07:53
[...] gets all the credit for this one and, again, I updated the forum vulnerabilities post [...]
June 10th, 2007 15:06
OWASP runs vBulletin (this costs money btw), but then again – it also runs WordPress for blogs and MediaWiki for the main site and these aren't exactly secure web applications.
Andrew van der Stock (of OWASP fame) wrote his own secure forum software as well: http://www.ultimabb.com/
PunBB, SMF (Simple Machines), and Vanilla also have very good reputations for free forum software.
For web-anything, I normally suggest JSPWiki (or something very similar) fronted by mod_security. I’d like to see JSPWiki or something very similar re-written in HDIV Struts with proper use of Validator everywhere.
The most important aspect is to keep your forum software up-to-date, especially after known vulnerabilities are released to the public.
June 11th, 2007 07:43
Thanks dre, I will test some of these apps pretty soon and I’ll post the results. As Ory pointed out, there are no “Zero vulnerability” applications out there; sometimes it’s just harder to find those bugs
June 2nd, 2008 17:17
[...] Top 10 Open Source Forums – 12 Months of Vulnerabilities | Dragos Lungu Dot Com (tags: opensource forums) [...]
May 6th, 2009 08:51
Thanks for sharing. I'm looking for good forum software to install and it's a good thing you have this information. But it seems like you don't have SMF here?
June 7th, 2009 09:06
Mendota Heights
USA
What is the best ecommerce platform / shopping cart? If you're thinking osCommerce, I don't think so; as you can see, X-cart is the most popular eCommerce platform.
Just checked my WEBS:
http://www.istockvanities.com/
http://www.istocktile.com/
http://www.istocklighting.com/
http://www.istockfurniture.com/
I'd really appreciate your attention.
June 21st, 2009 17:08
Hey i just wanted to say hi to everyone.
July 12th, 2009 07:13
Thanks for the info. I still have no idea which forum app I will use, but maybe I will use phpBB or vBulletin. What do you guess, guys? Thanks.
July 17th, 2009 13:45
This looks interesting, so far.
If there’s anyone else here, let me know.
Oh, and yes I’m a real person LOL.
Bye,
July 20th, 2009 08:49
Thanks for the effort you put in here, I appreciate it!
August 16th, 2009 09:06
Hi,
I am new to http://www.dragoslungu.com and just want to introduce myself.
Thanks
November 9th, 2009 00:47
Congratulations on the new blog!
November 10th, 2009 02:17
Thanks!
October 16th, 2010 00:13
[...] Dragos Lungu Dot Com – Security Tools and Tips [...]