Hosting YaBB SE is a risky business
Those of you hosting YaBB SE sites should be aware that YaBB SE is resource intensive and has a significant number of security holes. The YaBB SE organization has NOT fixed the security holes to date.
Exploits can take over an individual YaBB SE web site and the web host as well.
Part of the problem is that the default YaBB SE installation requires that ALL files and ALL directories be in a writable state. The other part is that user authentication and administrator authentication apparently rely solely on one single validation check on login. Usernames and passwords are exposed by easily accessed cookies. Once a username is hijacked, administrator status is easily compromised and any type of file can be accepted for upload by anyone using the site. Once the file is on the web host, it can be executed -- exposing the entire web host to any exploit.
The security problems have been known by the development team for more than two months without resolution.
Still want to play Russian roulette with your web host?
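For hosts that want to measure the "everything writable" exposure described above, the following audit script is an added example, not part of the original post or of YaBB SE. It walks an install tree and groups world-writable paths by risk; the script extension list is an assumption about what the web server passes to an interpreter and should be adjusted to the host's configuration.

```python
import os
import stat
import sys

# Assumption: extensions the web server hands to an interpreter on this host.
SCRIPT_EXTS = {".php", ".php3", ".phtml", ".cgi", ".pl"}


def audit_tree(root):
    """Return world-writable paths under root, grouped by risk category."""
    findings = {"writable_dirs": [], "writable_scripts": [], "writable_other": []}
    # The root itself matters: a writable root lets any local user add files.
    if os.lstat(root).st_mode & stat.S_IWOTH:
        findings["writable_dirs"].append(".")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue  # vanished or unreadable entry; skip it
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                continue
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(st.st_mode):
                # New files (including uploaded scripts) can be dropped here.
                findings["writable_dirs"].append(rel)
            elif os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                # Existing code that any local account can overwrite.
                findings["writable_scripts"].append(rel)
            else:
                findings["writable_other"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py <forum-install-directory>")
    report = audit_tree(sys.argv[1])
    for category, paths in report.items():
        print(f"{category}: {len(paths)}")
        for p in paths:
            print(f"  {p}")
    # Non-zero exit lets a cron job or deployment check fail on any finding.
    sys.exit(1 if any(report.values()) else 0)
```

Any entry under `writable_dirs` that the web server also serves should have script execution disabled for it, and entries under `writable_scripts` should be reset to owner-writable only.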