phpBB 2.0.13 security issues and phpBB's responses
Hi there,

If you have customers running phpBB 2.0.x, and know that there's a bunch of security issues outstanding for 2.0.13, well, don't hold your breath.
I've tried unsuccessfully to get phpBB to work with me to do a security review. This is my day job, and I help write the standard on the matter (owasp.org and my site greebo.net/owasp/). If a commercial organization wanted to pay for a thorough code review as I was offering, it'd be a $20-$30k USD job. Getting it donated for free at the "expense" of a couple of developers learning about how to check and then code securely is a major boon.
However, they initially deleted the first thread, and then they questioned my motives the entire time in the subsequent threads. No actual developers ever answered in the five day run of the two threads. I had a private offer from a user to assist.
My view is that phpBB:
a) don't want to learn more about security
b) don't want help to do security
c) will not fix anything but the forthcoming next release (which has been forthcoming for several years)
d) don't care about their users' data or their hoster's security
They have an incredibly poor attitude, which certainly didn't help my attitude when replying to their posts. If you find the thread on their forums (I can't link due to the number of posts I have), you'll see what I mean.
If you have phpBB users out there, consider transitioning them to anything else. phpBB will suffer more exploits sooner rather than later, and as they refuse to fix the issues and have not done any code reviews of the current or forthcoming release, it's your customers' data at risk.
Andrew
P.S. To declare openly, I help maintain XMB Xtreme, but I don't care if you use that or not. My offer to phpBB to do a code review was genuine, as their code caused my host to be restored several times to recover from attacks.