Exploit Vulnerability Found in 2.0.18: you MUST disable HTML!

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Lumpy Burgertushie
Registered User
Posts: 67997
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie »

phonereviews wrote: Is it ok to use the BBCode mod to enable html only for admins???
HTML BBCode Mod

Why do you need HTML? As was said, anything you want to do with HTML can be done with BBCode.

Besides which, a post is not a web page. If you want to show someone something that belongs on a web page, then just create that web page and link to it in your post.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.


If nobody is in the forest, does a tree really fall?
Andrew Kucienski
Registered User
Posts: 1050
Joined: Mon Oct 24, 2005 2:06 am
Location: Far far away!!!

Post by Andrew Kucienski »

I am sure that none of us will ever be asked to join a debate team…

clubchill, there are several fallacies (sp?) in your argument; I only want to point out a few...
clubchill wrote: I understand, and these are very good points. However... the point that phpBB misses in all of this, is that you have to design your software for "other" software.

It is my understanding that phpBB is designed around a "standard" not a software product. IE, Firefox, etc. are all supposed to follow some predefined industry standards (yes, every vendor adds their own flair to the chagrin of others). Now, if Microsoft's product cannot successfully do this, they are responsible for fixing it.
Do you suppose these companies like banks, and investment firms that run web-apps for their clients will allow a bad .jpg or a bad .txt or a bad .mp3 or .swf to be served to the browser and compromise their data.

This is like comparing welding to spaceflight. The purpose and function of a bulletin board is very different from the software that a bank or investment firm would run. And even if I am incorrect in this statement, have you read the news in the past year? How many of those fine U.S. institutions have had web hacks and exploits that have compromised data.
Because phpBB is designed with an "i-dont-care" attitude, and it shows in the number of vulnerabilities in this software.

phpBB development needs to take a full "Corporate" approach in their design, and treat this software as if though it were set up to guard a million dollars.

Did you know that the developers performed a major security audit that resulted in 2.0.18?
Have you even looked at http://area51.phpbb.com to see how the developers are looking into applying security to the next generation of phpbb?

Should I continue?

Please don’t make such sweeping statements.