[filePro Updates] September 2006 News

Fairlight fairlite at fairlite.com
Thu Sep 28 06:33:49 PDT 2006


The honourable and venerable Walter Vaughan spoke thus:
> Lauren Kelly wrote:
>
> > The link for the filePro Forum should be: http://www.fptechforum.com
>
> Just a heads up with phpBB. Once (maybe twice) in the past I have had
> servers "oWn3d" because I didn't do the seemingly daily security updates
> and became a temporary host for ebay email scams.
>
> YMMV, but my experience was that it needed a lot of babysitting. I'm
> guessing that whomever put that up will keep up with the updates as they
> come. Hopefully there will be no more exploits.

Seems like phpBB shows up in every other SANS bulletin.  That may actually
be slight hyperbole, but not much.

Typically speaking, PHP seems to attract -the- least security-minded coders
out there.  If you watch the alerts, you have screens and screens every
week of XSS and SQL injection problems with PHP-based products.  You see a
perl or ASP product once in a blue moon.  It is my conclusion that there is
possibly a fundamental design flaw in PHP as a language that simply lends
itself to insecure practices.  It's nowhere near as mature as the other
languages available.

And phpBB -is- one of the worst offenders.  It's probably the most
frequently listed holed forum package, seconded by IkonBoard lately, if
memory serves.

But speaking of sites getting owned, after looking to see what powered
the new forum last night (praying it -wasn't- fPCGI, for their sake), I
checked their main site again.  They still have the fPCGI test pages set up
insecurely, where they could be DoS'd and have their entire license eaten
in seconds--to the point of manual intervention being necessary to reclaim
the seats, not to mention a race condition against the CPU in realtime
multiplied by however many seats the license has.  

However, interestingly, their demo software request page no longer uses
fPCGI; it uses a custom CGI program from the look of it.

Which leads me to two points:

1) Their web server for the main site is already critically flawed, and
has remained so despite my repeated efforts to warn them of the hazards of
using fPCGI that way.  It's not like I haven't brought it up at least three
times prior to this.

2) If they don't even bother using fPCGI internally, why are they selling
it?  I guess this harkens back to the old days in '93 when I was up there
at SCC, and more than a few people can verify that back then they didn't
even use filePro internally to keep their records.  One has to wonder about
a product when the company which produced it won't even use it.  That's not
even my idea, I've had fP developers tell/ask me that from way back in the
old days.  I happen to agree with it, but it's not just me coming out of
nowhere with a zany idea to stir the pot--their own customers have wondered
about this for years.  And it looks like a repeat with their demo request
submission.  Call it speculation, but either they decided fPCGI wasn't
such a good idea, they aren't talking to filePro so they needed something
else, or they had -so- much money to burn that they decided to reinvent the
wheel--again.

At any rate, Walter is perfectly correct about phpBB.  I'd install and
use that over my dead body if I gave a damn about the system on which it
was running.  (It's amazing how they -keep- getting XSS and SQL injection
issues; why they can't write and -use- one global "sanitise()" function for
all user-derived data is beyond me.)

mark->
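As an added illustration of the closing point (this is example code written for this page; it is not from the post, from phpBB or from filePro), here is why one global "sanitise()" over all user-derived data does not fix SQL injection or XSS in a PHP application, and what does. The table, the inputs and every function name are constructed for the example; it assumes PHP 7.4 or later with the pdo_sqlite extension so it runs from the command line without a database server.

```php
<?php
// Added example, not phpBB or filePro code. Assumes PHP >= 7.4 with pdo_sqlite.
// Shows why a blacklist "sanitise()" fails, and the context-specific fixes
// (prepared statements for SQL, output encoding for HTML) that replace it.

declare(strict_types=1);

// The "one global sanitise()" idea: strip a blacklist of characters from every
// input up front. It mangles legitimate data (O'Brien loses its apostrophe) and
// it cannot know the context the data ends up in, so it misses payloads that
// need none of the blacklisted characters.
function sanitise(string $s): string
{
    return str_replace(["'", '"', '<', '>', ';', '--'], '', $s);
}

// Vulnerable pattern: SQL built by string concatenation, "protected" only by
// sanitise(). A numeric comparison needs no quotes, so the payload
// "1 OR 1=1" passes through sanitise() unchanged and rewrites the WHERE clause.
function findPostsUnsafe(PDO $db, string $authorId): array
{
    $sql = 'SELECT id, body FROM posts WHERE author_id = ' . sanitise($authorId);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement keeps the SQL structure and the data separate.
// The whole user string is bound as a single value, so it can never become part
// of the statement, and no blacklist is needed.
function findPostsSafe(PDO $db, string $authorId): array
{
    $stmt = $db->prepare('SELECT id, body FROM posts WHERE author_id = :author');
    $stmt->execute([':author' => $authorId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// XSS is an output-context problem, not an input problem: store the text as
// given, and encode it at the point it is written into HTML, with the encoder
// for that context (a JavaScript or URL context would need a different one).
function renderBody(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed fixture: an in-memory database with posts from two authors,
// one of which contains a script tag exactly as an attacker would submit it.
function buildFixture(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, body TEXT)');
    $ins = $db->prepare('INSERT INTO posts (author_id, body) VALUES (?, ?)');
    $ins->execute([1, 'Hello from author 1']);
    $ins->execute([2, '<script>alert(document.cookie)</script>']);
    return $db;
}

$db = buildFixture();

// Attacker-controlled "author id" (constructed). sanitise() leaves it untouched,
// so the concatenated query matches every row in the table.
$evil = '1 OR 1=1';
echo 'unsafe query, hostile input: ' . count(findPostsUnsafe($db, $evil)) . " rows\n";

// With the prepared statement the text "1 OR 1=1" is compared against
// author_id as one value and matches nothing; a real id still works.
echo 'safe query, hostile input:   ' . count(findPostsSafe($db, $evil)) . " rows\n";
echo 'safe query, author 2:        ' . count(findPostsSafe($db, '2')) . " rows\n";

// Output encoding neutralises the stored script tag without altering the data.
foreach (findPostsSafe($db, '2') as $row) {
    echo renderBody($row['body']) . "\n";
}
```

The point of the two query functions is that the difference is structural, not a matter of which characters get filtered: a prepared statement cannot be subverted by any input because the input is never parsed as SQL. The same applies to XSS, which is why the encoding lives in renderBody() at the HTML boundary rather than in a filter run on the way in; the browser's parsing rules, not the database's, decide what is dangerous there.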

