I missed this one first time round.
Kgun, to answer the points in your first post.
1. You have not upgraded. You can answer that yourself, upgrades contain fixes for various bugs and security enhancements. No reason not to upgrade.
2. "PHP is not secure, use a BB written in another language." Rubbish, plain and simple, absolute rubbish.
The bad name that php has is due to how accessible it is for new programmers. People can jump straight into php without any prior programming background and as it is a typeless language there are many pitfalls for the unwary. Php in the hands of an experienced programmer coming from C, C++ who understands and adheres to casting practices then in my opinion with the release of php5 it has reached enterprise standard.
The majority of security flaws in php applications can be attributed to the above, a newbie starts with php, rattles out a few scripts that work but have no understanding of security measures well you cannot blame the language for that.
3. Yes it is possible to steal session ID's but if someone is running a packet sniffer on your IP then you have a lot more to worry about rather than someone gaining administrator priveledges to your forum. This type of activity is above most of the "script kiddie" brigade. It is not possible to place code on the server via javascript (provided the server administrator knows what they are doing) nor is it possible via phpbb, the only system call phpbb uses is an eval() in the templating system and I have not seen a variable passed to the templating engine that is unsanitized.
From what I read on your link you let some kid install the forum for you but then changed the password. When they had access there was nothing stopping them from uploading a host of scripts that could be used to place code on your server even after you changed ftp passwords.
The main problems with phpbb and security DO NOT come from the script itself but through add ons and hosting on a server where the administrator is clueless and has not hardened user permissions and disabled potentially harmful php settings. In that scenario most scripts are vulnerable.
As far as your follow up posts regarding
Quote:
This section scans all forum descriptions showing you the actual text, including the added information.
This scrip will scan for the following tags: <, >, <script, <javascript, script>, <iframe, <frame, iframe>, frame>, <embed, embed>
|
that is just down to a programmer having no understanding of when and how to use the htmlspecialchars() function.
There are many many large forums running phpbb and they don't get hacked (this is one) it is all down to the hosting environment and the competency level of the administrator. If the host has not secured folder permissions then there is nothing to stop another user on your server browsing to and reading your config.php to get you database connection information.
With the drop in prices of VPS technology to as little as $25 per month for a server capable of hosting 50 small sites there is no reason to stay with shared hosting. Get out of that environment and you will have less problems with any open source script.