Hi, Brian - yes, we diverged from your original code base quite a while ago when people started finding vulnerabilities in the site. I quickly patched and rebuilt sections of the code. I think it was approaching two years ago now that I did the bulk of the work. I ripped out sections of the code that were unnecessary and, more importantly, tightened sections that were extremely vulnerable to exploitation. There are still some exploits in our version that I've done some things to curb, but ultimately, it's less likely to be a problem due to other mitigating controls I've put in place.
As to what I can and will disclose, I suggest you first read this post to get perspective on where we sit as an organization and the sheer quantity and danger of the threats we encounter: http://ha.ckers.org/blog/20071104/owning-hackersorg-or-not/
Due to this fact, there is no chance we will be sharing our security changes with anyone outside our organization going forward. I realize that might seem problematic or troubling to you given that it's your work, but it's not meant to be malicious. It's simply that I don't feel comfortable with evolving code bases which introduce more insecurities with time, and I see how many attacks we get on a daily basis. It's just not worth it for us. I've had the same conversation with the Wordpress guys - we diverged our code base last year and made significant improvements over time. Those changes have saved us from at least a dozen zero-day attacks. So there is a method to our madness. As a side note, I've been told they tout that we use Wordpress as part of their marketing now, from people I've talked to who have heard the pitch. So hey, maybe it's not a bad thing after all! Never you mind that their code has almost completely been re-written now with most of the functionality stripped out. Eesh!
I wish I could help you, but it would only hurt us in the long run. More importantly, in the same way I said I wouldn't be maintaining a secure version of Wordpress for others, the same is true with Phorum. See the comments of this post for that story: http://ha.ckers.org/blog/20070524/wordpress-vulns/ I really just don't have the time. Anyway, thanks for dropping by, Brian, sorry, I don't have better news for you.
- RSnake
Gotta love it.
http://ha.ckers.org