Are you committed to security?

NC Software · **Are you committed to security? -** 16-05-2007, 12:26 PM

I see in the change log there is a XSS fix. If there is a security flaw in the software, why isn't a new stable release brought out immediately? vBulletin is a fine example of a company committed to security, if there is a potential for a XSS attack, a new version is immediately released.

craigbrass · 16-05-2007, 12:46 PM

This is a good point. Maybe Jamie can bring it to the attention of Varun.

A good idea would be to have a company like Gulftech (http://www.gulftech.org) audit the software and point out areas where security needs improving.

***Varun Shoor*** · 16-05-2007, 01:18 PM

Quote:

Originally Posted by NC Software

I see in the change log there is a XSS fix. If there is a security flaw in the software, why isn't a new stable release brought out immediately? vBulletin is a fine example of a company committed to security, if there is a potential for a XSS attack, a new version is immediately released.

Hi Neal,
We are definately serious about security and would have released a stable build immediately if it wasnt for the following two reasons:

1) The XSS vulnerabilities reported are from POST variables if I remember which is generally considered a low risk as the potential hacker needs to redirect the user using a form.

2) We were ready to release the stable but some delays in the Winapp builds have pushed it back. In fact, the PHP team has been waiting for the updated stable Winapps to mark the build as stable.

A new stable build should be out by this week approximately. Let me know if there is anything else.

Regards,

Varun Shoor

NC Software · 16-05-2007, 06:04 PM

As much spam hits my KB area comments boxes it does concern me! Maybe you can add CAPTCHA image requirements to comment submissions and that will help add another layer of security? Or give us the option (requested previously) of turning off "Add a Comment" to KB areas, etc. and we can prevent anyone from injecting into our sites via that approach. The best security is prevention first! Then handling the input second.

**Jamie Edwards** · 16-05-2007, 07:08 PM

Hi Neal,

The XSS flaw that has been fixed has nothing to do with automated comment posting.

Most robots that execute this spamming can also (usually) defeat most CAPTCHA effortlessly - computers can read better than people can, so this is not an end-all solution.

You may find this useful: Disabling comments and stopping comment spam

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

craigbrass Offline Senior Member Posts: 5,573 Join Date: Jun 2005 Location: Cumbria, UK	16-05-2007, 12:46 PM This is a good point. Maybe Jamie can bring it to the attention of Varun. A good idea would be to have a company like Gulftech (http://www.gulftech.org) audit the software and point out areas where security needs improving. Craig Brass - Kayako Forum Squatter (Note: I am NOT a staff member) Icon Headquarters - Its Elixir - Web2Messenger