After my run in with vBulletin I began a search for a secure and stable open sourced forum solution. My first thought was to find out what was running on sla.kers.org so I put in a call to rsnake and was told to keep looking because his solution sucked as well and that he was still on the hunt for a replacement. I’ve been looking at a bunch of the apps out there and so far I havent been all that impressed with the security design of the forum apps I’ve looked at.
This makes me wonder if web app sec is ever going to succeed, or if the web is just doomed to have problems for all time. Forum software is a very good example of the problem with many web apps, and web app development in general. To start its a very simple application, which if done right can be done securely. Of course the major challenge is that your taking user input and displaying it to other users. This immediately means your storing the data most likely into a database, which means you must secure against SQL Injection attacks. OK, thats not too hard, so that can be done. Next you need to make sure your filtering the inputs on the way in to remove any HTML tagging and escaping on the way out to be safe. The XSS part is a bit harder because there are clever people out there using a ton of different ways to bypass any filtering/escaping you do.� However, this can be accomplished with some focused attention, and you will then have a simple, secure and stable forum application.
So whats wrong with this? Feature creep.
Now that you have a basic forum in place, people will want to be able to format their text, which means you need to allow some HTML tags, or have some custom tags like BBCode which you then convert to real HTML tags. At this point things are starting to get a little tougher, but with diligence its still all workable. Next users want to upload attachments, have avatars, have all sorts of moderation features, and so on and so on. Then to make matters even worse, new developers join the project and they are not always as aware or concerned about security issues, and soon the application is as buggy and vulnerable as the forum software you are trying to replace.
Is this solvable? Yes, but only with diligence, hard work and auditing. Did I mention hard work?