UBB.Developers Forums General Discussion Chit Chat UBB Threads Security

hello everyone, before i begin with my post i just want to let everyone know right off that i'm a noob with this stuff so thanks for your patience. i am learning...slowly
I am looking at setting up a forum for my new website. As far as forum software is concerned i was thinking of using UBB Threads by Infopop. I have been playing with the demo software and I enjoy it alot. However i recently came across a security article that outlines how this software can be easily taken advantage of by the use of SQL hacking. Now i know the version of the software they review is outdated compared to the current version, but my question is...is it still possible to do something like the article outlines with the current UBBthreads software? the last thing i would want on my new forum is some mystery administrator or to have my database dumped . Anyways, thanks

That article talks about the perl version of wwwthreads and not about the current ubb.threads version. Security has been much improved during the years.
There's no known way to exploit ubb.threads at the moment. There has been some security fixes during but Infopop reacts very quickly if necessary.

I don't understand your last question, sorry.

I think it's very secure.

Yeah, that's not really an issue anymore.... First of all it's no longer written in Perl. And all the globals are registed at the top of every script... so you can't add variables into the URL of a script - as the top of every script goes through every variable that it uses right at the very top.

For example

// Get the input
$Cat = get_input("Cat","get");
$Baord = get_input("Board","get");
$Whatever = get_input("Whatever","post");
$FooMoo = get_input("FooMoo","both");


This will tell each script how it's allowed to accept variables. Either by get, or post, or both. If the variable is received from the wrong method... it ends up empty.

Dave_L is probably the best one to comment on security issues. He's really good at that.

awesome you have answered all my questions exactly

And all the globals are registed at the top of every script...

Not all of the modifications posted here do that, though, even recent ones. If you're concerned about security, be careful about adding mods.

so what is the difference between wwwthreads and ubbthreads? I am a member of the Futuremark.com Forums and i notice they use wwwthreads. i really like their layout and was hoping to have something similar. If it is different, is it the same or more/less secure than ubbthreads? Does it have more options as far as configurability go?

Prior to Infopo buying the product about 15 months ago, it was known as wwwthreads and was owned by Rick Baker, who today is still the man behind the code It was renamed ubbthreads to fit into the product line of Infopop.

so the version of wwwthreads that they have is exactly the same as the latest version of ubbthreads? it seems different because i'm not seeing the php at the top?

It would appear that futuremark is using the perl version of .threads but I am not sure what perl version. The perl version is no longer supported I believe. Hope that helps.

No, they use the perl version of wwwthreads. Rick ported the whole thing to php. As Ian said, Infopop buyed wwwthreads several months ago, renamed it to ubb.threads.
The old perl versions isn't maintained any more.

So with buying ubb.threads you get a advanced and brand new model of wwwthreads. Developed in php and not in perl. Many more feature, more secure, more reliable and easier to use.

No - the versions have come on a long way since the www days - I am guessing that they are running a 5.xx perl version.

so if their version is so old, i wonder why they havn't upgraded. does infopop offer free updates or do you have to pay extra?

More info:

http://www.infopop.com/order/ubbthreads/

And wwwthreads license holders pay a greatly reduced rate for upgrades.

Yep

Threads has come a long way, it's very secure and confident in itself, oh sure there was some low times, but it's self esteem is on the mend..