Author Topic: Security of SMF compared to the other guys?  (Read 4437 times)

Offline Gizbeat

  • Newbie
  • *
  • Posts: 5
Security of SMF compared to the other guys?
« on: February 11, 2013, 07:27:32 AM »
I've read some posts by theme makers that their site got hacked and injected... I realize it can happen to anyone, but what is the general consensus regarding how secure SMF is? Has your SMF forum been hacked?

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,337
  • Gender: Male
    • Kindred-999 on GitHub
Re: Security of SMF compared to the other guys?
« Reply #1 on: February 11, 2013, 08:28:55 AM »
SMF has one of the best security records of all forum software.
We release security patches as soon as a vector is identified and patched and our package manager system makes patching your own forum much simpler than some of the others.


The only hack that ever hit any of my forum sites came in through a different software (ZenPhoto).
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,248
    • StoryBB/StoryBB on GitHub
Re: Security of SMF compared to the other guys?
« Reply #2 on: February 11, 2013, 11:13:40 AM »
SMF itself is secure but there's an awful lot of bad practice attached to it, like making all your files writable by every process on the server in an attempt to install modifications.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,321
  • Master of BBC Abuse
Re: Security of SMF compared to the other guys?
« Reply #3 on: February 11, 2013, 03:31:29 PM »

Offline Colin

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 7,874
  • Gender: Male
  • SMF Developer
    • colinschoen on GitHub
Re: Security of SMF compared to the other guys?
« Reply #4 on: February 11, 2013, 04:51:35 PM »
No security issues ever for my forum either.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Offline ARG01

  • SMF Hero
  • ******
  • Posts: 4,596
  • Dziner-Studio
    • Dziner-Studio
Re: Security of SMF compared to the other guys?
« Reply #5 on: February 11, 2013, 08:16:24 PM »
Quote from Arantor (Reply #2): "SMF itself is secure but there's an awful lot of bad practice attached to it, like making all your files writable by every process on the server in an attempt to install modifications."

I agree and this is why I insist on not using mods written by others. I also agree with the other comments as SMF seems to locate and repair or at least be aware of any possible risks before most software providers, including paid software.
No, I will not offer free downloads to Premium DzinerStudio themes. Please stop asking.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,248
    • StoryBB/StoryBB on GitHub
Re: Security of SMF compared to the other guys?
« Reply #6 on: February 11, 2013, 08:23:42 PM »
Not exactly. It isn't because of the mods that make it secure, nor is it because of the mod authors doing a bad job (on the contrary, mods that get published on the official site do get checked).

It is because you have to make everything writable, a problem I've been trying to find a way around for years.

I would also note that if anyone wants a comparison, I picked up an IPB licence in November, there have been at least 4 security patches since then just for IP.Board, not to mention vulnerabilities in other components like IP.Gallery. vBulletin is currently on its 28th (no, that's not a typo) beta version of vB 5...

Offline ARG01

  • SMF Hero
  • ******
  • Posts: 4,596
  • Dziner-Studio
    • Dziner-Studio
Re: Security of SMF compared to the other guys?
« Reply #7 on: February 11, 2013, 08:43:20 PM »
Don't get me wrong. I have nothing personal against mods in general. I just don't like anything altering my files and/or permissions other than myself.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,248
    • StoryBB/StoryBB on GitHub
Re: Security of SMF compared to the other guys?
« Reply #8 on: February 11, 2013, 08:44:41 PM »
This is why I've been pushing for a system that doesn't require changing either permissions or files in the first place... ;)

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,321
  • Master of BBC Abuse
Re: Security of SMF compared to the other guys?
« Reply #9 on: February 11, 2013, 10:24:42 PM »
Yebbut you can always 777 stuff to install a mod, then put it back to 644. Admittedly not totally n00b-proof, but hardly difficult either (assuming the user has some basic proficiency with FTP). So although it would certainly be nice to have it all handled automatically, personally I don't see it as a huge drawback.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,248
    • StoryBB/StoryBB on GitHub
Re: Security of SMF compared to the other guys?
« Reply #10 on: February 11, 2013, 10:25:23 PM »
That's the problem... people *don't*. They get it working and leave it as it is because it 'works'.

Offline Antechinus

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 24,321
  • Master of BBC Abuse
Re: Security of SMF compared to the other guys?
« Reply #11 on: February 11, 2013, 10:40:54 PM »
Well it's not too bad as long as the host implements good server security, and as long as the admins are careful about securing their accounts and pooters.

If none of those things are taken care of, you're probably screwed anyway.
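
The workflow discussed in replies #9 and #10 (777 to install a mod, then back to 644) can be checked by a script instead of relying on memory. This is an added example, not part of the original thread and not SMF tooling; the directory layout and file names are constructed, and 755 for directories is an assumption (the thread only mentions 644 for files).

```shell
#!/bin/sh
# Audit a forum directory for permissions left open after a mod install.

# List entries writable by any local user or process (the "other" write
# bit, which is what chmod 777 or 666 sets). Symlinks are skipped.
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Count them, so a cron job or deploy check can alert on a non-zero result.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset only the entries that are currently world-writable:
# directories to 755 (assumed value), regular files to 644 (from the thread).
restore_perms() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Build a constructed sample tree that mimics a forum after a mod install:
# one directory and two files left at 777, the rest at sane values.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/lib" "$root/themes"
    touch "$root/index.php" "$root/config.php" "$root/lib/util.php"
    chmod 755 "$root/themes"
    chmod 644 "$root/lib/util.php"
    chmod 777 "$root/lib" "$root/index.php" "$root/config.php"
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/forum   (prints anything still world-writable)
if [ $# -eq 1 ]; then
    find_world_writable "$1"
fi
```

Run the audit after every package install; call `restore_perms` only once the install has finished, since it removes the write access the installer was given.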