Security of SMF compared to the other guys?

Started by Gizbeat, February 11, 2013, 07:27:32 AM

Gizbeat

I've read some posts by theme makers that their site got hacked and injected... I realize it can happen to anyone, but what is the general consensus regarding how secure SMF is? Has your SMF forum been hacked?

Kindred

SMF has one of the best security records of all forum softwares.
We release security patches as soon as a vector is identified and patched and our package manager system makes patching your own forum much simpler than some of the others.


The only hack that ever hit any of my forum sites came in through a different software (ZenPhoto)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

SMF itself is secure but there's an awful lot of bad practice attached to it, like making all your files writable by every process on the server in an attempt to install modifications.


ARG01

Quote from: Arantor on February 11, 2013, 11:13:40 AM
SMF itself is secure but there's an awful lot of bad practice attached to it, like making all your files writable by every process on the server in an attempt to install modifications.

I agree and this is why I insist on not using mods written by others. I also agree with the other comments as SMF seems to locate and repair or at least be aware of any possible risks before most software providers, including paid software.
No, I will not offer free downloads to Premium DzinerStuido themes. Please stop asking.

Arantor

Not exactly. It isn't because of the mods that make it secure, nor is it because of the mod authors doing a bad job (on the contrary, mods that get published on the official site do get checked)

It is because you have to make everything writable, a problem I've been trying to find a way around for years.

I would also note that if anyone wants a comparison, I picked up an IPB licence in November, there have been at least 4 security patches since then just for IP.Board, not to mention vulnerabilities in other components like IP.Gallery. vBulletin is currently on its 28th (no, that's not a typo) beta version of vB 5...

ARG01

Don't get me wrong. I have nothing personal against mods in general. I just don't like anything altering my files and/or permissions other than myself.
No, I will not offer free downloads to Premium DzinerStuido themes. Please stop asking.

Arantor

This is why I've been pushing for a system that doesn't require changing either permissions or files in the first place... ;)

Antechinus

Yebbut you can always 777 stuff to install a mod, then put it back to 644. Admittedly not totally n00b-proof, but hardly difficult either (assuming the user has some basic proficiency with FTP). So although it would certainly be nice to have it all handled automatically, personally I don't see it as a huge drawback.

Arantor

That's the problem... people *don't*. They get it working and leave it as it is because it 'works'.

Antechinus

Well it's not too bad as long as the host implements good server security, and as long as the admins are careful about securing their accounts and pooters.

If none of those things are taken care of, you're probably screwed anyway.
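
The "777 to install a mod, then back to 644" routine discussed in this thread only helps if the second step actually happens. The following is an added example, not part of any post and not SMF's own code: a shell audit that lists everything left world-writable under a forum directory and resets it. The function names, the directory argument and the 755 value for directories are assumptions (the thread only mentions 644 for files).

```shell
#!/bin/sh
# Added example: audit a forum install for permissions left open after a
# mod install. Function names and the 755 directory mode are assumptions.

# List every regular file or directory under $1 that is world-writable,
# i.e. still in the "777" state described in the thread.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Put world-writable entries back to a closed baseline:
# 644 for files (the value named in the thread), 755 for directories.
# Entries that are not world-writable are left untouched.
restore_baseline() {
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
}

# Stand-alone use: pass the forum root, get a report, nothing is changed.
if [ "$#" -gt 0 ]; then
    leftover=$(audit_world_writable "$1")
    if [ -n "$leftover" ]; then
        echo "World-writable entries under $1:"
        echo "$leftover"
    else
        echo "No world-writable files or directories under $1"
    fi
fi
```

Run the audit after every mod install; call restore_baseline only once the install has been confirmed working, since the package manager needs write access while it runs.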
