
#1 2023-12-03 04:59:17

Drift
Member
2023-11-06
4

Bug report?

Question. This website is using FluxBB as forum software. FluxBB is no longer supported (and hasn't been, from what I can tell). If that is the case, are there potential security issues with using this forum? Are there any plans to update or upgrade to newer software?

Offline

 

#2 2023-12-03 10:34:29

executive
Member
2017-08-16
1214

Re: Bug report?

Did you enter something that you're concerned about?
Just use a burner email account and a unique password; there's no threat to you.

Offline

 

#3 2023-12-03 22:03:19

Drift
Member
2023-11-06
4

Re: Bug report?

executive wrote:

Did you enter something that you're concerned about?
Just use a burner email account and a unique password; there's no threat to you.

No, nothing I am concerned about at this point, but I do like to keep my own things up to date. My email is fine and secure with a high-level random password. I just know that over time older software that's gone unpatched can lead to issues. Just a question I was curious about.

Thank you.

Offline

 

#4 2023-12-04 05:13:06

executive
Member
2017-08-16
1214

Re: Bug report?

What kind of issues? I don't understand.

Offline

 

#5 2023-12-04 12:34:21

OHappyDay
Member
2023-02-08
37

Re: Bug report?

Outdated and unsupported software should be discontinued and replaced.
That is a matter of security!

Offline

 

#6 2023-12-04 21:40:40

Katryne
Member
2016-12-03
359

Re: Bug report?

OHappyDay, if you are not a Piwigo user, you are not concerned. Also, stop grumbling about what you don't know. I still use PunBB, from which FluxBB is forked. It has been regularly updated and I have never run into any issue.


http://photos.katrynou.fr/ v.14.1.0 https://album.chauvigne.info/ v.13.8.0
Operating system: Linux - Host: 1&1-Ionos PHP: 8.0.28 - MySQL: 5.7.38
Graphics library: External ImageMagick 6.9.10-23

Offline

 

#7 2023-12-05 06:38:25

executive
Member
2017-08-16
1214

Re: Bug report?

OHappyDay wrote:

That is a matter of security!

Security of what?

Did you put your bank PIN in the forum?

Offline

 

#8 2023-12-05 07:47:49

Drift
Member
2023-11-06
4

Re: Bug report?

Katryne wrote:

OHappyDay, if you are not a Piwigo user, you are not concerned. Also, stop grumbling about what you don't know. I still use PunBB, from which FluxBB is forked. It has been regularly updated and I have never run into any issue.

I guess my point is not understood. Using outdated software is a security risk. No matter how it is sugar-coated, it is a fact. That's why companies regularly do updates. No idea who the previous poster is, but he/she is correct to a point as well. Sometimes I'm sorry I ask questions here.

Regardless, it's all good. This is free software that is provided. Can't complain about that. I am simply concerned with security, and as stated, the answer has been provided.

Offline

 

#9 2023-12-05 07:56:24

executive
Member
2017-08-16
1214

Re: Bug report?

Drift wrote:

is a security risk.

Could somebody please explain what is at risk here?

Offline

 

#10 2023-12-06 02:45:39

erAck
Only trying to help
2015-09-06
1971

Re: Bug report?

In general any old (specifically PHP) unmaintained software facing the internet does have security bugs. FluxBB is now four years without maintenance. So the OP has a point in assuming "potential security issues" (which may not directly affect users but server security, and thus maybe users again).


Running Piwigo at https://erack.net/gallery/

Offline

 

#11 2023-12-06 10:32:44

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13773

Re: Bug report?

The original question of this post is valid. Let's be transparent (as usual) about the situation.

Many years ago, we switched to punbb/fluxbb for our forums. Because it was a PHP project, I made many changes in the core. Not as plugins, because they did not exist at that time (not sure they exist now).

In April 2020 piwigo.org was hijacked. We had received many attack attempts on all our web applications. We still don't know which one was at fault. We have completely redesigned our server organization to split activities across several virtual servers. Each web application has its own virtual private server (VPS). For example, the forum has its own VPS. The extension manager has its own VPS... This way, we hope a successful attack on one application should not impact other applications.

We have also added a system which live-analyzes HTTP queries and, if it considers a query suspicious, automatically bans the IP address. Very effective.

I have also implemented many additional checks in fluxbb to make sure user input variables are "as expected". Do not try to play with this system, unless you want your IP address to get banned quickly (like "in seconds") for a long time...

My main concern with FluxBB is not security. It's more "compatibility with the latest PHP versions". It's already difficult to make Piwigo (and its plugins) fully compatible with PHP 8.3; we don't want to deal with that on applications that are not our core business.

That's why we are rewriting the extension manager (expected very soon) and we have done some deep tests to replace FluxBB with Flarum. This test did not reach production, but we may soon restart it and take the last step. Another solution would be to rely on an external service like Discourse, but the cost is quite high in my opinion.

Offline
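As an added illustration of the two controls plg describes (checking that request variables are "as expected", and counting suspicious requests per client address toward a ban), here is a small, self-contained Python model. It is not code from Piwigo or FluxBB: the parameter names, the allow-list rules, the three-strike threshold and the sample requests are assumptions constructed for the example.

```python
"""Allow-list validation of forum request parameters plus a per-client
strike counter that flags repeated malformed requests.

Constructed example: parameter names, limits and sample traffic are
assumptions, not FluxBB's or Piwigo's actual checks."""
from collections import defaultdict
import re

# Expected shape of each query-string parameter (assumed names).
# Each rule returns True when the raw string value is "as expected".
PARAM_RULES = {
    "id": lambda v: v.isdigit() and 0 < int(v) < 10**9,            # numeric id
    "action": lambda v: v in {"new", "reply", "edit", "delete"},   # closed enum
    "page": lambda v: v.isdigit() and 1 <= int(v) <= 10_000,       # bounded page
    "sort": lambda v: re.fullmatch(r"[a-z_]{1,20}", v) is not None,  # short token
}


def validate_query(params):
    """Return a list of reasons the request is not as expected (empty = clean).

    Unknown parameters, non-scalar values (e.g. id[]=1 arrays) and rule
    failures are all reported, so the caller can reject the request and
    decide whether to count a strike against the client."""
    problems = []
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            problems.append(f"unexpected parameter {name!r}")
        elif not isinstance(value, str):
            problems.append(f"non-scalar value for {name!r}")
        elif not rule(value):
            problems.append(f"value {value!r} rejected for {name!r}")
    return problems


class StrikeTracker:
    """Counts rejected requests per client address. Once the count reaches
    `threshold` (assumed value), the address is reported as banned; a real
    deployment would feed that into a firewall or deny-list."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.strikes = defaultdict(int)
        self.banned = set()

    def observe(self, client_ip, params):
        """Validate one request; record a strike if it was malformed."""
        problems = validate_query(params)
        if problems:
            self.strikes[client_ip] += 1
            if self.strikes[client_ip] >= self.threshold:
                self.banned.add(client_ip)
        return problems

    def is_banned(self, client_ip):
        return client_ip in self.banned


# Constructed sample traffic: one well-formed client, one repeatedly malformed.
SAMPLE_REQUESTS = [
    ("198.51.100.7", {"id": "42", "action": "reply"}),
    ("203.0.113.9", {"id": "42abc", "action": "reply"}),   # non-numeric id
    ("203.0.113.9", {"id": "42", "action": "drop"}),       # action outside enum
    ("198.51.100.7", {"id": "43", "page": "2"}),
    ("203.0.113.9", {"id": "42", "debug": "1"}),           # unexpected parameter
]


def run_sample(threshold=3):
    """Feed the constructed traffic through a tracker.

    Returns (tracker, log) where log holds (ip, problems, banned_after) per request."""
    tracker = StrikeTracker(threshold)
    log = []
    for ip, params in SAMPLE_REQUESTS:
        problems = tracker.observe(ip, params)
        log.append((ip, problems, tracker.is_banned(ip)))
    return tracker, log


if __name__ == "__main__":
    _, log = run_sample()
    for ip, problems, banned in log:
        print(ip, "BANNED" if banned else "ok", problems)
```

The design point is that validation is an allow-list (each parameter has one expected shape, anything else is rejected) rather than a search for known-bad strings, and that the ban decision is kept separate from validation so the threshold and the enforcement mechanism can be tuned independently.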

 

#12 2023-12-06 11:20:17

OHappyDay
Member
2023-02-08
37

Re: Bug report?

Thanks for the clarification. So from the server standpoint the application seems to be safe.

Nevertheless, outdated software that cannot be fixed in case bugs are discovered should definitely be avoided.

Security here means (in my opinion) that the application is, e.g., safe against code injection or other malicious activities that could affect the users of the forum (and this has nothing to do with posting private data like bank accounts or such).

Just my 5 cents on that (and yes, I am a happy user of Piwigo).

Last edited by OHappyDay (2023-12-06 11:20:48)

Offline

 

#13 2023-12-06 11:32:28

erAck
Only trying to help
2015-09-06
1971

Re: Bug report?

Thanks for the details. Indeed, I can confirm it's quite easy to hit a 403 IP ban; I have experienced that myself a few times already when for some reason a request was invalid. Luckily I can usually force a dynamic IP change ...

Re Discourse, that would be not only costly but also quite a different user experience. I know from other projects that were on bulletin-board-style forum software and switched to it that non-technical people who aren't used to it tend to struggle with the change, though the Discourse system is very capable and offers many features.


Running Piwigo at https://erack.net/gallery/

Offline

 

#14 2023-12-06 19:21:15

homdax
Member
Sweden
2015-02-02
283

Re: Bug report?

As a former security manager and project lead of another PHP/MySQL web app, I concur most emphatically in the difficulties encountered with keeping up with the evolution and changes of the different frameworks used, in this case not just PHP, but also CSS, SQL, a variety of scripting languages, and last but not least plain old HTML. Probably more.

There is a real lack of concern about solutions growing old, and the code they are built upon becoming deprecated and often unsafe. That is also one of the reasons I hardly ever modify core code, just in case it might break at the next upgrade. I do not take that chance.

One can mitigate that in many ways, but the need to replace a dated and potentially insecure platform, in this case this forum, must of course eventually be addressed and I am happy to see the Piwigo team is aware and has plans for that.

From a real world example most may recognize, the day your smartphone or tablet no longer gets updated by the manufacturer, be that Apple, OnePlus, Motorola, or Samsung, it becomes a security liability from day one.

Last edited by homdax (2023-12-06 19:22:13)

Offline

 

#15 2023-12-07 01:28:23

executive
Member
2017-08-16
1214

Re: Bug report?

OHappyDay wrote:

malicious activities that could affect the users of the forum

How?
Genuinely curious.

Offline

 

Board footer

Powered by FluxBB

Piwigo.org © 2002-2024