Author Topic: YaBB SE banned....  (Read 11084 times)
MashedBuddha
Noobie
*
Posts: 9


I'm a llama!

YaBB SE banned....
« on: May 20, 2003, 01:06:23 PM »

I wanted to make the developers aware of a recent situation with my host where all derivatives of YaBB have been banned because of security issues.  I do this only because I would like to keep using this forum, and I would like to know how I can convince my host that the 1.52 update (which I will update if I'm allowed to keep my forum) will fix these security issues.   I have some leeway with this host (long story) and I may be able to keep my forum with some more detailed information.  Here's their official announcement:

"We have taken the decision to ban all versions of YaBB bulletin board. There are numerous security problems that keep cropping up with this script, some of which are very serious indeed and have resulted in servers being compromised by enabling anyone to upload a binary to the server to either crash it or perform DoS attacks.

Whilst security problems occur on many scripts, YaBB seems to have more than its fair share, and the creators do not work fast enough to patch them and are very unprofessional in their manner about resolving them."

Please help.

thanks.

John
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

Re:YaBB SE banned....
« Reply #1 on: May 20, 2003, 01:40:45 PM »

What host?

Douglas
aka The Bear
Support Team
YaBB God
*****
Posts: 1050


Bears rule! Llamas rule too!

Re:YaBB SE banned....
« Reply #2 on: May 20, 2003, 01:47:09 PM »

Quote:
I wanted to make the developers aware of a recent situation with my host where all derivatives of YaBB have been banned because of security issues.  I do this only because I would like to keep using this forum, and I would like to know how I can convince my host that the 1.52 update (which I will update if I'm allowed to keep my forum) will fix these security issues.   I have some leeway with this host (long story) and I may be able to keep my forum with some more detailed information.  Here's their official announcement:

"We have taken the decision to ban all versions of YaBB bulletin board. There are numerous security problems that keep cropping up with this script, some of which are very serious indeed and have resulted in servers being compromised by enabling anyone to upload a binary to the server to either crash it or perform DoS attacks.

Whilst security problems occur on many scripts, YaBB seems to have more than its fair share, and the creators do not work fast enough to patch them and are very unprofessional in their manner about resolving them."

Hiyas, John!  This, unfortunately, is becoming the standard response we're hearing from several people that utilize YSE as their forum of choice.

What you could do is point your hosting company to

http://www.yabbse.org/community/index.php?board=1;action=display;threadid=22799

and have them read this.  Any time there is a security exploit, the YSE team works hard to close that hole and gets a fix out ASAP, in most cases within a few hours of the exploit.  Several of us scan SecurityFocus and BugTraq several times a week, as well as trying to exploit our own installations to ensure that all bugs and security holes are plugged.

Right now, 1.5.2 is the most secure version of YaBB SE available, and was released within two days after 1.5.1 Final was released due to a new exploit being exposed.

There were rumors about SSI.php having an exploit, which the entire Devel team has proven as a fallacy.  The person that originally posted the exploit did not take the time to investigate the "exploit" further.  We did.  With the way that settings.php is configured, it was impossible to reproduce the exploit.

Being a web host and a custom database programmer myself, I certainly wouldn't expose any of my sites, my client's sites or my client's servers to any system that poses a security risk.  With the speed that the YSE Devel team comes out with a fix for exploitable issues, I have full confidence in the team's work in ensuring that this is one heck of a stable forum software, and that these folks genuinely care when something is exposed.

I know I certainly wouldn't continue to support the system if they weren't on the ball with issues that needed to be addressed.

If you (or your host) have any questions, please encourage them to come to this very thread and post their concerns, or to email us.  They can certainly email me, if they wish (webmaster at therealms dot net) or David (david at yabbse dot org).  We'll be more than happy to work with them to help them close up any issues that need to be addressed.  :)

Need help? Please SEARCH first.  No need for a bad attitude, we like helping positive minded people.
ComeHit.us Short URL  redirection svcs with YSE powered forums, COMING SOON!
Want to say thanks?  Check out http://comehit.us/?u=3
Peter Duggan
Llama Chameleon
Global Moderator
YaBB God
*****
Posts: 1793


You come and go...

Re:YaBB SE banned....
« Reply #3 on: May 20, 2003, 02:47:05 PM »

Quote from: MashedBuddha on May 20, 2003, 01:06:23 PM
Here's their official announcement:

"We have taken the decision to ban all versions of YaBB bulletin board. There are numerous security problems that keep cropping up with this script, some of which are very serious indeed and have resulted in servers being compromised by enabling anyone to upload a binary to the server to either crash it or perform DoS attacks.

Whilst security problems occur on many scripts, YaBB seems to have more than its fair share, and the creators do not work fast enough to patch them and are very unprofessional in their manner about resolving them."

Quote from: Jeff Lewis on May 20, 2003, 01:40:45 PM
What host?

I'm prepared to hazard a guess:

Quote from: oldiesmann on May 14, 2003, 05:08:39 PM
This just in from the folks at eMark Hosting...

Quote:
Dear Users,

We have taken the decision to ban all versions of YaBB bulletin board. There are numerous security problems that keep cropping up with this script, some of which are very serious indeed and have resulted in servers being compromised by enabling anyone to upload a binary to the server to either crash it or perform DoS attacks.

Whilst security problems occur on many scripts, YaBB seems to have more than its fair share, and the creators do not work fast enough to patch them and are very unprofessional in their manner about resolving them

Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

Re:YaBB SE banned....
« Reply #4 on: May 20, 2003, 02:58:08 PM »

The thing is, go to http://www.securityfocus.com and search for any forum package, they all have their fair share. It just so happens that there is a smear campaign against SE by a couple of destructive people who can't code their own stuff.

MashedBuddha
Noobie
*
Posts: 9


I'm a llama!

Re:YaBB SE banned....
« Reply #5 on: May 20, 2003, 03:34:39 PM »

Quote:
This just in from the folks at eMark Hosting...

No, that's not my host.  Our site(s) are very large and we use a reseller account directly for this, without reselling space.  Because it's the same message, eMark Hosting apparently resells space from the same host that we use.  

To Peter: Thanks for your response, I've already contacted my host and so far they won't budge.  I gave them this:

http://www.yabbse.org/community/index.php?board=9;action=display;threadid=21830

But their response was so quick that there was no further investigation to the cause.  Here's what they said:

"Hi John,

There are still security issues that we have found with even this version of YaBB SE which have resulted in major vulnerabilities, and so it must still remain banned.

Use phpBB, Invision or vB and you are guaranteed a professional long term bulletin board, designed by people who care about ensuring that it remains secure. The team behind YaBB just don't cut it for us, they make very unprofessional comments and their patching leaves a lot to be desired. Until we can see a noticeable improvement in not only their software, but also with their ability to fully and correctly patch them, we like many other hosts will not be authorizing the use of their software.

If you have not already converted, you must do so ASAP as we have already started removing remaining copies of YaBB from our servers. When we can lift the ban on this script, we of course will, although that will be when we make a public announcement about this and not before. I realize that this is an inconvenience, but you must realize that server security must come first every time."
David
Destroyer Dave
Global Moderator
YaBB God
*****
Posts: 5761


I'm not a llama!

Re:YaBB SE banned....
« Reply #6 on: May 20, 2003, 04:26:36 PM »

If they are so unwilling to budge, move to Infodoma. :P

andrea
Global Moderator
YaBB God
*****
Posts: 4400


Peace on Earth

Re:YaBB SE banned....
« Reply #7 on: May 20, 2003, 05:02:20 PM »

Quote:
There are still security issues that we have found with even this version of YaBB SE which have resulted in major vulnerabilities, and so it must still remain banned.

Somebody of the dev team should ask them which precise vulnerabilities they believe to know are still in the current version...

Angel Skin
Full Member
***
Posts: 128


I'm a llama!

Re:YaBB SE banned....
« Reply #8 on: May 20, 2003, 05:14:16 PM »

Yes, surely by utilising this knowledge the devs could resolve this issue and rebuild yabbse's reputation with web hosts.
David
Destroyer Dave
Global Moderator
YaBB God
*****
Posts: 5761


I'm not a llama!

Re:YaBB SE banned....
« Reply #9 on: May 20, 2003, 05:24:40 PM »

Second guess, bmhost.com.

Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

Re:YaBB SE banned....
« Reply #10 on: May 20, 2003, 06:08:24 PM »

Or rochenhost  ::)

It's funny, YaBB has been around four years almost and you still get these lame comments like "Use phpBB, Invision or vB and you are guaranteed a professional long term bulletin board".

Just goes to show the knowledge of your host, I'd take my money elsewhere as they obviously have an ulterior motive.

Look through any security site, all of those forums have the same security issues.

Ben_S
Disciple of Joe
Support Team
YaBB God
*****
Posts: 1586


I Love YaBB SE!

Re:YaBB SE banned....
« Reply #11 on: May 20, 2003, 06:10:46 PM »

Quote from: Angel Skin on May 20, 2003, 05:14:16 PM
Yes, surely by utilising this knowledge the devs could resolve this issue and rebuild yabbse's reputation with web hosts.

I doubt there is any knowledge, just a host without a clue.

Vote with your feet and move host is my advice, or keep trying to convince them...
MashedBuddha
Noobie
*
Posts: 9


I'm a llama!

Re:YaBB SE banned....
« Reply #12 on: May 20, 2003, 06:28:19 PM »

I agree with your suggestions, and believe me we are very close to switching as there have been other serious issues.  What's stopping me?  The sheer agony of moving everything including our secure cert, scripts (although that's not too painful), etc, etc.  I only work a couple days a week that need to be devoted more to web marketing and design....

BTW, you still haven't guessed the host but keep trying ;)

Most recently they did say they are thinking about it, as they are reviewing the information I gave them from the most helpful (free) developers here.

Also an interesting note: at the site you mentioned http://www.securityfocus.com
I did a search on YaBB SE and got a page of security issues.  A search on phpBB (my host's recommended forum script) resulted in SIX pages of vulnerabilities.  Told my host about that too.
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

Re:YaBB SE banned....
« Reply #13 on: May 20, 2003, 06:52:33 PM »

And your site is hostnoc.com? Your upstream provider rather...

And yes I told you about that securityfocus site :) Chances are they are getting bad information from some people.

skoen
Longing For a Title
YaBB God
*****
Posts: 601


Official translator and local mod.

Re:YaBB SE banned....
« Reply #14 on: May 20, 2003, 09:03:01 PM »

Or maybe YaBBSE is so new, that the owners of the host haven't heard of YaBBSE before. Probably it's not the YaBBSE forum that creates the big security issue. It is maybe something else. But since they don't recognize YaBBSE, they blame it on that. phpBB, vB and Invision are more used by a bigger userrate. But I must say that YaBBSE is the easiest forum to administrate and configure. Though my host only allows working of one YaBBSE forum in one folder. But at least that host doesn't blame the security issues on YaBBSE.

My host is Interland by the way.

Proud to be Norwegian

Feel free to send me an IM if you got any questions or comments regarding YabbSE or my translation.

My portfolio(Norwegian)

Caught 43 llamas.