PerlMonks  

What do people think of the YaBB forum script?

by kiat (Vicar)
on Sep 21, 2002 at 06:12 UTC [id://199727]


kiat has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,

I would like to seek your opinion on the YaBB forum script ( http://www.yabbforum.com/ ). I've seen it used in a couple of sites and I like it very much. Has anybody used it before? What are your thoughts on it?

kiat

Edit kudra, 2002-09-21 Changed title

Re: What do people think of the YaBB forum script?
by Aristotle (Chancellor) on Sep 21, 2002 at 07:27 UTC

    No strict, no warnings, no taint mode, lots of little text files - hm..

    Update: Lots of global variables used to determine settings.. that reminds me of my nightmarish ventures in the UBB5 codebase.

    I spent less than 10 mins grepping the sources and found this on /cgi-bin/yabb/Sources/Post.pl line 56:

    fopen(FILE, "$datadir/$threadid.txt")

    $threadid is taken directly from the CGI params as far as I can tell. I didn't look for more examples, a cursory grep revealed lots of samples.

    fopen is defined in /cgi-bin/yabb/Sources/Subs.pl and does some cleaning up, but neglects to purge null bytes, pipes and backslashes. It does eat dots though.

    I remember the YaBB site was broken into repeatedly. I'm not surprised.

    Makeshifts last the longest.
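The defensive counterpart to the fopen pattern Aristotle quotes, as an added example (not YaBB's code and not Aristotle's): the thread id is checked against an allowlist so the null bytes, pipes, backslashes and dots he mentions never reach open() at all, and a three-argument open keeps the filename from being parsed as a mode. The $datadir path and the digits-only id format are assumptions.

```perl
use strict;
use warnings;

# Hypothetical data directory, placed outside the web document root.
my $datadir = '/var/lib/yabb-data';

# Allowlist validation: a thread id is 1 to 12 ASCII digits and nothing
# else. Input containing NUL bytes, pipes, backslashes, dots or slashes
# simply fails to match and is rejected, rather than being "cleaned".
# Under taint mode (-T) the capture $1 is what untaints the value.
sub clean_thread_id {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([0-9]{1,12})\z/ ? $1 : undef;
}

# Three-argument open with an explicit read mode: the path is treated as
# data only and is never interpreted for a leading or trailing '|'.
sub open_thread {
    my ($id) = @_;
    my $path = "$datadir/$id.txt";
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample inputs of the kind that arrive in CGI parameters.
my @samples = ('1234', '12|x', "12\0", '../admin', 'thread 1', '');
for my $raw (@samples) {
    my $id = clean_thread_id($raw);
    (my $shown = $raw) =~ s/\0/\\0/g;      # make the NUL byte visible
    printf "%-11s -> %s\n", "'$shown'",
        defined $id ? "accepted ($id)" : 'rejected';
}

# Only an accepted id is ever combined with $datadir.
my $fh = open_thread('1234');
print $fh ? "opened thread 1234\n" : "no such thread 1234: $!\n";
```

Run it as `perl -T script.pl`; with the sample inputs only '1234' is accepted, and the open on the hypothetical directory reports the missing file instead of doing anything else.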

      Well well...look what comes from the people who didn't even write their own BBS. YaBB happens to be a fine BBS; but I will admit that it can be better and more secure. But that is what YaBB2 is for :)
Re: YaBB
by katgirl (Hermit) on Sep 21, 2002 at 09:58 UTC
    I've got it on my site, http://www.queenfans.com/forum </blatantplug>

    I think it's the best forum you can get for free - and better than some you have to pay for. Loads of features, and it gets updated with new ones, and new addons pretty often.

    About the code... well, since I couldn't do anything like as good myself, I can't really complain about it - all I've ever changed in the code was to add a few more smilies, and that was just a bit of javascript so doesn't count here...

      I think it's the best forum you can get for free.

      What about NMS's wwwboard? :)


      :^) # Hyper smiley!
      Or maybe ikonBoard? Though I haven't looked at its source anytime recently - v2.x series was messy but I believe the v3 release is kinda decent. I'd gladly give it a quick audit/gloss-over if anyone is contemplating it.

      Makeshifts last the longest.

Re: What do people think of the YaBB forum script?
by gryphon (Abbot) on Sep 21, 2002 at 14:27 UTC

    Greetings kiat,

    I've used UBB in the past, but now I'm running YaBB on three different sites. However, I only like YaBB because it's the best I've seen thus far and it's written in mostly human readable Perl. Here's how I look at it:

    Pros:

    • Really great feature set; maybe not as huge as some of the other boards out there, but good regardless
    • Very intuitive interface; I haven't had to field even a single support call/email
    • User-value focused; provides "nifty" stuff that most average users find cool

    Cons:

    • Scary code design
    • Doesn't use strict, warnings, or tainting
    • Uses a series of global variables for configuration
    • In default config/install, easily hackable
    • Data files (lots of them) located by default in URL path
    • Doesn't consistently use CGI.pm correctly
    • Very not OO, even though a BB by design is
    • Found a few bugs in the administration GUI

    Honestly, when I first installed YaBB and started playing around with it, my first thought was, "Hmm... I wonder how long it would take me to rewrite this whole thing." I realized that it would take far more free time than I have, so I spent time hacking against the code. You can end up moving the data directories with their many files outside your Web documents file structure for slightly better security, but it takes a bit of hacking (even though the admin GUI suggests otherwise). Doing anything beyond some basic configuration requires hacking the source code, and that source is somewhat scary.

    Overall, though, if I needed to launch a new BB next week, I'd use YaBB again... but I'd be really interested in reviewing the next release when it becomes available.

    gryphon
    code('Perl') || die;

      Now look at your own list. You've pointed out thrice as many cons as pros, and one of the cons is

      • In default config/install, easily hackable

      I don't think there's any "pro" to weigh that up. In merlyn's words, it's better to have a non-functional, secure site than a functional, insecure site.

      I hate having to shoot stuff down without any alternatives to offer, but all messageboard CGIs I've had experience with so far simply sucked.

      Makeshifts last the longest.

        Now look at your own list. You've pointed out thrice as many cons as pros, and one of the cons is: In default config/install, easily hackable

        I agree; this is a major badness. However, I said default config/install. With some hacking, you can make things much less easy to hack. Simply moving and renaming most of the config files/dirs alone adds quite a lot. Simply moving away from the default locations and names will keep most of the cracker-kiddies away.

        Now, I'm not saying that YaBB is a safe system. This is by no means true. However, it's perfect for an intranet system or a limited extranet. Not every Web site has to be bullet-proof.

        Summary point: YaBB is not a great system, it just appears to be one of the better ones available. It has several flaws, most of which involve how it's programmed and security. However, it's about as good as it gets right now, and a lot of its flaws can be masked and patched with a little work.

        In merlyn's words, it's better to have a non-functional, secure site than a functional, insecure site.

        I disagree in some cases. Philosophically, the purpose of any Web site is to function. As long as you don't house sensitive information on your site, if you get hacked, you may lose service; worst case scenario: crackers use your platform to bounce into something more vital. A non-functioning site has no value. I posit that a non-functioning site is effectively equivalent to a formerly functioning hacked-and-taken-down site.

        More specifically, though, is the choice between installing a security-challenged bulletin board system or nothing at all. In the latter case, there is no added value, but your site is more secure. In the former case, the added value must be measured against the potential risk and harm from successful hacking. It's not always the case that the potential risk and harm is all that great, and it may be considerably outweighed by added value to the average end-user.

        Does this mean it's OK to write sloppy Web applications? No, of course not. Always use strict, warnings, and tainting; and always code with security in mind. I would never use PHP for any major public production Web site application for this very reason, but I'm fine with using PHP in an intranet environment. If Amazon asked me to set up a bulletin board system, I would not use YaBB; I'd take the time and code up my own. However, for the audiences and locations my bulletin boards needed to serve, the value-add of YaBB vastly outweighed the security risk.

        gryphon
        code('Perl') || die;

        In merlyn's words, it's better to have a non-functional, secure site than a functional, insecure site.

        I have to agree with gryphon on this issue. That depends on your requirements. An intranet server is the perfect example of a case where security may be a low priority but there are others. Many personal sites which aren't meant for a lot more than communicating with family or friends don't have to be too concerned about security.

        I'm paranoid about the sites that make sense for me to be paranoid about. Basically, that means the ones that might cause myself or my employer a loss if they were hacked. I keep in mind that a loss could include intangibles such as reputation.

        -sauoq
        "My two cents aren't worth a dime.";
        
Re: What do people think of the YaBB forum script?
by kiat (Vicar) on Sep 21, 2002 at 19:47 UTC
    Thanks all for the feedback!

    The impression I get from reading your posts is that while YaBB is a feature-rich, easy-to-use, free board, it's lacking in security features. Aristotle also pointed out that it has lots of textfiles. Yah, that's something I don't like about it too. Also, I'm sure some of the perl files can be combined to make it easier to have an overall view of what the code is doing. It thus seems that suitable hacking of the code may be necessary to improve on the security aspect if one is thinking of using it.

    Regarding NMS's wwwboard, I've that too. But while I've no doubt that the coding is of high quality, I do think it's lacking in lots of other features - the look and feel, user-friendliness, etc.
How about Ikonboard?
by kiat (Vicar) on Sep 21, 2002 at 23:00 UTC
    I did some research on Ikonboard and it seems to be a good choice? Any comments?

      By popular request, I took a look at ikonBoard. The version I checked is the brand new 3.11.

      My first look made me grimace:

      $SIG{__WARN__} = sub {
          my $wn = shift;
          return if $wn =~ /Use of uninitialized value/i; #Most annoying
          return if $wn =~ /name "(?:.+?)" used only once/i; #Very annoying
          warn $wn;
      };

      Ugh. We're off to a grand start. No taint mode either. But strict! Well, it wants to be mod_perl compliant..

      The codebase is pretty large so I didn't examine it as closely as YaBB's, even though I spent a lot more time looking at this one. However, the more I looked, the more it made up for the initially awful impression. The global configuration variables have been stuck into package iB and there's no other globals - parameters are passed as subroutine arguments. Great. Its SQL bindings modules appear to be carefully proofed against SQL injection attempts.

      There is no central input validation instance, but wherever I looked data seems to get validated, somehow or other, at one point or other, in safe fashion. It still leaves me with the uneasy feeling in the stomach that a developer may overlook a variable or other and open up a hole, but in contrast to the YaBB team they do seem to have a healthy distrust for external input.

      At this point, I feel I can recommend ikonBoard in good consciousness as a suitable messageboard engine.

      Makeshifts last the longest.

        Thanks, Aristotle! Your comments on ikonboard are really useful. I'm trying to study the code to understand what exactly certain pieces of code are doing but have difficulty understanding because of DB and SQL, which I know little about. However, I do understand the obvious ones. I thus agree with you that the ikonboard engine seems to be a good bet.

        I would like to try and understand YaBB because I find it easier to understand when textfiles are used instead of SQL database. I want to be able to "hack" the code a little here and there to change certain things if necessary. With ikonboard, I'm quite helpless but I may be able to do something with YaBB.
Re: What do people think of the YaBB forum script?
by c0bra (Acolyte) on Sep 23, 2002 at 11:29 UTC
    Yes, there are some scary things in YaBB1, but YaBB2 is currently in progress.

    It uses MySQL as a database mainly and will use text files via DBD::AnyData later on. It also uses strict and -w. YaBB2 will also include a mod_perl version, which I'm pretty sure no large BBS has done yet.

    You can check out the sources here if you really want to:

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/yabb/YaBB/
      If by mod_perl version you mean Apache::Registry friendly scripts, then both ikonBoard and UBB v6.x already offer that. If however YaBB2 implements real Apache request handlers, that would be a novelty indeed.

      Makeshifts last the longest.

        Yes, real request handlers. No easy configuration yet but I figure anyone wanting to use mod_perl will know what they're doing.
        ikonBoard really doesn't play nice with mod_perl. There's an attempt to support it, but it's not there yet. I just pulled down v3.11 this week to evaluate it, and I still haven't gotten it to run properly under mod_perl.

        It runs great as a cgi app though. If anyone wants to try to hack it to make it run better under mod_perl, I'd suggest installing it as a cgi app first. If you don't, the installer doesn't support mod_perl at all. You'll have to touch installer.(cgi|pl) after each step so it recompiles and runs properly.

        Code appears to be written well... great functionality as a cgi, but mod_perl support just isn't there yet.

Node Type: perlquestion [id://199727]
Approved by katgirl