executive wrote:

did you enter something that you're concerned about?
Just use a burner email account and a unique password there's no threat to you.

No, nothing I am concerned about at this point but I do like to keep my own things up to date. My email is fine and secure with a high level random password. I just know over time older software thats gone unpatched can lead to issues. Just a question I was curious about.

Thank you.

Outdated and unsupported software should be discontinued and replaced.
That is a matter of security!

OHappyDay wrote:

That is a matter of security!

Security of what?

Did you put your bank PIN in the forum?

Drift wrote:

is a security risk.

Could somebody please explain what is at risk here?

The original question of this post is valid. Let's be transparent (as usual) about the situation.

Many years ago, we have switched to punbb/fluxbb for our forums. Because it was a PHP project, I have made many changes in the core. Not as plugins, because they did not exist at that time (not sure they exist now).

In april 2020 piwigo.org has been hijacked. We have received many attack attempts on all our web applications. We still don't know which one was faulty. We have completely redesigned our servers organizations to split activities on several virtual servers. Each web application has its own virtual private server VPS. For example, the forum has its own VPS. The extension manager has its own VPS... This way, we hope a successful attack on one application should not impact other applications.

We have also added a system which live-analyzes HTTP queries and if it considers a query as suspicious, automatically bans the IP address. Very effective.

I have also implemented many additional checks in fluxbb to make sure user input variables are "as expected". Do not try to play with this system, unless you want your IP address to get quickly (like "seconds") banned for a long time...

My main concern with FluxBB is not security. It's more "latest PHP versions compatibility". It's already difficult to make Piwigo (and its plugins) to be fully compatible with PHP 8.3, we don't want to deal with it on applications that are not our core business.

That's why we are rewritting the extension manager (expected very soon) and we have made some deep tests to replace FluxBB by Flarum. This test did not reach production, but we may soon restart and make the last step. Another solution would be to rely on an external service like Discourse, but the cost is quite high in my opinion.

Thanks for details. Indeed, I can confirm it's quite easy to hit a 403 IP ban, I experienced that myself already a few times when for some reason a request was invalid. Luckily I usually can force a dynamic IP change ...

Re Discourse, that would be not only costly, but also quite a different user experience. I know from other projects that were on a bulletin board like forum software and switched to it that non-technical people who aren't used to it tend to struggle with the change, though the Discourse system is very capable and offers many features.

OHappyDay wrote:

malicious acitivities that could affect the users of the forum

how?
Genuinely curious.