phpBB.com Hacked through third party script



Postby Highway of Life » 01 Feb 2009, 13:10

Hi everyone,

I am very sorry to report that phpBB.com (the website) was hacked last night around 04:00 GMT time.
The hacker exploited a vulnerability in a third party script called PHPList, which is the Mailing List script that phpBB uses to update everyone on new releases, etc.

He then used this vulnerability to compromise the rest of the server including the phpBB.com forums. For the safety of everyone and to contain the attack, the phpBB team has taken down all of the .com services until the situation can be fully dealt with and resolved.
From PHPList, here are the details of the vulnerability that was patched 3 days ago.
PHPList wrote:
29 January 2009
We've released version 2.10.9 that fixes a local file include vulnerability. This vulnerability allows attackers to display the contents of files on the server, which can aid them to gain unauthorised access.

Everyone using any version up to this one is advised to upgrade as soon as possible. Any clients hosted by Tincan have already been patched or upgraded.

If you don't want to upgrade now, you can fix the vulnerability quickly by adding the following line to the top of the index file in the admin directory:
Code:
if (isset($_REQUEST['_SERVER'])) { exit; } 

This will at least stop your installation from being vulnerable to this attack.
If you are running PHPList, it is vital that you upgrade to this security update immediately: http://www.phplist.com/?lid=274

Once again I want to stress that the attack in no way exploited a phpBB3 vulnerability, and there were no new vulnerabilities found. Everyone who runs phpBB is NOT in danger of an attack, you do not need to do anything.

As phpBB.com is now down, we will be working in full capacity to answer any and all phpBB3 related support questions.
You may discuss this announcement in this topic.

- Highway of Life
STG Co-Founder and phpBB.com Modifications Team

iWisdom wrote:It should be noted that you should change the passwords of any accounts that may have shared a password with a Codeforge, Area51, or phpbb.com account, as well as any of the commit mailing lists should you have subscribed to one.
Last edited by Handyman on 02 Feb 2009, 03:36, edited 1 time in total.
Reason: Added quote by iWisdom re: phpBB and codeforge passwords

Re: phpBB.com Hacked through third party script

Postby damien » 01 Feb 2009, 13:21

I've been following this story since 10pm EST last night, idling in all phpbb chat channels I'm aware of, and researching all information I could. It's a sad day when someone spends their time simply to do wrong to others. I've met a few hackers in my day, even thought they were a 'bit cool' back in my earlier days, but meeting many of phpbb's developers and seeing the effort you guys put into this FREE open source project, well it's pathetic that someone would attack you guys and I'm sorry that someone would do that to you guys of all people!

Keep up the good work phpbb... I'm sure you'll recover! :)

Re: phpBB.com Hacked through third party script

Postby Erik Frèrejean » 01 Feb 2009, 13:27

damien wrote:I'm sure you'll recover!

Probably yes, but it is quite a mess with a lot of questions.
A quick request though if you find anything related to this on the internet please don't post links to it on the board (any board).
Instead of that, paste it in a PM and send it to myself or any other phpbb team member active on this board.

~ Erik Frèrejean
phpBB Support Team

Timeframe for phpBB.com to be back online

Postby Highway of Life » 01 Feb 2009, 13:33

There is currently no timeframe for when phpBB.com will be back online. The Teams will review all the information and data very thoroughly before bringing anything back online, one of the reasons is that we want to ensure that the hacker did not insert any backdoors that could be exploited later. The Teams will also be reviewing all third-party scripts to ensure their stability before bringing them back into usage.

What lessons can be learned?
A lot, actually.
  1. For those who are not familiar with Security, but are server or board administrators, this will hopefully be a wake-up call demonstrating how important security is for servers and PHP scripts running on them. One of our aims here on phpBB Academy at StarTrekGuide is to educate users on security to ensure that they are secure and that the scripts they create are secure.

  2. The phpBB.com MOD Validation Process is Vital to the security of your board. This again demonstrates why it is so critical that users use only MODs that are validated within the phpBB.com MOD Database, as they have gone under rigorous code security scrutiny. This is why it is not recommended to install MODs from just anywhere.

  3. Learn Security. If you are a server or board administrator, it would be a very good idea for you to learn some basic security principles that would help you to prevent hacking attacks on your own server. The bigger your site is, the bigger target it is, and the more the hackers will look for ways to exploit vulnerabilities within your site. If you are knowledgeable with security, you will constantly be looking for vulnerabilities within your own site and scripts and finding ways to improve the security of your board and server.

  4. Code Securely. If you are a MOD Author, Application developer, or other code developer, this demonstrates why it is so important to ensure that your code is secure, but never assume that it is absolutely secure. You don't want to make the mistakes that PHPList made with those kinds of basic and simple vulnerabilities that are able to do so much damage.

  5. Use the phpBB3 Framework. If you are a website developer or application developer, it is important to use a framework like phpBB3, and I don't mean the bulletin board itself, but the framework: the DBAL, request_var, template system, etc. This framework has many security measures in place that make coding securely much easier. As long as you are integrating with the phpBB3 framework, you can utilise these basic functions, especially when dealing with the database or grabbing user input; you would not do things like allow the use of _SERVER[ConfigFile], and NEVER EVER EVER trust user input.
    This was precisely the flaw within PHPList: it trusted, or allowed, user input that it should not have allowed.

If you have any questions or concerns, please post them here. Again, we will be happy to educate and assist all of those who would like to learn more about security, we will be putting a heavy focus on teaching this aspect here on STG from this time forward.
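The PHPList hotfix quoted in the first post and lesson 5 above describe the same class of flaw: a script decides which file to include based on data the client controls, and a request parameter named like a superglobal (`_SERVER[ConfigFile]`) is enough to steer it. The following PHP is an added example written for this thread, not PHPList's or phpBB's code. It shows the weak loader pattern beside a hardened one (fixed allow-list of config names, path resolved and checked against the config directory) and a request-side guard in the spirit of the one-line hotfix. The `config/` directory layout, the file names, and the function names are assumptions for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PHPList or phpBB code. Layout and names are assumed.

// Weak pattern: the included path comes from an array the client may be
// able to populate. If anything lets request data overwrite $_SERVER (or the
// array passed here), the script includes whatever file name was supplied.
function load_config_unsafe(array $server): void
{
    if (isset($server['ConfigFile']) && is_file($server['ConfigFile'])) {
        include $server['ConfigFile'];   // path chosen by the request: do not do this
    }
}

// Hardened pattern: request data only selects a KEY. The path itself comes
// from a fixed allow-list and must resolve inside CONFIG_DIR.
const CONFIG_DIR   = __DIR__ . '/config';                       // assumed layout
const CONFIG_FILES = ['default' => 'config.php', 'dev' => 'config.dev.php'];

function resolve_config(string $name): ?string
{
    if (!array_key_exists($name, CONFIG_FILES)) {
        return null;                                 // unknown key: refuse
    }
    $base = realpath(CONFIG_DIR);
    $path = realpath(CONFIG_DIR . '/' . CONFIG_FILES[$name]);
    if ($base === false || $path === false) {
        return null;                                 // directory or file missing
    }
    // Belt and braces: even an allow-listed entry must stay under CONFIG_DIR.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_config_safe(string $requested): void
{
    $path = resolve_config($requested);
    if ($path === null) {
        http_response_code(400);
        exit('invalid configuration selection');
    }
    include $path;                                   // always one of CONFIG_FILES
}

// Request-side guard, same idea as the advisory's one-line fix but covering
// every superglobal name: a client has no business sending these as parameters.
function request_smuggles_superglobal(array $request): bool
{
    foreach (['GLOBALS', '_SERVER', '_ENV', '_GET', '_POST',
              '_COOKIE', '_REQUEST', '_FILES', '_SESSION'] as $name) {
        if (array_key_exists($name, $request)) {
            return true;                             // caller should exit() here
        }
    }
    return false;
}

// Demonstration on constructed input; no real request is involved.
$checks = [
    'clean request passes'            => request_smuggles_superglobal(['page' => 'home']) === false,
    '_SERVER parameter is refused'    => request_smuggles_superglobal(['_SERVER' => ['ConfigFile' => 'x']]) === true,
    'unknown config key is refused'   => resolve_config('../../etc/passwd') === null,
    'empty config key is refused'     => resolve_config('') === null,
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . PHP_EOL;
}
```

Run it from the command line with `php example.php`; the four checks pass without a `config/` directory present, because a missing directory makes `resolve_config()` return `null` rather than fall through to an include. The point of the hardened loader is that the request never supplies a path at all, only a key into a table the developer wrote, which is the same discipline `request_var` enforces for scalar input in phpBB3.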

Re: phpBB.com Hacked through third party script

Postby mrmax » 01 Feb 2009, 13:57

This is soo "hard to understand"... hackers must get a lot of problems because instead they hack what DESERVES to be hacked, they hack sites like phpbb, free sites of a great script! A lot of sites in the web they could hack would be good for all the web but no, they insist on this for fun. :confused:
If I found the guy(guys) who hacked phpbb in street, I will see if they hack me ^^ :clapping:

I will call the police.. :club:

Re: phpBB.com Hacked through third party script

Postby damien » 01 Feb 2009, 14:08

damien wrote:I'm sure you'll recover!
Erik Frèrejean wrote:Probably yes, but it is quite a mess with a lot of questions.

I can only imagine what all phpbb had on their servers and I'm sure that goes beyond my imagination. Part of the reason I'm so upset about it: phpbb is now wasting time fixing this hacker's attack and making sure the server is secure when they could be supporting topics, writing mods, and improving development of phpbb. I'm sure it's a mess but thank god phpbb has some real smart cookies in charge. I have faith :D

Erik Frèrejean wrote:A quick request though if you find anything related to this on the internet please don't post links to it on the board (any board).
Instead of that, paste it in a PM and send it to myself or any other phpbb team member active on this board.


Of course, I was hoping someone would say this publicly! :D It's vital information that doesn't need to be spread around.
Last edited by damien on 01 Feb 2009, 14:11, edited 1 time in total.

Re: phpBB.com Hacked through third party script

Postby darkonia » 01 Feb 2009, 14:08

lol the police...rofl...

Re: phpBB.com Hacked through third party script

Postby Highway of Life » 01 Feb 2009, 14:21

mrmax wrote:I will call the police.. :club:
Unfortunately, it's not that simple.
Hackers always cover their tracks, with proxies, log manipulation and deleting scripts and files that they used to gain access; this makes them very difficult to track.

Re: phpBB.com Hacked through third party script

Postby novanilla » 01 Feb 2009, 14:34

This is interesting... I'm looking forward to learning much more about site security and steps we can take to prevent hacking. phpBB had a pretty bad reputation a couple of years ago, and it's gratifying to know internet searches don't pull up much about Olympus' security problems lately.

Re: phpBB.com Hacked through third party script

Postby Ika » 01 Feb 2009, 14:38

novanilla wrote:This is interesting... I'm looking forward to learning much more about site security and steps we can take to prevent hacking. phpBB had a pretty bad reputation a couple of years ago, and it's gratifying to know internet searches don't pull up much about Olympus' security problems lately.


Again, this is not a phpBB vulnerability. This was a 3rd party mailing list script that was running on the server being exploited. It is important to remember that. Any site running the mailing list software was just as vulnerable. :good: