If you are unfortunate enough to have a bunch of PHPBB installations on your servers you should probably check out this post that my server admin passed along to me this morning.
PHPBB has been risky business for a while in my opinion, we have weened most of our clients away from PHPBB over the years due to random defacements and new vulnerabilities that popup every time you turn around. There are however some good alternatives to PHPBB on the market, and even some that are open-sourced.
A vulnerability in the PHPlist newsletter manager, which was publicly disclosed in mid-January but not fixed until two weeks later, allowed an attacker to access critical files on phpBB.com, the person claimed over the weekend.
In a post on Blogger on Saturday, a person who claims to have breached the Web site of open-source online community software phpBB gave a detailed account of how he did it. Using a vulnerability in PHPlist publicly disclosed on January 14, the attacker gained access to the password and configuration files for the server, according to the post. The attack occurred before the PHPlist developers issued a patch for the problem on January 29.
"So I login and see what I can come across, wow 400,000 registered emails, I’m sure that will go quick on the black market, sorry people but expect a lot of spam," the self-proclaimed attacker wrote.
The incident matches the description of the attack posted by administrators of phpBB.com on Monday.
"The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file," the group stated. "He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly."
The attack is not the first time that an open-source project’s developers have faced a hacker. In 2002, the phpBB forum was taken offline after vandals defaced the site. In 2001, Apache and Sourceforge were both defaced by a group known as Fluffy Bunny, whose leader was arrested two years later. And, in 2003, the GNU Project acknowledged that hackers had access to their files servers for months.
The phpBB group recommended that members of the list that have reused their passwords on other Web site immediately change their credentials.
"Using the same password across multiple sites is not security wise and should not be done under any circumstance," the phpBB group said. "Additionally, you should change your password on phpBB.com, when it becomes available."
As of Thursday morning, the phpBB.com was still down for maintenance.
If you have tips or insights on this topic, please contact SecurityFocus.
Alleged attacker flaunts details of phpBB hack
Questions or Comments?