phpBB.com Hacked 1st Feb 09

General topics relating to phpBB3 to be posted in here.
LDM
Site Admin
Posts: 1786
Joined: Thu May 29, 2008 6:51 pm


Post by LDM »

If you are having trouble accessing the phpBB site, they are repairing it after a hack on their phpList installation. This doesn't mean a security loophole in phpBB3 installs, so do not panic.

This was written by Highway of Life on STG:
Hi everyone,

I am very sorry to report that phpBB.com (the website) was hacked last night around 04:00 GMT.
The hacker exploited a vulnerability in a third party script called PHPList, which is the Mailing List script that phpBB uses to update everyone on new releases, etc.

He then used this vulnerability to compromise the rest of the server including the phpBB.com forums. For the safety of everyone and to contain the attack, the phpBB team has taken down all of the .com services until the situation can be fully dealt with and resolved.
From PHPList, here are the details of the vulnerability, which was patched 3 days ago.

PHPList wrote: 29 January 2009
We've released version 2.10.9 that fixes a local file include vulnerability. This vulnerability allows attackers to display the contents of files on the server, which can aid them to gain unauthorised access.

Everyone using any version up to this one is advised to upgrade as soon as possible. Any clients hosted by Tincan have already been patched or upgraded.

If you don't want to upgrade now, you can fix the vulnerability quickly by adding the following line to the top of the index file in the admin directory:


if (isset($_REQUEST['_SERVER'])) { exit; } 

This will at least stop your installation from being vulnerable to this attack.

If you are running PHPList, it is vital that you upgrade to this security update immediately: http://www.phplist.com/?lid=274

Once again I want to stress that the attack in no way exploited a phpBB3 vulnerability, and there were no new vulnerabilities found. Everyone who runs phpBB is NOT in danger of an attack, you do not need to do anything.
The site should be back up very soon I reckon.
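The advisory quoted above describes the bug only as a local file include and gives a stop-gap that rejects any request carrying a parameter named `_SERVER`. The PHP below is an added illustration, not phpList's code and not a reconstruction of the phpBB.com attack: it shows the general shape of a local file include, where an include path is built from request-controlled input, beside a hardened version that applies the advisory's guard plus an allowlist, and a realpath containment check for code that cannot use a fixed allowlist. The parameter name `page`, the `pages/` directory and the allowlist entries are assumptions.

```php
<?php
// Added example, not phpList code. The parameter name "page", the
// "pages/" directory and the allowlist entries are assumptions.

// Vulnerable pattern: the include target is taken straight from the request.
// A value such as "../../../../etc/passwd" makes include() read an arbitrary
// local file, which is exactly the "local file include" class the advisory names.
function vulnerable_include(array $request): void
{
    $page = $request['page'] ?? 'home';
    include 'pages/' . $page . '.php';   // attacker chooses the path
}

// Hardened pattern.
// 1. The advisory's stop-gap: drop any request that smuggles a "_SERVER"
//    parameter. A legitimate client never sends one, so rejecting it costs
//    nothing; it blocks only that one vector, hence steps 2 and 3 as well.
// 2. Resolve the include through a fixed allowlist, so user input selects a
//    key and never supplies a path.
function hardened_include(array $request): void
{
    if (isset($request['_SERVER'])) {
        http_response_code(400);
        exit;
    }

    $allowed = [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];

    $page = $request['page'] ?? 'home';
    if (!array_key_exists($page, $allowed)) {
        http_response_code(404);
        exit;
    }
    include $allowed[$page];
}

// 3. Defence in depth where an allowlist is impractical: canonicalise the
//    candidate path and confirm it still lies inside the intended directory.
//    realpath() collapses "..", symlinks and repeated separators, so a
//    traversal that escapes $base is caught by the prefix comparison.
function resolve_inside(string $base, string $candidate): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $candidate);
    if ($baseReal === false || $target === false) {
        return null;                       // directory or file does not exist
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Usage of the containment check (assumed request parameter "page"):
//   $path = resolve_inside(__DIR__ . '/pages', ($_GET['page'] ?? 'home') . '.php');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

The one-line guard in the advisory is the right emergency measure because it needs no understanding of the application, but it only closes the reported vector; the allowlist and the containment check are what remove the file-include class from the code altogether.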