Development Discussion Board

[Marshalrusty]

Use this topic to discussion the Downtime and Server Compromise announcement

Edit: For clarification, this was not a result of a security issue with phpBB3. PHPList, an external product that is not packaged with phpBB, but was used on phpbb.com, was compromised. There are no updates required for your phpBB board.

[Rocko444]

I think Phpbb.com should install more sercuity features.

[Marshalrusty]

Again, this happened due to an outdated software installation. Patching the vulnerability would have prevented this from being possible.

[Rocko444]

Patching the vulnerability would have prevented this from being possible.

What does that mean?

[griffinmt]

I too would like for that 'generic' statement to be explained.
If there are specific things to do, then indicate them. And from your comment, I 'assume' you have insight of exactly what issues have already been patched at phpBB?!

Martyn

[Marshalrusty]

Patching the vulnerability would have prevented this from being possible.

What does that mean?

I'm not sure how to otherwise say it. If the security hole in the software was patched in time, it would not have been possible to exploit it. Keeping software up to date is absolutely key in preventing such things.

I too would like for that 'generic' statement to be explained.
If there are specific things to do, then indicate them. And from your comment, I 'assume' you have insight of exactly what issues have already been patched at phpBB?!

Martyn

The solution would be to update PHPList to the latest version. The latest version does not have the vulnerability that was used.

[Phil]

Simply enough, it was a matter of patching the vulnerability in PHPList as their website notes. This serves as an excellent reminder of why keeping up to date is important -- we were only 3 days late, and were compromised as a result of it. There is no "patching" of any sort to do to the phpBB software.

Edit: In fact, we were attacked already 2 weeks before the update to PHPList was released. It was a 0-day exploit.

[Garebooo]

I hope every thing will back as it was and better

any Help we can give to the Team we will be glad


Regard

[ToonArmy]

I hope every thing will back as it was and better

any Help we can give to the Team we will be glad

Things will be back and better in good time

You can help by notifying a team member by PM if you find any sites hosting or linking to the stolen data from phpBB.com.

[parasolx]

I have read and qouting the news from phplist.com about this vulnerability:

We've released version 2.10.9 that fixes a local file include vulnerability.This vulnerability allows attackers to display the contents of files on the server, which can aid them to gain unauthorised access.

Everyone using any version up to this one is advised to upgrade as soon as possible. Any clients hosted by Tincan have already been patched or upgraded.

Actually, they told to do this if didn't want to patch/upgrade:

If you don't want to upgrade now, you can fix the vulnerability quickly by adding the following line to the top of the index file in the admin directory:

----------
if (isset($_REQUEST['_SERVER'])) { exit; }
----------

This will at least stop your installation from being vulnerable to this attack.

What i don't understand here is, how to patch? What i need to patch/upgrade?