[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Marshalrusty
Project Manager
Posts: 272
Joined: Thu Oct 27, 2005 1:45 am

[Discussion] Downtime and Server Compromise

Post by Marshalrusty » Mon Feb 02, 2009 12:07 am

Use this topic to discuss the Downtime and Server Compromise announcement

Edit: For clarification, this was not a result of a security issue with phpBB3. PHPList, an external product that is not packaged with phpBB, but was used on phpbb.com, was compromised. There are no updates required for your phpBB board.
Last edited by Phil on Mon Feb 02, 2009 4:24 am, edited 1 time in total.
Reason: Add clarification

Rocko444
Registered User
Posts: 9
Joined: Sun Feb 01, 2009 11:57 pm

Downtime and Server Compromise

Post by Rocko444 » Mon Feb 02, 2009 12:10 am

I think phpBB.com should install more security features.

Marshalrusty
Project Manager
Posts: 272
Joined: Thu Oct 27, 2005 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by Marshalrusty » Mon Feb 02, 2009 12:19 am

Again, this happened due to an outdated software installation. Patching the vulnerability would have prevented this from being possible.

Rocko444
Registered User
Posts: 9
Joined: Sun Feb 01, 2009 11:57 pm

Re: [Discussion] Downtime and Server Compromise

Post by Rocko444 » Mon Feb 02, 2009 12:24 am

Marshalrusty wrote:Patching the vulnerability would have prevented this from being possible.
What does that mean?

griffinmt
Registered User
Posts: 10
Joined: Mon Feb 02, 2009 12:26 am

Re: [Discussion] Downtime and Server Compromise

Post by griffinmt » Mon Feb 02, 2009 12:33 am

I too would like for that 'generic' statement to be explained.
If there are specific things to do, then indicate them. And from your comment, I 'assume' you have insight of exactly what issues have already been patched at phpBB?!
:x
Martyn

Marshalrusty
Project Manager
Posts: 272
Joined: Thu Oct 27, 2005 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by Marshalrusty » Mon Feb 02, 2009 12:34 am

Rocko444 wrote:
Marshalrusty wrote:Patching the vulnerability would have prevented this from being possible.
What does that mean?
I'm not sure how to otherwise say it. If the security hole in the software was patched in time, it would not have been possible to exploit it. Keeping software up to date is absolutely key in preventing such things.
griffinmt wrote:I too would like for that 'generic' statement to be explained.
If there are specific things to do, then indicate them. And from your comment, I 'assume' you have insight of exactly what issues have already been patched at phpBB?!
:x
Martyn
The solution would be to update PHPList to the latest version. The latest version does not have the vulnerability that was used.

Phil
Registered User
Posts: 185
Joined: Sun Mar 11, 2007 3:20 am

Re: [Discussion] Downtime and Server Compromise

Post by Phil » Mon Feb 02, 2009 12:40 am

Simply enough, it was a matter of patching the vulnerability in PHPList as their website notes. This serves as an excellent reminder of why keeping up to date is important -- we were only 3 days late, and were compromised as a result of it. There is no "patching" of any sort to do to the phpBB software.

Edit: In fact, we had already been attacked 2 weeks before the update to PHPList was released. It was a 0-day exploit.
Last edited by igorw on Fri Feb 06, 2009 12:54 pm, edited 1 time in total.
Reason: adding correction
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.

Garebooo
Registered User
Posts: 1
Joined: Tue Nov 15, 2005 8:23 am

Re: [Discussion] Downtime and Server Compromise

Post by Garebooo » Mon Feb 02, 2009 1:57 am

I hope everything will be back as it was, and better.

Any help we can give the Team, we will be glad to.


Regards
phpBBArabia • phpBB Arabic Support

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy » Mon Feb 02, 2009 2:03 am

Garebooo wrote:I hope everything will be back as it was, and better.

Any help we can give the Team, we will be glad to.
Things will be back and better in good time :)

You can help by notifying a team member by PM if you find any sites hosting or linking to the stolen data from phpBB.com.

parasolx
Registered User
Posts: 10
Joined: Mon Feb 02, 2009 3:07 am

Re: [Discussion] Downtime and Server Compromise

Post by parasolx » Mon Feb 02, 2009 3:15 am

I have read, and am quoting, the news from phplist.com about this vulnerability:
We've released version 2.10.9 that fixes a local file include vulnerability. This vulnerability allows attackers to display the contents of files on the server, which can aid them to gain unauthorised access.

Everyone using any version up to this one is advised to upgrade as soon as possible. Any clients hosted by Tincan have already been patched or upgraded.
Actually, they said to do this if you don't want to patch/upgrade:
If you don't want to upgrade now, you can fix the vulnerability quickly by adding the following line to the top of the index file in the admin directory:

----------
if (isset($_REQUEST['_SERVER'])) { exit; }
----------

This will at least stop your installation from being vulnerable to this attack.
What I don't understand here is, how do I patch? What do I need to patch/upgrade?
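The one-line hotfix quoted above, worked through as an added example (this is not phpList's code and not part of the original post): a Python model of which request parameter names actually trip `isset($_REQUEST['_SERVER'])`, using the normalisation PHP itself applies to incoming parameter names (percent-decoding, leading spaces skipped, `.` and space mapped to `_`, and `name[key]` registered under `name`), plus a hunt for the same pattern over access-log lines. Anyone writing a WAF rule or grepping logs for attempts needs that normalisation, otherwise variants like `.SERVER[...]` or `%5FSERVER=...` slip past while PHP treats them as `_SERVER`. The IPs, paths and log lines are constructed; the `[x]` subkey is arbitrary and says nothing about how the real phpList issue was triggered.

```python
"""Model of phpList's hotfix, if (isset($_REQUEST['_SERVER'])) { exit; },
and a matching access-log hunt.  Added example for this thread, not phpList
code; every log line below is constructed."""
import re
from urllib.parse import unquote_plus

BLOCKED_NAME = "_SERVER"


def php_param_name(raw_name: str) -> str:
    """Normalise a raw key from a query string or form body the way PHP does
    when it builds $_GET/$_POST/$_REQUEST: percent-decode, skip leading
    spaces, keep only the text before the first '[' (PHP array syntax), and
    turn '.' and ' ' into '_'.  A WAF rule or log search that skips this
    step misses variants PHP itself registers as the same parameter."""
    name = unquote_plus(raw_name).lstrip(" ")
    base = name.split("[", 1)[0]
    return base.replace(".", "_").replace(" ", "_")


def request_blocked(query_string: str) -> bool:
    """True if isset($_REQUEST['_SERVER']) would be true for a request whose
    GET query string or POST body is `query_string`, i.e. the hotfix would
    exit before the rest of admin/index.php runs."""
    for pair in query_string.split("&"):
        if not pair:
            continue
        raw_name = pair.split("=", 1)[0]
        if php_param_name(raw_name) == BLOCKED_NAME:
            return True
    return False


# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jan/2009:03:14:01 +0000] "GET /lists/admin/index.php?page=home HTTP/1.1" 200 5123',
    '203.0.113.7 - - [30/Jan/2009:03:14:09 +0000] "GET /lists/admin/index.php?_SERVER[x]=../../../../etc/passwd HTTP/1.1" 200 2210',
    '198.51.100.3 - - [30/Jan/2009:03:15:40 +0000] "GET /lists/admin/?.SERVER[x]=../../config.php HTTP/1.1" 200 2210',
    '198.51.100.9 - - [30/Jan/2009:03:16:02 +0000] "GET /lists/index.php?p=subscribe HTTP/1.1" 200 3301',
    '203.0.113.7 - - [30/Jan/2009:03:17:22 +0000] "POST /lists/admin/index.php HTTP/1.1" 302 0',
]

REQUEST_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>[^?\s]+)(?:\?(?P<qs>\S*))? HTTP/'
)


def suspicious_requests(log_lines):
    """Return (1-based line number, client IP, query string) for every entry
    whose query string carries a parameter PHP would register as _SERVER.
    Only GET parameters are visible here: a POST body that trips the same
    hotfix leaves no trace in the access log, which is why the server-side
    check, not log review, is the actual mitigation."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m or not m.group("qs"):
            continue
        if request_blocked(m.group("qs")):
            hits.append((lineno, line.split(" ", 1)[0], m.group("qs")))
    return hits


if __name__ == "__main__":
    for lineno, ip, qs in suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: {ip} sent {qs}")
```

Two things the model makes visible: the hotfix is exact about the name (`_SERVERX`, `x_SERVER` or lowercase `_server` are not caught, which is fine because PHP would not register them as `_SERVER` either), and it only protects the file you add it to, so it is a stop-gap until the 2.10.9 upgrade, exactly as the phplist.com note says.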
