It just happens that I was going to use phpBB for my site. I have used it in the past and do understand that the exploit was from a third-party extension. But some people do not, and I think that this will hurt your community, well not the established community, but anyone new to web development looking for a forum program.
It's ironic that the main phpBB site was not following their own mantra of security. The hacker just seems like a stupid schmuck. If he was smart he would've not let anyone know that the site was being hacked in the first place and covered his tracks.
I will still use phpBB's software, but others might feel scorned, especially if they didn't have a third-party e-mail address instead of their ISP's.
This can happen to any application that utilizes third-party software; you don't have to have a BS in computer science to write a third-party add-on or plugin. There are a lot of scripts out there to check PHP software for vulnerabilities, but my rule of thumb when writing PHP scripts is to use full directory paths and URL paths at all times. A template file, a parser, in the install directory and a command to write the file to the directory. Drop the GET requests, you are just asking for trouble.
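The include pattern the post above is warning about, beside a version that follows the full-path advice and reduces the GET parameter to an allowlist lookup key. This is an added example written for this page; it is not phpBB or phplist code and does not reproduce the exploit used against phpbb.com, which the thread does not detail. The template directory, page names and template files are hypothetical and are created under the system temp directory so the script runs stand-alone.

```php
<?php
// Added example for this thread, not phpBB or phplist code. Page names and
// template files are hypothetical; the script models the include pattern
// dsiembab warns about and a hardened version using an absolute base
// directory plus an allowlist.

// --- Vulnerable shape (defined only, never called here): a query-string
// value spliced into a relative include path. With a traversal value such as
// page=../../../etc/passwd, or a URL when allow_url_include is on, this is a
// local/remote file inclusion.
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    include 'templates/' . $page . '.php';
}

// --- Hardened shape.
// Allowlist: the request value is only a lookup key, never a path fragment.
const TEMPLATES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Returns the absolute template path, or null if the request is not allowed.
function resolve_template(string $templateDir, string $requested): ?string
{
    if (!array_key_exists($requested, TEMPLATES)) {
        return null;                                   // not in the allowlist
    }
    $base = realpath($templateDir);                    // full directory path, as advised
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . TEMPLATES[$requested]);
    if ($real === false) {
        return null;
    }
    // Defence in depth: the resolved file must still sit under the template dir,
    // even if a symlink or misconfigured allowlist entry points elsewhere.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function render_page_hardened(string $templateDir, array $get): void
{
    $path = resolve_template($templateDir, (string)($get['page'] ?? 'home'));
    if ($path === null) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include $path;
}

// Self-contained demo: build a throwaway template directory (constructed
// sample data) and run a few requests through the hardened resolver.
function demo(): array
{
    $dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    file_put_contents($dir . '/home.php', "<?php echo 'home';\n");
    file_put_contents($dir . '/contact.php', "<?php echo 'contact';\n");

    $results = [];
    $requests = ['home', 'contact', '../../etc/passwd', 'http://attacker.example/x', 'admin'];
    foreach ($requests as $p) {
        $results[$p] = resolve_template($dir, $p) !== null ? 'allowed' : 'refused';
    }

    unlink($dir . '/home.php');
    unlink($dir . '/contact.php');
    rmdir($dir);
    return $results;
}

foreach (demo() as $page => $verdict) {
    printf("%-30s %s\n", $page, $verdict);
}
```

Only `home` and `contact` resolve; the traversal string, the URL and the unlisted `admin` key are all refused before any include runs, and the `realpath` prefix check catches the case where an allowlisted file has been replaced by a symlink pointing outside the template directory.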
[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
- 3Di
- Registered User
- Posts: 951
- Joined: Tue Nov 01, 2005 9:50 pm
- Location: Milano 🇮🇹 Frankfurt 🇩🇪
- Contact:
Re: [Discussion] Downtime and Server Compromise
dsiembab wrote: But some people do not and I think that this will hurt your community, well not the established community but anyone new to web development looking for a forum program.
That's understandable, but you?

dsiembab wrote: It's ironic that the main phpBB site was not following their own mantra of security.
It was a 0-day exploit, remember that.

dsiembab wrote: If he was smart he would've not let anyone know that the site was being hacked in the first place and covered his tracks.
2 weeks are enough? Tracks have been covered very well AFAIK.

dsiembab wrote: you don't have to have a BS in computer science to write a third-party add-on or plugin.
Do you think the developers here are such noobs? Don't you think they have (free software = free spare time to use for it...) a lot of things to do, a very lot?

dsiembab wrote: There are a lot of scripts out there to check PHP software for vulnerabilities
Would you mind sharing all of those links?

dsiembab wrote: but my rule of thumb when writing PHP scripts is to use full directory paths and URL paths at all times. A template file, a parser, in the install directory and a command to write the file to the directory.
Please check the core code... you're a coder, have fun.

dsiembab wrote: Drop the GET requests, you are just asking for trouble.
It's never too late to learn; be my teacher, please.
Regards.
Free support for our extensions also provided here: phpBB Studio
Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
Re: [Discussion] Downtime and Server Compromise
3Di wrote: It was a 0-day exploit, remember that.
Thanks for the info. Even though I already knew that, I appreciate it. A zero-day exploit, how is that? It is only a zero-day exploit when someone finds it and reports it.

dsiembab wrote: you don't have to have a BS in computer science to write a third-party add-on or plugin.
What I meant was anyone can write a plugin with no sense of security.

3Di wrote: Do you think the developers here are such noobs? Don't you think they have (free software = free spare time to use for it...) a lot of things to do, a very lot?
Did I say that? No. The person who hacked the site checked a website for the exploit. I know the average Joe Somebody will just drop an add-on or plugin in their website and forget about it. But the lesson I think learned here is: check the plugin before you use it, and if it needs tweaking, tweak it and tell the developer of the script. Did you see the exploit and how it was used? It was PHP security day-one stuff. I know grandma and her bridge pals are not writing this software, but they could be writing the plugins.

3Di wrote: Would you mind sharing all of those links?
Google is your friend. I don't use them; I look at the code first. I'm not Joe Somebody, especially when it comes to my users and their privacy. I know it adds development time, but without the trust of the users, forums are nothing.

3Di wrote: It's never too late to learn; be my teacher, please.
LOL, lesson 1: look at the third-party code before implementing it into your site. Patience, Daniel-san.
Re: [Discussion] Downtime and Server Compromise
dsiembab wrote: Patience, Daniel-san.
His name is "Marco".
Do not hire Christian Bullock he won't finish the job and will keep your money
- darcie
- Community Team
- Posts: 189
- Joined: Mon Mar 12, 2007 7:32 pm
- Location: Davis, California
- Contact:
Re: [Discussion] Downtime and Server Compromise
dsiembab wrote:
    3Di wrote: It was a 0-day exploit, remember that.
    Thanks for the info. Even though I already knew that, I appreciate it. A zero-day exploit, how is that? It is only a zero-day exploit when someone finds it and reports it.
The exploit was posted on January 14th, and within hours the attacker found it and used it to gain entrance. A patch was not released until January 28th. Hence, zero-day exploit.
- 3Di
- Registered User
- Posts: 951
- Joined: Tue Nov 01, 2005 9:50 pm
- Location: Milano 🇮🇹 Frankfurt 🇩🇪
- Contact:
Re: [Discussion] Downtime and Server Compromise
RMcGirr83 wrote:
    dsiembab wrote: Patience, Daniel-san.
    His name is "Marco".
Yes, and very patient.
- 3Di
- Registered User
- Posts: 951
- Joined: Tue Nov 01, 2005 9:50 pm
- Location: Milano 🇮🇹 Frankfurt 🇩🇪
- Contact:
Re: [Discussion] Downtime and Server Compromise
Darcie wrote:
    dsiembab wrote:
        3Di wrote: It was a 0-day exploit, remember that.
        Thanks for the info. Even though I already knew that, I appreciate it. A zero-day exploit, how is that? It is only a zero-day exploit when someone finds it and reports it.
    The exploit was posted on January 14th, and within hours the attacker found it and used it to gain entrance. A patch was not released until January 28th. Hence, zero-day exploit.
Exactly. On a side note, it was released on the 29th of January: http://www.phplist.com/?lid=274
- darcie
- Community Team
- Posts: 189
- Joined: Mon Mar 12, 2007 7:32 pm
- Location: Davis, California
- Contact:
Re: [Discussion] Downtime and Server Compromise
I stand corrected, then. Psh, time zones. I was partly right: it was still the 28th for me.
Re: [Discussion] Downtime and Server Compromise
I still wonder: who was the hacker, and are there any logs of the hacker's evildoing?
jimhap
Re: [Discussion] Downtime and Server Compromise
jimhap wrote: I still wonder: who was the hacker
Do a Google search for "phpbb.com hacked" and you can read his blog plus other people's blogs.

jimhap wrote: and are there any logs of the hacker's evildoing?
Read this topic. In a word, no.