[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
dsiembab
Registered User
Posts: 4
Joined: Mon Feb 09, 2009 5:40 pm

Re: [Discussion] Downtime and Server Compromise

Post by dsiembab »

@3di
What I am trying to say is the exploit was always there. So day zero is an excuse for writing bad code? Check this link out; it might help you understand what I mean: http://www.onlamp.com/pub/a/php/2003/03 ... urity.html. Yeah, 2003, so does that make the exploit day zero? I don't think so. :lol: I am LMFAO because a day zero excuse is a bad excuse for bad coding practices. Look at the exploit.


Code Snippet:
/lists/admin.php #line:10-18

if (!ini_get("register_globals") || ini_get("register_globals") == "off") {
  # fix register globals, for now, should be phased out gradually
  # sure, this gets around the entire reason that register globals
  # should be off, but going through three years of code takes a long time....

  foreach ($_REQUEST as $key => $val) {
    $$key = $val;
  }
}

/lists/admin.php #line:41-56

if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
  print '<!-- using '.$_SERVER["ConfigFile"].'-->'."\n";
  include $_SERVER["ConfigFile"];
} elseif (isset($cline["c"]) && is_file($cline["c"])) {
  print '<!-- using '.$cline["c"].' -->'."\n";
  include $cline["c"];
} elseif (isset($_ENV["CONFIG"]) && is_file($_ENV["CONFIG"])) {
#  print '<!-- using '.$_ENV["CONFIG"].'-->'."\n";
  include $_ENV["CONFIG"];
} elseif (is_file("../config/config.php")) {
  print '<!-- using ../config/config.php -->'."\n";
  include "../config/config.php";
} else {
  print "Error, cannot find config file\n";
  exit;
}

Please don't defend people for not checking code they use on their websites.

3Di
Registered User
Posts: 771
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Re: [Discussion] Downtime and Server Compromise

Post by 3Di »

zomg.. please provide a snippet of the phpbb3 code that's poorly written if you can, I doubt that.

The hack has been issued through a third party software, phplist. Developers are smart enough and pro to recognise a badly written software; being myself a former MOD Team validator, I can say it is not so easy to catch a bug or a security issue even if you read the code twice in some cases. I believe I'm a human being like they are.
dsiembab wrote:Please don't defend people for not checking code they use on their websites.
Yes I do because of the reasons I above explained. :)

awaiting. :)
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

PerfectReign
Registered User
Posts: 2
Joined: Thu Feb 10, 2005 10:40 pm

Re: [Discussion] Downtime and Server Compromise

Post by PerfectReign »

Although it is very nice to discuss the level of testing needed in third party libraries, I'd be curious if there's an ETA as to when phpbb.com might be back online. I searched and didn't see anything.

Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code

Re: [Discussion] Downtime and Server Compromise

Post by Highway of Life »

There is still no timeframe for getting the site back online. As stated on the podcast, the hope is this week, but don’t hold your breath.

@dsiembab, the point is that we (the phpBB Teams) should not have to validate 3rd-party scripts. It’s a travesty that because not all developers hold the same high standards that the phpBB Developers do, that we will have to validate these third-party scripts.

JRSweets
Registered User
Posts: 14
Joined: Tue Oct 12, 2004 4:48 pm

Re: [Discussion] Downtime and Server Compromise

Post by JRSweets »

PerfectReign wrote:Although it is very nice to discuss the level of testing needed in third party libraries, I'd be curious if there's an ETA as to when phpbb.com might be back online. I searched and didn't see anything.
Acyd Burn posted this yesterday...
Acyd Burn wrote:At the moment everything is going quite smooth. Depending on the time we are able to work on it (we all have day jobs too ;)) i predict(!) 1-3 days. It will definitely not be an additional week. :)

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [Discussion] Downtime and Server Compromise

Post by EXreaction »

dsiembab wrote:@3di
What I am trying to say is the exploit was always there. So day zero is an excuse for writing bad code?
Yes, it DOES make it a 0 day attack. http://en.wikipedia.org/wiki/Zero_day_attack
A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or patchfree computer application vulnerabilities. The term Zero Day is also used to describe unknown or Zero day viruses.

Zero-day exploits are released before the vendor patch is released to the public. Zero-day exploits generally circulate through the ranks of attackers until finally being released on public forums. The term derives from the age of the exploit. A zero-day exploit is usually unknown to the public and to the product vendor.

blueprins
Registered User
Posts: 18
Joined: Mon Mar 07, 2005 9:11 pm

phpbb.com

Post by blueprins »

Hello

When will phpbb.com open? Is there any date? However, I see my old posts are deleted. Will any posts be deleted, or will they be re-added? :shock:

thanks

stickerboy
Registered User
Posts: 94
Joined: Fri Jun 04, 2004 3:05 pm
Location: Airdrie, UK

Re: [Discussion] Downtime and Server Compromise

Post by stickerboy »

Read the post above yours
I'm a web-designing prototyping tech-support musician
|| Twitter || Flickr || BandCamp ||
Please don't contact me via pm/email unless I ask you to/say it's ok

dsiembab
Registered User
Posts: 4
Joined: Mon Feb 09, 2009 5:40 pm

Re: [Discussion] Downtime and Server Compromise

Post by dsiembab »

https://samate.nist.gov/index.php/Web_A ... rabilities
http://www.owasp.org/index.php/Phoenix/Tools
I am going to use some of these against phplist 2.10.8 and if none of them pick it up then hey you are all right and I am wrong. If any of these programs show the exploit I will show the program name and the date the program was last updated. Better to check on something that could have been prevented instead of playing the I'm right, you're wrong game. But, if I'm right you'll never hear the end of it. ;) not, I'm only kidding.

@Highway of Life -
Highway of Life wrote:@dsiembab, the point is that we (the phpBB Teams) should not have to validate 3rd-party scripts. It’s a travesty that because not all developers hold the same high standards that the phpBB Developers do, that we will have to validate these third-party scripts.
Ounce of prevention, pound of cure. The thing is you're right, you shouldn't have to; I shouldn't have to look both ways before crossing a road either, but I know if I don't there is a chance of an accident. It's just sad that it took someone stealing 100s of 1000s of user e-mails for the epiphany.

@EXreaction - You are exactly right. here's one for ya trickle down effect. :lol: used in a sentence: The trickle down effect from the zero day attack has caused me to wonder if I need male enhancement from the spam that I am receiving. : trickle down effect.

I am just saying that it could have been prevented and now I am going to research how.
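An added audit check in the spirit of the static-analysis tools mentioned above, written for this thread and not code from phplist or any of the posters: a small Python scanner for the two patterns visible in the quoted admin.php fragments, the register_globals emulation (a foreach over a superglobal that assigns $$key) and include statements whose path is not a string literal. The sample PHP is an abridged inline copy of the quoted snippets, constructed for the example; the rule names are assumptions.

```python
import re

# Constructed sample: an abridged inline copy of the two admin.php fragments
# quoted above, so the check runs offline without phplist installed.
SAMPLE_PHP = r'''
if (!ini_get("register_globals") || ini_get("register_globals") == "off") {
  foreach ($_REQUEST as $key => $val) {
    $$key = $val;
  }
}
if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
  include $_SERVER["ConfigFile"];
} elseif (isset($cline["c"]) && is_file($cline["c"])) {
  include $cline["c"];
} elseif (is_file("../config/config.php")) {
  include "../config/config.php";
}
'''

SUPERGLOBAL = r'\$_(?:REQUEST|GET|POST|COOKIE|SERVER|ENV|FILES)\b'

# Rule 1: a foreach over a superglobal whose body assigns $$key re-creates
# register_globals: every request parameter becomes a PHP variable, so a name
# like $cline can be supplied by the client. (Handles non-nested braces only.)
FOREACH_RE = re.compile(
    r'foreach\s*\(\s*' + SUPERGLOBAL +
    r'\s+as\s+\$(\w+)\s*=>\s*\$(\w+)\s*\)\s*\{([^}]*)\}', re.S)
VARVAR_RE = re.compile(r'\$\$(\w+)\s*=')

# Rule 2: include/require whose operand is not a string literal loads code from
# a path computed at runtime; combined with rule 1 that path may come from the
# request (file inclusion). Literal paths like "../config/config.php" are fine.
INCLUDE_RE = re.compile(
    r'\b(include_once|include|require_once|require)\s*\(?\s*([^;]+?)\s*\)?\s*;')
LITERAL_RE = re.compile(r'^\s*(["\']).*\1\s*$', re.S)

def scan_php(src):
    """Return (line_no, rule, snippet) findings for PHP source text src."""
    findings = []
    for m in FOREACH_RE.finditer(src):
        if any(v.group(1) == m.group(1) for v in VARVAR_RE.finditer(m.group(3))):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, "register_globals_emulation",
                             m.group(0).splitlines()[0].strip()))
    for m in INCLUDE_RE.finditer(src):
        if not LITERAL_RE.match(m.group(2)):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, "dynamic_include", f"{m.group(1)} {m.group(2)}"))
    return sorted(findings)
```

Running `scan_php(SAMPLE_PHP)` flags the foreach on line 3 and the two non-literal includes on lines 8 and 10, while the literal include of ../config/config.php is left alone.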

neilwiththedeal
Registered User
Posts: 1
Joined: Tue Feb 10, 2009 2:06 am

Re: [Discussion] Downtime and Server Compromise

Post by neilwiththedeal »

Can people please post what the personal effects of the compromise have been? Most notable for me is that my email was clearly included on a sale list to spammers (however it creeps me out that each one I get states that I signed up from my work IP, which it displays in the spam email...how was that # retrieved?).

Also, just what information was leaked and posted? Just email/pw/forum site, I'm assuming. Are people still saying the spam influx on forums isn't related to the hack? My site is so small, I can't imagine spammers would have interest if it were not related to the leaking of our info. Also we just opened in Sept 08, not really enough time for word about our forum to circulate...?

Besides all that, thank you phpbb your site had been great for us and made everything possible. :)
