Use this topic to discuss the Downtime and Server Compromise announcement.
Edit: For clarification, this was not a result of a security issue with phpBB3. PHPList, an external product that is not packaged with phpBB, but was used on phpbb.com, was compromised. There are no updates required for your phpBB board.
[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
- Project Manager
- Posts: 273
- Joined: Thu Oct 27, 2005 1:45 am
Last edited by Phil on Mon Feb 02, 2009 4:24 am, edited 1 time in total.
Reason: Add clarification
Downtime and Server Compromise
I think phpBB.com should install more security features.
- Project Manager
- Posts: 273
- Joined: Thu Oct 27, 2005 1:45 am
Re: [Discussion] Downtime and Server Compromise
Again, this happened due to an outdated software installation. Patching the vulnerability would have prevented this from being possible.
Re: [Discussion] Downtime and Server Compromise
Marshalrusty wrote:
Patching the vulnerability would have prevented this from being possible.

What does that mean?
Re: [Discussion] Downtime and Server Compromise
I too would like for that 'generic' statement to be explained.
If there are specific things to do, then indicate them. And from your comment, I 'assume' you have insight of exactly what issues have already been patched at phpBB?!
Martyn
- Project Manager
- Posts: 273
- Joined: Thu Oct 27, 2005 1:45 am
Re: [Discussion] Downtime and Server Compromise
Rocko444 wrote:
Marshalrusty wrote:
Patching the vulnerability would have prevented this from being possible.
What does that mean?

I'm not sure how to otherwise say it. If the security hole in the software was patched in time, it would not have been possible to exploit it. Keeping software up to date is absolutely key in preventing such things.

griffinmt wrote:
I too would like for that 'generic' statement to be explained.
If there are specific things to do, then indicate them. And from your comment, I 'assume' you have insight of exactly what issues have already been patched at phpBB?!
Martyn

The solution would be to update PHPList to the latest version. The latest version does not have the vulnerability that was used.
Re: [Discussion] Downtime and Server Compromise
Simply enough, it was a matter of patching the vulnerability in PHPList as their website notes. This serves as an excellent reminder of why keeping up to date is important -- we were only 3 days late, and were compromised as a result of it. There is no "patching" of any sort to do to the phpBB software.
Edit: In fact, we were attacked already 2 weeks before the update to PHPList was released. It was a 0-day exploit.
Last edited by igorw on Fri Feb 06, 2009 12:54 pm, edited 1 time in total.
Reason: adding correction
My phpbb.com account
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.
Re: [Discussion] Downtime and Server Compromise
I hope everything will be back as it was and better.
Any help we can give to the Team, we will be glad.
Regards
phpBBArabia • phpBB Arabic Support
Re: [Discussion] Downtime and Server Compromise
Garebooo wrote:
I hope every thing will back as it was and better
any Help we can give to the Team we will be glad

Things will be back and better in good time.
You can help by notifying a team member by PM if you find any sites hosting or linking to the stolen data from phpBB.com.
Re: [Discussion] Downtime and Server Compromise
I have read and am quoting the news from phplist.com about this vulnerability:

We've released version 2.10.9 that fixes a local file include vulnerability. This vulnerability allows attackers to display the contents of files on the server, which can aid them to gain unauthorised access.
Everyone using any version up to this one is advised to upgrade as soon as possible. Any clients hosted by Tincan have already been patched or upgraded.

What I don't understand here is, how to patch? What do I need to patch/upgrade?

Actually, they said to do this if you didn't want to patch/upgrade:

If you don't want to upgrade now, you can fix the vulnerability quickly by adding the following line to the top of the index file in the admin directory:
----------
if (isset($_REQUEST['_SERVER'])) { exit; }
----------
This will at least stop your installation from being vulnerable to this attack.
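The phplist one-liner quoted above rejects any request that carries a parameter named `_SERVER`, which is the client-supplied name the unpatched code could be tricked into trusting. The following PHP snippet is an added example (not phplist's own code and not from anyone in this thread) that generalizes the same guard: it refuses a request whose GET, POST or cookie parameters are named after any PHP superglobal, logs the attempt so an administrator can see probing in the web server error log, and is meant to be included at the very top of an entry script before any request data is read. The list of forbidden names, the log message format and the 400 status are my assumptions; it needs PHP 7.1 or later for the type declarations.

```php
<?php
// Added example: a request guard in the spirit of the phplist workaround
// "if (isset($_REQUEST['_SERVER'])) { exit; }". Not phplist's own code.
// Include this before anything else in an entry script such as admin/index.php.

// Parameter names that must never arrive from the client. The list is an
// assumption: PHP's superglobal names plus the legacy HTTP_*_VARS aliases that
// old code sometimes reads instead.
const FORBIDDEN_PARAM_NAMES = [
    '_SERVER', '_GET', '_POST', '_COOKIE', '_REQUEST', '_FILES', '_ENV', '_SESSION', 'GLOBALS',
    'HTTP_SERVER_VARS', 'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS',
    'HTTP_ENV_VARS', 'HTTP_SESSION_VARS', 'HTTP_POST_FILES',
];

/**
 * Return the first forbidden parameter name present in any of the supplied
 * input arrays, or null when the request is clean. Checking the already-parsed
 * arrays rather than the raw query string means PHP's own key normalization
 * (dots and spaces in names become underscores) has already been applied.
 */
function findForbiddenParam(array ...$inputs): ?string
{
    foreach ($inputs as $input) {
        foreach (FORBIDDEN_PARAM_NAMES as $name) {
            if (array_key_exists($name, $input)) {
                return $name;
            }
        }
    }
    return null;
}

/**
 * Reject the request with HTTP 400 if it tries to smuggle a superglobal name
 * in, logging the attempt via error_log() so it appears in the web server's
 * error log for later review.
 */
function rejectSuperglobalOverride(): void
{
    $hit = findForbiddenParam($_GET, $_POST, $_COOKIE);
    if ($hit === null) {
        return;
    }
    error_log(sprintf(
        'Rejected request from %s to %s: forbidden parameter "%s"',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $_SERVER['REQUEST_URI'] ?? 'unknown',
        $hit
    ));
    http_response_code(400);
    exit;
}

rejectSuperglobalOverride();
```

This is a stop-gap of the same kind as the phplist line, not a replacement for upgrading: it closes the one input path that a specific bug trusted, while the real fix is code that never lets request data overwrite its own configuration in the first place.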