What we can learn from yesterday's phpBB.com hack

Yesterday the phpBB.com server was hacked. Those who, like me, were around in the days of phpBB2 will be reminded of the security flaws found in the software back then. That was not the cause of this hack, though: the entry point was an unpatched version of another PHP package, and the intrusion exposed, amongst other things, the full user database and several server passwords.

As some of you may know, I used to be the Support Team Leader of the phpBB Support Team in the days of phpBB2. I had a lot of shit thrown my way back then, together with the rest of the support team, trying to keep up with the releases, the flaws, the patches and the thousands and thousands of phpBB users who were hit by one of the security flaws.

Most of the users hit by security flaws were, fortunately and unfortunately, not hit by unknown exploits or by published exploits that had not been patched yet. Instead, most of them were easy targets because they had not kept up with new versions and security patches: they left an old, vulnerable version of phpBB running, unpatched and open to exploitation. A lot of the criticism from users at the time was only partially fair; had they updated their forums to the latest version, they would not have been hit. Sure, that still means there was an exploit in an earlier version, which is not a good thing, but at least the phpBB group tried to patch vulnerabilities as soon as they were notified of the problem.

Because of the security issues with phpBB2, the phpBB group decided to have the brand new phpBB3 code thoroughly audited by what is probably the number one company in the world for PHP security: Stefan Esser's SektionEins. The issues SektionEins found were fixed before the final release of phpBB3, ensuring a secure codebase to start from. So when I got notice of yesterday's hack (through an e-mail the hacker sent to all subscribers of the phpBB announcement mailing list), I was fairly sure it was not phpBB itself that had been abused.

The hacker himself (herself?) confirmed this. The e-mail contained a lot of detail on how he got into the server using an exploit in an unpatched version of the phpList mailing list manager. I seriously disagree with the hacker's decision to also include a full export of the users table of phpBB.com, as well as other "private" information such as passwords; however, I must say I was impressed with the level of detail he gave about how he got in, and I think phpBB should learn something from this.

Separate from that, I think the whole world can learn something from this: your server is only as secure as its weakest link. So if you use any third-party open source software, make sure that you always run the latest version and that you subscribe to the notification mailing lists for new releases. That way you get notified when a new version is released, so you can update your installation and fix any known vulnerabilities in the software.

So even when you build your own application as securely as you can and have it audited by an external company, make sure that it is not just your application that gets audited, but also the environment it runs in.
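In practice, "know every third-party component and its version" is an inventory problem, and the unglamorous part is comparing what is installed against what the projects have released. The Python script below is an added example, not code from the original post, from phpBB or from phpList: it keeps a hand-maintained inventory of the web applications on a server beside the latest versions collected from the projects' announcement mailing lists, compares them with a small version parser that understands pre-release suffixes (so `3.0.4-RC1` is correctly older than `3.0.4`), and flags anything that is outdated or not tracked at all. The inventory, the version numbers and the `audit` helper are all constructed for this example and are not real release history.

```python
"""Third-party component inventory check.

Added example, not code from the original post, phpBB or phpList. The
inventory and the release feed below are constructed sample data; the
version numbers are placeholders, not real release history.
"""
import re

# Constructed inventory of web applications on one server.
INSTALLED = [
    {"name": "phpBB", "version": "3.0.4", "path": "/var/www/community"},
    {"name": "phpList", "version": "2.10.5", "path": "/var/www/lists"},
    {"name": "WordPress", "version": "2.7", "path": "/var/www/blog"},
    {"name": "AWStats", "version": "6.9", "path": "/var/www/stats"},
]

# Constructed "latest release" data, as collected from the projects'
# announcement mailing lists. AWStats is deliberately missing to show
# what happens to a component nobody subscribed to.
LATEST = {
    "phpBB": "3.0.4",
    "phpList": "2.10.9",
    "WordPress": "2.7.1",
}

# Pre-release suffixes sort before a final release of the same number.
PRERELEASE_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}
FINAL_RANK = 3

VERSION_RE = re.compile(
    r"^\s*v?(\d+(?:\.\d+)*)(?:[-._ ]?(alpha|beta|rc|a|b)\.?(\d*))?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '3.0.4-RC1' into a comparable tuple ((3, 0, 4), (2, 1)).

    Trailing zeros are dropped so that '3.0' equals '3.0.0', and a final
    release gets rank 3 so it sorts after any alpha/beta/rc of the same number.
    """
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError("unparseable version: %r" % text)
    numbers = [int(part) for part in match.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    if match.group(2):
        pre = (PRERELEASE_RANK[match.group(2).lower()], int(match.group(3) or 0))
    else:
        pre = (FINAL_RANK, 0)
    return tuple(numbers), pre


def is_outdated(installed_version, latest_version):
    """True when the installed version is older than the latest known release."""
    return parse_version(installed_version) < parse_version(latest_version)


def audit(installed, latest):
    """Return one finding per component that is outdated or not tracked.

    'untracked' means there is no release information for it at all, which
    usually means nobody is subscribed to that project's announcements.
    """
    findings = []
    for component in installed:
        name = component["name"]
        if name not in latest:
            findings.append({"name": name, "path": component["path"],
                             "installed": component["version"],
                             "latest": None, "status": "untracked"})
        elif is_outdated(component["version"], latest[name]):
            findings.append({"name": name, "path": component["path"],
                             "installed": component["version"],
                             "latest": latest[name], "status": "outdated"})
    return findings


if __name__ == "__main__":
    for finding in audit(INSTALLED, LATEST):
        print("%-10s %-20s installed %-8s latest %-8s %s" % (
            finding["status"].upper(), finding["path"],
            finding["installed"], finding["latest"] or "?", finding["name"]))
```

Run as a cron job against the real inventory, the "untracked" status is the useful one: a component that is not in the release feed is exactly the kind of forgotten mailing-list manager that turns into the weakest link.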


© 2004 - 2013 Stefan Koopmanschap