What we can learn from yesterday's phpBB.com hack

Yesterday the phpBB.com server got hacked. People who, like me, were there back in the days of phpBB2 will be reminded of the security flaws found in the software back then. However, those flaws were not the cause of this hack. An unpatched version of another PHP package was, and the intrusion exposed, amongst other things, the full user database and several server passwords.

As some of you may know, I used to be the Support Team Leader of the phpBB Support Team back in the days of phpBB2. Together with the rest of the support team, I had a lot of shit thrown my way back then while trying to keep up with the releases, the flaws, the patches and the thousands and thousands of phpBB users that were hit by one of the security flaws.

Most of the users hit by security flaws were - fortunately and unfortunately - not hit by unknown exploits, or by published exploits that had not been patched yet. Instead, most hits were easy to score because a lot of phpBB users didn't keep up with new versions and/or security patches: they left their old, vulnerable version of phpBB running unpatched and open to exploitation. A lot of the criticism from users at that time was only partially fair; had they updated their forums to the latest version, they would not have been hit. Sure, it means there was an exploit in an earlier version, and that is not a good thing, but at least the phpBB group tried to patch vulnerabilities as soon as they were notified of the problem.

Because of the security issues in phpBB2, though, the phpBB group decided to have their brand new code for phpBB3 thoroughly audited by what is probably the number one company in the world for PHP security: Stefan Esser's SektionEins. The issues found by SektionEins were quickly solved before the final release of phpBB3, ensuring a secure codebase to start with. So when I got notice of yesterday's hack (through an e-mail sent by the hacker to all subscribers of the phpBB announcement mailing list), I was pretty sure it was not phpBB itself that was abused.

The hacker himself (herself?) confirmed this. The e-mail sent out contained a lot of details on how he got into the server using an exploit in an unpatched version of the phpList mailing list manager. I seriously disagree with the hacker's decision to also include a full export of the users table of phpBB.com, as well as other "private" information such as passwords; however, I must say I was impressed with the level of detail the hacker gave on how he got into the server, and I think phpBB should learn something from this.

Separate from that, though, I think the whole world can learn something from this: your server is only as secure as its weakest link. So if you use any third party open source software, make sure that you always run the latest version, and that you subscribe to the notification mailing lists for new releases. This ensures that you are notified when new versions are released, so that you can upgrade your installation to the latest version and fix any vulnerabilities in the software.

So even when you build your own application as securely as you can and have it audited by an external company, make sure that not just your application is audited, but also the environment it runs in.
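The advice above (subscribe to the release lists of every third-party package you run, and act on them) can be turned into a routine check. The following is an added example, not code from this post or from the phpBB or phpList projects; it assumes a hand-maintained inventory of deployed packages and uses constructed announcement subject lines, parsing out package names and version numbers and reporting which deployments lag behind, with security releases flagged.

```python
import re

# Constructed inventory of deployed third-party packages (names from the post, versions made up).
DEPLOYED = {"phpbb": "3.0.2", "phplist": "2.10.8"}

# Constructed subject lines, as they might arrive from release-announcement lists.
ANNOUNCEMENTS = [
    "[phpBB-announce] phpBB 3.0.4 released",
    "phplist 2.10.9 security release",
    "phpBB 3.0.3 released",
    "Re: phplist 2.10.9 security release",   # reply quoting the same version
    "newsletter: unrelated marketing mail",   # carries no version at all
]

SUBJECT_RE = re.compile(r"\b(phpbb|phplist)\s+(\d+(?:\.\d+)+)\b", re.IGNORECASE)

def parse_version(text):
    """'2.10.9' -> (2, 10, 9): compare numerically, never as strings."""
    return tuple(int(part) for part in text.split("."))

def newest_announced(subjects):
    """Newest announced version per package, and whether a subject for it said 'security'."""
    newest = {}
    for subject in subjects:
        match = SUBJECT_RE.search(subject)
        if not match:
            continue
        pkg, ver = match.group(1).lower(), parse_version(match.group(2))
        security = "security" in subject.lower()
        known = newest.get(pkg)
        if known is None or ver > known[0]:
            newest[pkg] = (ver, security)
        elif ver == known[0]:
            newest[pkg] = (ver, known[1] or security)
    return newest

def outdated(deployed, subjects):
    """Packages whose deployed version is older than the newest announced one."""
    report = {}
    for pkg, (ver, security) in newest_announced(subjects).items():
        if pkg in deployed and parse_version(deployed[pkg]) < ver:
            report[pkg] = {"deployed": deployed[pkg],
                           "latest": ".".join(map(str, ver)),
                           "security": security}
    return report

if __name__ == "__main__":
    for pkg, info in outdated(DEPLOYED, ANNOUNCEMENTS).items():
        tag = " (SECURITY)" if info["security"] else ""
        print(f"{pkg}: {info['deployed']} -> {info['latest']}{tag}")
```

Feed it the subjects of a real announcement-list mailbox and the inventory of what is actually installed; the value is in the inventory being honest, since a package nobody remembers installing is exactly the weakest link the post describes.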


Comments

Dominik Dröscher: The problem was that the fix came two weeks after the initial break-in and just a few hours before he sent out the mail. It was not a known security issue before that. Even if we had added the fix as soon as possible, it would have changed nothing.

That doesn't change your point though. Keep your software up to date! Subscribe to mailing lists and always have someone available that can patch exploits quickly.


February 3, 2009
left: Hi Dominik,

I was not pointing fingers, I just took the phpBB.com hack as a high-profile example of the point. Still too often I notice that people don't properly update/patch their open source software, causing problems.
February 3, 2009
Stefan Esser: If the vulnerability used to compromise was indeed the phplist _server overwrite vulnerability then the Suhosin extension would have stopped this attack.
February 3, 2009
Rockeiro: And the point of this hacker's hack in the first place is...???? Because I could???

What I really want to know from people in the know (obviously you know a lot more than me) is what is REALLY being done with the user data table? I heard it was posted PUBLICLY? Why would someone do that?? If it is publicly posted, then where is it posted??
February 4, 2009
Rockeiro: OK. Found the original blog where the guy posted his trophy hack here:
http://hackedphpbb.blogspot.com/

All the files may have been posted publicly at rapidshare but are no longer available. I'm sure they're underground by now in full circulation.

For a trophy hack, that was totally irresponsible to turn over a whole db to the internet underground like that. What an idiot. No sense of fair play whatsoever. Remind me to post that picture I have of him diddling his sister.
February 4, 2009

© 2004 - 2010 Stefan Koopmanschap + Powered by Symfony, photos powered by Flickr, links powered by Delicious, Shanghai smilies by Iconbuffet. Feeds: rss / atom. Left on the Web v4.4.0.1