What we can learn from yesterday's phpBB.com hack

Yesterday the phpBB.com server got hacked. People who, like me, were around in the days of phpBB2 will be reminded of the security flaws found in the software back then. However, that was not the cause of this hack. It was an unpatched version of another PHP package that let the attacker in, exposing, amongst other things, the full user database and several server passwords.

As some of you may know, I used to be the Support Team Leader of the phpBB Support Team back in the days of phpBB2. I had a lot of shit thrown my way back then, together with the rest of the support team, trying to keep up with the releases, the flaws, the patches and the thousands and thousands of phpBB users hit by one of the security flaws.

Most of the users hit by security flaws were, fortunately and unfortunately, not hit by unknown exploits or by published exploits that had not been patched yet. Instead, most compromises were easy because a lot of phpBB users didn't keep up with new versions and security patches: they left an old, vulnerable version of phpBB running unpatched and open to exploitation. A lot of the criticism from users at that time was only partially fair; had they updated their forums to the latest version, they would not have been hit. Sure, it means there was an exploit in an earlier version, and that is not a good thing, but at least the phpBB group tried to patch vulnerabilities as soon as they were notified of a problem.

Because of the security issues in phpBB2, though, the phpBB group decided to have the brand new phpBB3 code thoroughly audited by what is probably the number one PHP security company in the world: Stefan Esser's SektionEins. The issues SektionEins found were fixed before the final release of phpBB3, so it started from a secure codebase. So when I got notice of yesterday's hack (through an e-mail the hacker sent to all subscribers of the phpBB announcement mailing list), I was pretty sure it was not phpBB itself that had been abused.

The hacker himself (herself?) confirmed this. The e-mail contained a lot of detail on how he got into the server through an exploit in an unpatched version of the phpList mailing list manager. I seriously disagree with the hacker's decision to also include a full export of the phpBB.com users table, as well as other "private" information such as passwords, but I must say I was impressed with the level of detail the hacker gave on how he got into the server, and I think phpBB should learn something from this.

Separate from that, though, I think the whole world can learn something from this: your server is only as secure as its weakest link. So if you use any third-party open source software, make sure you always run the latest version, and subscribe to the release notification mailing lists. That way you are notified as soon as a new version is released, so that you can update your installation and close any vulnerabilities fixed in it.

So even when you build your own application as securely as you can and have it audited by an external company, make sure the audit covers not just your application but also the environment it runs in.
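As an added example that is not part of the original post, here is a small Python script that puts the "keep every third-party package current" advice into practice: it keeps an inventory of which packages are deployed where, compares each installed version with the newest release you have been notified of (for instance from a release announcement mailing list), and reports anything that is behind or that nobody is tracking at all. The package names, version numbers, paths and the inventory format are all constructed for the example and are not real phpBB.com data.

```python
"""Added example (not from the original post): a freshness check for
third-party packages deployed on a web server.

The weakest link is often an unpatched third-party package. This script
compares an inventory of installed packages with the newest release you
know of and flags anything that is behind. All names, versions and paths
below are constructed placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str       # package identifier, e.g. "phplist"
    installed: str  # version string as deployed
    path: str       # where it lives on the server


# Constructed inventory: what is deployed, and where.
INVENTORY = [
    Component("phpbb", "3.0.4", "/var/www/forum"),
    Component("phplist", "2.10.5", "/var/www/newsletter"),
    Component("wordpress", "2.7.1", "/var/www/blog"),
]

# Constructed "newest release" table, maintained from the release
# announcement lists you subscribe to. Versions are placeholders.
LATEST = {
    "phpbb": "3.0.4",
    "phplist": "2.10.8",
    "wordpress": "2.7.1",
}


def parse_version(text: str) -> tuple:
    """Turn '3.0.4' into a comparable tuple. Pre-release tags (alpha, beta,
    rc) sort below the final release of the same number, and short versions
    are padded so that '3.0' equals '3.0.0'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?(rc|beta|alpha)(\d*))?",
                     text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers = numbers + (0,) * (4 - len(numbers))
    if m.group(2):
        rank = {"alpha": 0, "beta": 1, "rc": 2}[m.group(2).lower()]
        pre = (0, rank, int(m.group(3) or 0))   # pre-release: below final
    else:
        pre = (1, 0, 0)                          # final release
    return numbers + pre


def is_outdated(installed: str, latest: str) -> bool:
    """True when the deployed version is older than the newest known one."""
    return parse_version(installed) < parse_version(latest)


def outdated_components(inventory, latest_releases):
    """Return (component, newest) pairs for everything that is behind.
    Packages with no entry in the release table are reported with newest
    set to None, so an untracked install does not silently escape."""
    report = []
    for comp in inventory:
        newest = latest_releases.get(comp.name)
        if newest is None:
            report.append((comp, None))
        elif is_outdated(comp.installed, newest):
            report.append((comp, newest))
    return report


def format_report(report):
    """Render the report as one line per finding."""
    lines = []
    for comp, newest in report:
        if newest is None:
            lines.append(f"UNTRACKED {comp.name} {comp.installed} at {comp.path}: "
                         f"no release feed on record")
        else:
            lines.append(f"OUTDATED  {comp.name} {comp.installed} at {comp.path}: "
                         f"newest release is {newest}")
    return lines


if __name__ == "__main__":
    for line in format_report(outdated_components(INVENTORY, LATEST)):
        print(line)
```

Run it from cron and mail the output: an empty report means every deployed package matches the announcements you have subscribed to, while an UNTRACKED line means something was installed without anyone watching its release feed, which is exactly the gap described above.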

Comments

Dominik Dröscher: The problem was that the fix came two weeks after the initial break-in and just a few hours before he sent out the mail. It was not a known security issue before that. Even if we had added the fix as soon as possible, it would have changed nothing.

That doesn't change your point though. Keep your software up to date! Subscribe to mailing lists and always have someone available that can patch exploits quickly.


February 3, 2009
left: Hi Dominik,

I was not pointing fingers, I just took the phpBB.com hack as a high-profile example of the point. Still too often I notice that people don't properly update/patch their open source software, causing problems.
February 3, 2009
Stefan Esser: If the vulnerability used to compromise was indeed the phplist _server overwrite vulnerability then the Suhosin extension would have stopped this attack.
February 3, 2009
Rockeiro: And the point to this hacker's hack in the first place is..???? because I could???

What I really want to know from people in the know (obviously you know a lot more than me) is what is REALLY being done with the user data table? I heard it was posted PUBLICLY? Why would someone do that?? If it is publicly posted, then where is it posted??
February 4, 2009
Rockeiro: OK. Found the original blog where the guy posted his trophy hack here:
http://hackedphpbb.blogspot.com/

All the files may have been posted publicly at rapidshare but are no longer available. I'm sure they're underground by now in full circulation.

For a trophy hack, that was totally irresponsible to turn over a whole db to the internet underground like that. What an idiot. No sense of fair play whatsoever. Remind me to post that picture I have of him diddling his sister.
February 4, 2009
© 2004 - 2012 Stefan Koopmanschap, Left on the Web