phpBB Security Hole


Simon
12-12-2004, 07:42 PM
For those who aren't aware, phpBB 2.0.10 and earlier has a VERY SERIOUS security hole where people can gain admin status by loading a single specially-crafted URL -- it's very easy. The user can also execute whatever PHP code they like including executing programs, and probably reading your config.php to find database username and password.

I had someone gain access on Thursday and read through the private forums. It was someone I know who I've talked to since. Thankfully it alerted me to the problem. Even though I had already patched to version 2.0.11 I think I must have somehow missed viewtopic.php -- I may have restored that file from a pre-upgrade backup. Seven different IPs have tried the same exploit since that event and they may have been much more malicious. Some other forums on the net feature members bragging about forums they hacked where they deleted all threads except one to say they hacked it.

UPGRADE ASAP! Go here...
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636

Hackers could deface/delete your entire website without too much work if you're using a phpBB version prior to 2.0.11.

< Simon >

Yeti
12-14-2004, 10:16 PM
test

wcfan3
12-21-2004, 10:28 AM
Originally posted by Simon
For those who aren't aware, phpBB 2.0.10 and earlier has a VERY SERIOUS security hole where people can gain admin status by loading a single specially-crafted URL -- it's very easy. The user can also execute whatever PHP code they like including executing programs, and probably reading your config.php to find database username and password.

I had someone gain access on Thursday and read through the private forums. It was someone I know who I've talked to since. Thankfully it alerted me to the problem. Even though I had already patched to version 2.0.11 I think I must have somehow missed viewtopic.php -- I may have restored that file from a pre-upgrade backup. Seven different IPs have tried the same exploit since that event and they may have been much more malicious. Some other forums on the net feature members bragging about forums they hacked where they deleted all threads except one to say they hacked it.

UPGRADE ASAP! Go here...
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636

Hackers could deface/delete your entire website without too much work if you're using a phpBB version prior to 2.0.11.

If you haven't already upgraded to version 2.0.11, you'd better hurry up and do it, because time has run out! There is a new worm on the internet, looking for older versions of phpBB forums. When one is found, it is defacing not only the forum, but the entire website.

Read here for more info:
http://www.kaspersky.com/news?id=156681162

I had upgraded all but 1 of mine a couple of weeks ago. I just got the last one upgraded to version 2.0.11 a few minutes ago.

Edit: Removed link to defaced site. It's back up and working now, but the forum was still showing a "critical error" message when I checked it.

Simon
12-21-2004, 01:49 PM
I hadn't heard about the worm, so thanks for the heads-up.

I've also since removed the phpBB version number from the bottom of pages because that's one way people can find exploitable sites.

< Simon >

Brother Erryn
12-22-2004, 04:26 AM
For those that have customizations and are afraid of losing them in an upgrade, there is a specific fix for this hole:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

SmackDaddy
01-03-2005, 08:37 AM
All of the attacks on phpBB and PHPNuke (which has phpBB as its forum software) have driven me from both......it's kind of like why I won't use Norton or McAfee for my anti-virus software. It's because the software with the most users is the software most open to attack or "disabling" prior to an attack. I prefer to enjoy my software, not have to be on top of security issues on a weekly basis just hoping that someone isn't going to break in and destroy all I have worked to keep running.

So check out the "new" PCToolbin's forum software: http://pctoolbin.com

SmackDaddy
01-03-2005, 08:39 AM
Originally posted by Brother Erryn
For those that have customizations and are afraid of losing them in an upgrade, there is a specific fix for this hole:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

Thanks for this! I help administer a phpBB forum already using 2.0.11, but will keep this in mind.....

wcfan3
02-09-2005, 10:53 AM
Looks like phpBB has had some more problems - http://www.phpbb.com/:


Last updated: 9th February 2005, 12:22 GMT

Hi everyone,

A further update and reminder as to the situation with this site. Our system was compromised Sunday evening by a group of hackers/crackers who (based on available information apparently corroborated by said hackers/crackers) used an exploit in awstats to gain entry. I'll repeat this very clearly since some people and worse some hosting providers are not listening to what is being said. Based on said information we do not believe, nor do we have any reason to believe, that our system was compromised due to any fault in phpBB 2.0.11.

Server update, unfortunately the datacenter where our box is located have been less than helpful. The box was supposed to have been shipped Monday, it wasn't. With further pushing we were told it would definitely ship yesterday (Tuesday), it didn't. The box is now being collected "manually". Very unimpressive service quite frankly. Because of this we are now working to an altered plan which may see the site return tomorrow (Thursday 9th) or Friday (10th). Please note that we will not be able to comment on the method used to exploit our site for at least several days.

It is actually quite frustrating at present that some hosting providers are asking or forcing their customers to remove installs of phpBB 2.0.11 due to the loss of phpbb.com. As I say above, our best available information right now is that phpBB was not to blame. If a hosting provider knows different perhaps they can inform us (along with details of how they know!).

Equally it's annoying to see some people posting the same old highlighting exploit claiming their 2.0.11 board was hacked via it. Again unless my team and indeed our other teams, heck large sections of our community, are all lying to me that vulnerability was fixed in 2.0.11. Sites running .11 and claiming (or their hosts claiming) to have been attacked using it should take a close look at other applications they have installed. phpBB is not alone in being exploited, all the major boards can be if you don't update as new releases are made. Equally users should ensure the relevant highlighting fix is indeed present. Over the years we've dealt with thousands of users who say they've patched something (be it an exploit or bug) but upon examination we've discovered the problem code is still there. Equally hosts should look at their own systems. Are you running awstats? If so, have you updated? Do you regularly update your OS and particularly the kernel (if appropriate) as fixes are released? Are your users running old versions of other PHP/Perl/etc. software? Have you set appropriate permissions on key folders such as /tmp and /var/tmp? Is your webserver running with as few permissions as possible? Just because we overlooked something doesn't mean you should!

To our community, please do not ask us for further updates as to the situation, its cause, etc. Everything we have to say is said here. Our support channel (#phpbb) on IRC has at times been swamped with "What happened? Any news?" style questions which are making it extremely difficult to support users with real issues. So we appreciate the interest but please, accept that we have nothing else to add.

Users in need of support with phpBB 2.0.x can visit our development board, area51.phpbb.com, where such support is being offered at this time. Of course you can also view the next version of phpBB, 3.0 "Olympus", in the process (minus the new style of course!). We are also maintaining our IRC support channel, #phpbb on the irc.freenode.net network.

Again we apologise for any problems this may cause our userbase. We obviously take the huge support our community gives phpBB very seriously. And we will do our best to return to "normal operations" just as soon as we can.

psoTFX - phpBB Group

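Two points in this thread are worth turning into a concrete check: Simon's note that he had upgraded to 2.0.11 but a pre-upgrade viewtopic.php had crept back in (and that he later removed the version number from the footer), and psoTFX's warning that many boards claiming to be patched still contain the problem code. The script below is an added example written for this page, not phpBB's own code and not from any poster. It assumes that the pre-2.0.11 viewtopic.php passes the `highlight` query parameter through `urldecode()` before `htmlspecialchars()` and that the 2.0.11 fix removes that `urldecode()` call; the PHP lines and footer HTML embedded in it are constructed to match that pattern rather than copied from a real install, so compare against the fix topic linked above if your copy differs. It shows why the extra decode mattered (a double-encoded `%2527` comes out as a bare quote that the default `htmlspecialchars()` flags do not touch), greps a viewtopic.php source for the removed call, and reports whether the page footer still announces the version.

```python
"""Post-patch checks for a phpBB 2.0.x install (added example, not phpBB code).

Assumption: the vulnerable viewtopic.php applied urldecode() to the
highlight parameter before htmlspecialchars(), and 2.0.11 removed it.
All sample strings below are constructed for this demo.
"""
import re
from urllib.parse import unquote

# --- 1. Why the double decode mattered ------------------------------------

def php_htmlspecialchars_default(s: str) -> str:
    """Mimic PHP htmlspecialchars() with its default flags (ENT_COMPAT):
    it escapes & " < > but leaves the single quote untouched."""
    return (s.replace("&", "&amp;").replace('"', "&quot;")
             .replace("<", "&lt;").replace(">", "&gt;"))

def highlight_after_decode(raw_query_value: str, extra_urldecode: bool) -> str:
    """Return the highlight value as the regex-building code would see it.

    PHP decodes the query string once when filling $HTTP_GET_VARS. The
    pre-2.0.11 code decoded it a second time, so a double-encoded quote
    (%2527) came out as a bare ' that the escaping did not touch. With
    extra_urldecode=False (the 2.0.11 behaviour) the same input stays as
    the harmless text %27.
    """
    value = unquote(raw_query_value)      # decode done by PHP itself
    if extra_urldecode:
        value = unquote(value)            # the extra decode that 2.0.11 removed
    return php_htmlspecialchars_default(value)

# --- 2. Is the fix actually in viewtopic.php? -----------------------------

# Call that must be gone once the 2.0.11 highlight fix is applied (assumption).
VULNERABLE_HIGHLIGHT = re.compile(
    r"urldecode\s*\(\s*\$HTTP_GET_VARS\s*\[\s*['\"]highlight['\"]\s*\]\s*\)")

def viewtopic_still_vulnerable(viewtopic_source: str) -> bool:
    """True if the source still applies urldecode() to the highlight parameter."""
    return VULNERABLE_HIGHLIGHT.search(viewtopic_source) is not None

def is_unpatched_version(version: str) -> bool:
    """True for any 2.0.x release before 2.0.11."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (2, 0, 11)

# --- 3. Does the footer give the version away? ----------------------------

FOOTER_VERSION = re.compile(r"phpBB(?:</a>)?\s*(\d+\.\d+\.\d+)")

def footer_version(page_html: str):
    """Return the version string printed right after 'phpBB' in the footer, or None."""
    m = FOOTER_VERSION.search(page_html)
    return m.group(1) if m else None

# Constructed samples (not from a real install).
OLD_LINE = ("$words = explode(' ', trim(htmlspecialchars("
            "urldecode($HTTP_GET_VARS['highlight']))));")
FIXED_LINE = ("$words = explode(' ', trim(htmlspecialchars("
              "$HTTP_GET_VARS['highlight'])));")
FOOTER_LEAKY = ('<span class="copyright">Powered by <a href="http://www.phpbb.com/">'
                'phpBB</a> 2.0.10 &copy; 2001, 2002 phpBB Group</span>')
FOOTER_QUIET = ('<span class="copyright">Powered by <a href="http://www.phpbb.com/">'
                'phpBB</a> &copy; 2001, 2002 phpBB Group</span>')

if __name__ == "__main__":
    print("old code sees  :", highlight_after_decode("%2527", True))    # '
    print("fixed code sees:", highlight_after_decode("%2527", False))   # %27
    print("old line vulnerable  :", viewtopic_still_vulnerable(OLD_LINE))    # True
    print("fixed line vulnerable:", viewtopic_still_vulnerable(FIXED_LINE))  # False
    print("footer leaks:", footer_version(FOOTER_LEAKY), footer_version(FOOTER_QUIET))
```

To use it against a live board, feed `viewtopic_still_vulnerable()` the contents of the viewtopic.php actually served from the web root (not the copy in the upgrade archive) and `footer_version()` the HTML of any rendered page; a grep for the removed call is a far more reliable test than the version string, since the version string is exactly what the worm keyed on and what Simon removed.
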
Simon
02-09-2005, 01:26 PM
Yeah, saw that a couple of days ago... Really unfortunate. I guess as phpBB grows in popularity, it will become the target for more and more attacks.

Thankfully what brought them down doesn't seem to be phpBB related - some other hole somewhere.

< Simon >

Simon
02-09-2005, 01:32 PM
IH seems to still be using AwStats 6.2 which is vulnerable to the exploit that got phpBB hacked. I assume that AwStats is only available via CPanel and so requires login (which means anonymous users shouldn't be able to make use of it). Can someone confirm this?

< Simon >

wcfan3
02-09-2005, 06:46 PM
As a test, I just tried accessing the URL for my AWSTATS directly, not through Cpanel. I was immediately prompted for my username and password and the page would not display until I logged in.

We still need to have the AWSTATS upgraded to version 6.3 though - better to be safe than sorry. All you have to do is look at what happened to phpbb.com. :(

SmackDaddy
02-11-2005, 05:24 AM
So.......can IH simply upgrade the AWStats program themselves, or.....since it's integrated into CPanel, do they have to wait for the WHM/CPanel people to get off their tushes and upgrade it?!?!