[Security] phpBB 3.2.2 Packages Compromised

Marshalrusty
Project Manager
Posts: 29229
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

[Security] phpBB 3.2.2 Packages Compromised

Post by Marshalrusty » Sat Jan 27, 2018 2:57 am

Earlier today, we identified that the download URLs for two phpBB packages available on phpBB.com were redirecting to a server that did not belong to us. We immediately took down the links and launched an investigation.

The point of entry was a third-party site. Neither phpBB.com nor the phpBB software were exploited in this attack.

If you downloaded either the 3.2.2 full package or the 3.2.1 -> 3.2.2 automatic updater package between the hours of 12:02 PM UTC and 15:03 PM UTC on January 26th, you received an archive modified with a malicious payload.

During the course of our investigation, we were able to take steps that should render the malicious code completely inoperable. However, in the unlikely event that multiple versions of the packages exist or that something was missed, we are choosing to leave nothing to chance.

As the packages were live for only three hours, we believe that a very small number of users are affected. We therefore ask that you perform the following steps so that we may render personalized assistance:
  1. If you believe that you have a malicious package, please email it to security@phpbb.com so that we can check it against the version we obtained. We will likewise let you know if it is affected. You may also use the SHA256 checksum found on the downloads page to verify its validity. Do not use the potentially affected package.
  2. If you have already used the package to install or update a phpBB forum, please file an incident report on our tracker and we will assist with removal of the malicious code.
  3. The downloads currently available on the downloads page are safe. If you have any doubts whatsoever, download a fresh copy.

Our investigation is ongoing and we will provide additional information as it becomes available.


Thank you,

The phpBB Team

-----

You may discuss this announcement in its discussion topic.
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs
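
The checksum check from step 1 of the announcement, as an added example that is not part of the original post or of phpBB's tooling. It assumes the published SHA256 value was copied from the downloads page itself rather than from wherever the archive came from; the file names and archive bytes are constructed stand-ins.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash the archive in chunks so a large package is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_published(text):
    """Accept a bare hex digest or a 'digest  filename' line; reject anything else."""
    parts = text.split()
    token = parts[0].lower() if parts else ""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a SHA-256 hex digest: %r" % text)
    return token

def verify_package(path, published_text):
    """True only when the local archive matches the published checksum."""
    return hmac.compare_digest(sha256_file(path), parse_published(published_text))

def demo():
    # Constructed data: a stand-in "genuine" archive and a copy altered after publication.
    genuine = b"constructed stand-in for the genuine archive" * 1000
    modified = genuine + b"extra bytes appended in transit"
    # Upper-case digest plus file name, the way a checksum line is often pasted.
    published = hashlib.sha256(genuine).hexdigest().upper() + "  package.zip\n"
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("genuine.zip", genuine), ("modified.zip", modified)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results.append(verify_package(path, published))
    return tuple(results)

if __name__ == "__main__":
    print(demo())
```

A mismatch means the archive should not be unpacked or installed; per the announcement, it is the file to send to security@phpbb.com.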


Re: [Security] phpBB 3.2.2 Packages Compromised

Post by Marshalrusty » Sat Jan 27, 2018 10:55 pm

Hello everyone,

We are continuing our investigation, but are ready to provide some additional information to keep you informed.

The modified packages we obtained contain a section of malicious code that attempts to load JavaScript from a remote source. At this time, we are in control of the domain names that would be hosting that JavaScript, rendering the code harmless.

We can additionally say that due to the limited window during which the packages were live, we estimate the total number of affected downloads does not exceed 500.

Further information will follow as it becomes available.

Thank you,

The phpBB Team

Re: [Security] phpBB 3.2.2 Packages Compromised

Post by Marshalrusty » Fri Feb 16, 2018 3:52 pm

Greetings,

At this time, we have further information to supplement the preliminary reports above.

Following our initial discovery of the altered download links, we traced the origin of the redirect back to our DNS configuration. phpBB.com utilizes Cloudflare's DNS platform, and we immediately notified them of the compromise. We likewise initiated security protocols, which included changing credentials and verifying the integrity of all other systems.

Meanwhile, Cloudflare were exceedingly responsive, conducting a detailed investigation on their end and working with members of our team. What we know is that a malicious actor was able to successfully issue commands to our Cloudflare account via the API, utilizing our unique API key to create a page rule to redirect the links for two specific download packages. phpBB.com has never utilized the Cloudflare API and does not have the API key stored on our servers. Cloudflare thoroughly investigated the issue and is confident that security around their API key system has not been compromised.

We continue to be on heightened alert and will provide additional updates if new information becomes available. Cloudflare has been kind enough to upgrade the tier of our account so that we may utilize additional security features going forward.

Thank you,

The phpBB Team
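
A defensive check for the kind of change described in this update, a page rule that forwards specific URLs to a host outside the site's own domains. This is an added example, not code from phpBB or Cloudflare: it audits an already-fetched page-rule listing, the JSON layout follows Cloudflare's page-rule list response as assumed here, and the rule ids, hosts and dates in the sample are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like a page-rule listing; ids, hosts and dates are made up.
SAMPLE = json.loads(r"""
{"success": true, "result": [
 {"id": "constructed-rule-1", "status": "active", "created_on": "2017-03-02T10:00:00Z",
  "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "example.org/*"}}],
  "actions": [{"id": "forwarding_url",
               "value": {"url": "https://www.example.org/$1", "status_code": 301}}]},
 {"id": "constructed-rule-2", "status": "active", "created_on": "2024-05-01T12:00:00Z",
  "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "www.example.org/files/release.zip"}}],
  "actions": [{"id": "forwarding_url",
               "value": {"url": "http://www.example.org.mirror.invalid/release.zip", "status_code": 302}}]},
 {"id": "constructed-rule-3", "status": "active", "created_on": "2016-08-11T09:30:00Z",
  "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "example.org/login*"}}],
  "actions": [{"id": "always_use_https"}]}
]}
""")

def host_allowed(host, allowed_domains):
    """Exact match or true subdomain; 'example.org.mirror.invalid' does not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def audit_page_rules(response, allowed_domains):
    """Return every forwarding rule whose destination leaves the allowed domains."""
    findings = []
    for rule in response.get("result") or []:
        pattern = ", ".join(t.get("constraint", {}).get("value", "?")
                            for t in rule.get("targets", []))
        for action in rule.get("actions", []):
            if action.get("id") != "forwarding_url":
                continue  # only redirects can send visitors to another server
            dest = (action.get("value") or {}).get("url", "")
            host = urlsplit(dest if "//" in dest else "//" + dest).hostname
            if not host_allowed(host, allowed_domains):
                findings.append({"rule_id": rule.get("id"), "status": rule.get("status"),
                                 "created_on": rule.get("created_on"),
                                 "pattern": pattern, "destination": dest})
    return findings

if __name__ == "__main__":
    for finding in audit_page_rules(SAMPLE, {"example.org"}):
        print(finding)
```

Run on a schedule against the live listing, a check like this turns an unexpected forwarding rule into an alert instead of something noticed only when downloads start landing on another server.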