
[Security] phpBB 3.2.2 Packages Compromised

Posted: Sat Jan 27, 2018 2:57 am
by Marshalrusty
Earlier today, we identified that the download URLs for two phpBB packages available on were redirecting to a server that did not belong to us. We immediately took down the links and launched an investigation.

The point of entry was a third-party site. Neither nor the phpBB software were exploited in this attack.

If you downloaded either the 3.2.2 full package or the 3.2.1 -> 3.2.2 automatic updater package between the hours of 12:02 PM UTC and 15:03 PM UTC on January 26th, you received an archive modified with a malicious payload.

During the course of our investigation, we were able to take steps that should render the malicious code completely inoperable. However, in the unlikely event that multiple versions of the packages exist or that something was missed, we are choosing to leave nothing to chance.

As the packages were live for only three hours, we believe that a very small number of users are affected. We therefore ask that you perform the following steps so that we may render personalized assistance:
  1. If you believe that you have a malicious package, please email it to so that we can check it against the version we obtained. We will likewise let you know if it is affected. You may also use the SHA256 checksum found on the downloads page to verify its validity. Do not use the potentially affected package.
  2. If you have already used the package to install or update a phpBB forum, please file an incident report on our tracker and we will assist with removal of the malicious code.
  3. The downloads currently available on the downloads page are safe. If you have any doubts whatsoever, download a fresh copy.

Our investigation is ongoing and we will provide additional information as it becomes available.

Thank you,

The phpBB Team


You may discuss this announcement in its discussion topic.

Re: [Security] phpBB 3.2.2 Packages Compromised

Posted: Sat Jan 27, 2018 10:55 pm
by Marshalrusty
Hello everyone,

We are continuing our investigation, but are ready to provide some additional information to keep you informed.

The modified packages we obtained contain a section of malicious code that attempts to load JavaScript from a remote source. At this time, we are in control of the domain names that would be hosting that JavaScript, rendering the code harmless.

We can additionally say that due to the limited window during which the packages were live, we estimate the total number of affected downloads does not exceed 500.

Further information will follow as it becomes available.

Thank you,

The phpBB Team

Re: [Security] phpBB 3.2.2 Packages Compromised

Posted: Fri Feb 16, 2018 3:52 pm
by Marshalrusty

At this time, we have further information to supplement the preliminary reports above.

Following our initial discovery of the altered download links, we traced the origin of the redirect back to our DNS configuration. utilizes Cloudflare's DNS platform, and we immediately notified them of the compromise. We likewise initiated security protocols, which included changing credentials and verifying the integrity of all other systems.

Meanwhile, Cloudflare were exceedingly responsive, conducting a detailed investigation on their end and working with members of our team. What we know is that a malicious actor was able to successfully issue commands to our Cloudflare account via the API, utilizing our unique API key to create a page rule to redirect the links for two specific download packages. has never utilized the Cloudflare API and does not have the API key stored on our servers. Cloudflare thoroughly investigated the issue and is confident that security around their API key system has not been compromised.

We continue to be on heightened alert and will provide additional updates if new information becomes available. Cloudflare has been kind enough to upgrade the tier of our account so that we may utilize additional security features going forward.

Thank you,

The phpBB Team
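
The post above traces the redirect to a page rule created through the Cloudflare API. As an added example, not part of the original announcement and not phpBB's or Cloudflare's own tooling, the following script audits an exported page-rule list for forwarding rules whose destination leaves an allow-list of owned domains. The JSON shape is assumed from Cloudflare's Page Rules list response, and every rule id, host and function name is a constructed placeholder.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like a Cloudflare Page Rules list response
# (assumed shape: result[].targets[].constraint.value and
# result[].actions[] with id "forwarding_url"). All hosts are placeholders.
SAMPLE = json.loads("""
{"result": [
  {"id": "rule-1", "status": "active",
   "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "forum.example/old/*"}}],
   "actions": [{"id": "forwarding_url", "value": {"url": "https://www.forum.example/new/$1", "status_code": 301}}]},
  {"id": "rule-2", "status": "active",
   "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "download.forum.example/releases/pkg-full.zip"}}],
   "actions": [{"id": "forwarding_url", "value": {"url": "http://files.unrelated.invalid/pkg-full.zip", "status_code": 302}}]},
  {"id": "rule-3", "status": "active",
   "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "forum.example/static/*"}}],
   "actions": [{"id": "cache_level", "value": "cache_everything"}]}
]}
""")

def host_allowed(host, allowed_domains):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def audit_page_rules(rules, allowed_domains):
    """Return findings for forwarding rules that leave the allowed domains."""
    findings = []
    for rule in rules:
        for action in rule.get("actions", []):
            if action.get("id") != "forwarding_url":
                continue  # only redirects are in scope for this audit
            dest = action.get("value", {}).get("url", "")
            parts = urlsplit(dest)
            reasons = []
            if not host_allowed(parts.hostname, allowed_domains):
                reasons.append("off-domain destination")
            if parts.scheme != "https":
                reasons.append("non-HTTPS destination")
            if reasons:
                patterns = [t["constraint"]["value"] for t in rule.get("targets", [])]
                findings.append({"id": rule["id"], "match": patterns,
                                 "dest": dest, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_page_rules(SAMPLE["result"], {"forum.example"}):
        print(f["id"], f["match"], "->", f["dest"], f["reasons"])
```

Run on a schedule against a fresh export, a non-empty result is a signal to review the account's audit log and rotate the API key.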