Major security problem with phpBB ?!

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Elmer Fudd
Registered User
Posts: 4
Joined: Thu Mar 27, 2008 8:28 pm

Post by Elmer Fudd » Tue May 13, 2008 5:01 am

Anyone have any info on this?

http://www.computerworld.com/action/art ... Id=9084991

Hackers hijack a half-million sites in latest attack
Gregg Keizer

May 12, 2008 (Computerworld) More than half a million Web sites have been compromised in a new round of attacks that hacked domains in order to infect unsuspecting users' PCs with a variety of malware, a security researcher said today.

"This is an ongoing campaign, with new domains [hosting the malware] popping up even this morning," said Paul Ferguson, a network architect at antivirus vendor Trend Micro Inc. "The domains are changing constantly."

According to Ferguson, over half a million legitimate Web sites have been hacked by today's mass-scale attack, only the latest in a string that goes back to at least January. All of the sites, he confirmed, are running "phpBB," an open-source message forum manager.

Ferguson didn't know how the sites were compromised; Trend Micro's investigation is in progress, he said. "We're not sure if it's [because of] improper configuration of phpBB or a vulnerability. Open-source applications like phpBB tend to be targeted quite a bit."

Visitors to a hacked site are redirected through a series of servers, some clearly compromised themselves, until the last in the chain is reached; that server then pings the PC for any one of several vulnerabilities, including bugs in both Microsoft's Internet Explorer and RealNetworks' RealPlayer media player. If any of the vulnerabilities is present, the PC is exploited and malware is downloaded to it.

Some of the compromised sites have been hijacked before, said Ferguson. "Some had recently been used for keyword search ranking manipulation, and others to pitch fake pharmaceuticals or just malware," he said.

Although other research by Trend Micro identified the malware hitting users' PCs as a variant of the Zlob Trojan horse, Ferguson said that more than just one piece of malware is being served. "We're seeing some new stuff coming out of this one," he said.

The last massive site attack was less than three weeks ago, when sites that included government URLs in the U.K. and some domains operated by the United Nations were hacked. At the time, some researchers said that bugs in Microsoft's SQL Server or Internet Information Services server software were to blame. A few days later, however, Microsoft denied responsibility.

Don't expect the run of site infections to stop anytime soon, said Trend Micro's Ferguson. "As long as attacks are tied to site development and as long as sites don't secure their content, we'll see these attacks," he said.

karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK

Re: Major security problem with phpBB ?!

Post by karlsemple » Tue May 13, 2008 5:48 am

Nope, no security problem with phpBB. Not all of the sites were running phpBB for starters, so that article is somewhat inaccurate. Secondly, phpBB was not the point of entry, but phpBB was the best method for the attacker to distribute their malware to the largest number of users, and thus once the attacker compromised a server they tended to target popular community applications on the server. Most important, I guess, is the fact that the only instances we actually came across were all running outdated copies of phpBB 2 :)

Marshalrusty
Project Manager
Posts: 29253
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Re: Major security problem with phpBB ?!

Post by Marshalrusty » Tue May 13, 2008 6:37 am

The problem with articles such as this is that they aim to rile the public, instead of providing information (as it would seem). The headline says:
They're exploiting phpBB open-source forum software, says researcher
That states, quite clearly, that it is phpBB that's being exploited. You would think that they would have some sort of evidence before making such a claim, but upon reading the article you get to:
Ferguson didn't know how the sites were compromised; Trend Micro's investigation is in progress, he said. "We're not sure if it's [because of] improper configuration of phpBB or a vulnerability. Open-source applications like phpBB tend to be targeted quite a bit."
So wait a minute. The article says that they don't know what's going on, but the headline says phpBB is being exploited. Both statements cannot possibly be true. What the article should say is: "We haven't bothered to look into what is actually being exploited, but we're going to make some accusations based on uneducated speculation until someone else figures out what's going on. In the mean time, we suggest you PANIC!"

As Karl said, the malicious code is certainly being added to phpBB pages, but there is nothing whatsoever to point that this is being done through the phpBB software itself. While it's regrettable that phpBB communities are being exploited in such a way, we of course have no way to prevent attacks not made through the software (and we have not received any reports to the contrary to this point).

Furthermore, the article falsely claims that "all of the sites are using phpBB", which is incorrect. They also do not specify a version (or even differentiate between phpBB2 and 3). The numbers being reported are also greatly inflated, as they are likely taken directly from a Google search for some string that appears in the exploit.

All that adds up to this being nothing more than yellow journalism.
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs

Elmer Fudd
Registered User
Posts: 4
Joined: Thu Mar 27, 2008 8:28 pm

Re: Major security problem with phpBB ?!

Post by Elmer Fudd » Tue May 13, 2008 7:20 am

Thanks for the critiques of the article. It did seem a little broad. And I was puzzled by the lack of discussion here if indeed it was a major problem.

Can you comment on the security vulnerability in php the second commenter discussed? I am new to this in the last few months (web site design, security, forums, et al.). I have coded my own web site (www.prudentnews.com) and added a phpBB forum, but the finer points of site security escape me. His comment is over my head. I tried to find the variable in phpMyAdmin he mentioned but could not.

Thanks!

"SQL injection cannot do what these attacks were after. From what I saw in the previous attack round they are exploiting IE to infect PC's with trojans, installing phishing sites to collect passwords from banks and online payment services and use servers for spam delivery. I found out they used remote script inclusion "feature" in PHP which my hosting provider did enable for whatever incompetent reason. My site was affected by the previous round about a month ago and while I'm a developer I had some trouble tracking what happened. Today just found another site and warned them. Ahh yes and I do use phpBB. And I found out phpBB is extremely badly coded too!"
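Added example, not part of the thread: a small audit of the PHP settings that govern remote script inclusion, as a check a site owner can run on a copy of the host's php.ini. It assumes the "feature" the quoted comment refers to is PHP's `allow_url_fopen` / `allow_url_include` directives (the thread does not name the setting); these live in php.ini, not in phpMyAdmin, and the sample ini text is constructed.

```python
import re

# PHP's built-in values when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0"}
TRUE_VALUES = {"1", "on", "true", "yes"}   # php.ini booleans, case-insensitive

# Constructed samples, not taken from any host mentioned in the thread.
SAMPLE_PERMISSIVE = """[PHP]
allow_url_fopen = On
allow_url_include = On   ; constructed weak setting
"""
SAMPLE_HARDENED = """[PHP]
allow_url_fopen = Off
;allow_url_include = On
"""

def parse_ini(text):
    """Effective value of each watched directive; the last assignment wins."""
    values = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a php.ini comment
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m and m.group(1) in values:           # directive names are case-sensitive
            values[m.group(1)] = m.group(2).strip().strip("\"'")
    return values

def is_on(value):
    return value.strip().lower() in TRUE_VALUES

def audit(text, php_version=(5, 2)):
    """Return 'remote-include', 'remote-fopen-only' or 'ok' for a php.ini text."""
    v = parse_ini(text)
    fopen = is_on(v["allow_url_fopen"])
    if php_version >= (5, 2):
        # allow_url_include exists from PHP 5.2.0 and only works with fopen on.
        remote_include = fopen and is_on(v["allow_url_include"])
    else:
        # Before 5.2.0, allow_url_fopen alone let include/require fetch URLs.
        remote_include = fopen
    if remote_include:
        return "remote-include"
    return "remote-fopen-only" if fopen else "ok"

if __name__ == "__main__":
    for name, ini in (("permissive", SAMPLE_PERMISSIVE), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(ini))
```

On shared hosting the effective values can also be overridden per directory, so compare the result with what `phpinfo()` reports for the forum's own directory.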

Marshalrusty
Project Manager
Posts: 29253
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Re: Major security problem with phpBB ?!

Post by Marshalrusty » Tue May 13, 2008 7:32 am

That user has less of a clue than the author of the article :P

PHP, like any other software, certainly has vulnerabilities. Because it is an open-source product, vulnerabilities become known to the public as soon as they are patched, which makes it all that much more important to stay up to date with their releases. That said, I have not seen any reason to think that the exploit being discussed here has to do with a vulnerability in PHP. Until we, or another organisation, have enough information to attribute the exploit to a specific vulnerability in a specific piece of software, anything said is pure speculation. Always question sources!

With regards to phpBB, we have an incident tracker on this site where users of compromised boards can work together with phpBB team members to identify and patch exploited phpBB boards. Additionally, a security tracker is available for users to report identified vulnerabilities. If a critical issue is found, an update is released and an announcement is made stating that an issue was found, as quickly as is possible. Despite the fact that there haven't been any critical vulnerabilities in phpBB in years, we respond to all reports very seriously and do everything within our power to make sure that nothing is missed.

ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith

Re: Major security problem with phpBB ?!

Post by ToonArmy » Tue May 13, 2008 12:05 pm

Unless you are using outdated software (phpBB or otherwise) there should be nothing to worry about. The link to phpBB seems unsubstantiated, some popular web software with misappropriated reputation for being horribly insecure and the media goes into overdrive.

arod-1
Registered User
Posts: 1327
Joined: Mon Sep 20, 2004 1:33 pm

Re: Major security problem with phpBB ?!

Post by arod-1 » Tue May 13, 2008 6:21 pm

Marshalrusty wrote: So wait a minute. The article says that they don't know what's going on, but the headline says phpBB is being exploited. Both statements cannot possibly be true. What the article should say is: "We haven't bothered to look into what is actually being exploited, but we're going to make some accusations based on uneducated speculation until someone else figures out what's going on. In the mean time, we suggest you PANIC!"
excuse me for saying it here, but that's just bull.

of course it is possible to know that there is a correlation between the list of affected sites and phpbb.
the fact that the person who wrote the article doesn't know or understand the nature of the exploit does not mean that a connection between phpbb and an exploit can't be ascertained.

in the past (specifically around 2.0.6, 2.0.10/11/12/13), phpbb was afflicted by exploits. although the developers were relatively quick to respond, they also reacted in mass denial, which did not contribute anything to phpbb reputation.

i believe those who say that the developers are seriously looking into the situation.
however, reactions like the above are more suitable to fanboys, and IMO should not come from team members.

until you are actually *sure* that these attack(s) have nothing to do with phpbb, you should not criticize those who report the problem, and you definitely should not use expressions like "yellow journalism".

i do not have any specific knowledge of the facts, but it seems that a major attack is going on, that it is a very sophisticated attack, exploiting vulnerabilities in several software packages to create a multi-staged (or multi-tiered) attack where the final targets are end-user pcs, and that there is very strong evidence to suggest that phpbb is used as one of the vectors in this attack.

i agree that it was nicer if the article would identify the exact versions of all the software packages containing vulnerabilities that are exploited here.
probably these facts were not known to the person who wrote the article. suggesting that they should not write it "until they have all the facts" is plain stupid.

you call the accusations "uneducated". however, it doesn't seem that you know more about what's going on than what you read in this article. what does this say about your response?

to summarize: i think you should adjust your attitude to a little bit more PANIC and a little bit less smugness.

Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: Major security problem with phpBB ?!

Post by Kellanved » Tue May 13, 2008 6:48 pm

We are aware of the issue and are looking into it. Despite the high number, we are not seeing an impact on the Incidents Tracker. Moreover, we were so far unable to get our hands on a logfile or other forensic information indicating the vector used.

We are looking into the code, but unless we find the exact vector behind this, there is little worthwhile we can do. And panic is precisely the thing we won't do.

If you have substantial information and/or log files related to the issue, then please share them at once. If you have only the second-hand reports that started circulating in March, then please help us track it down instead of finger-pointing and fearmongering.

Moreover, there is not a single 3.0 affected.
Nocando is in Idontwanna county. No support via PM
