[Discuss] [Security] phpBB 3.2.2 Packages Compromised

Marc
Development Team Leader
Posts: 5657
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

Post by Marc »

We will post an update with more details once the third-party site has finished its investigation.
Please refrain from trying to guess any involved parties or trying to draw conclusions.
Our detailed investigation has confirmed what has been stated in the announcement.
Boardtalk.net
Registered User
Posts: 1243
Joined: Fri Jun 05, 2009 8:12 pm
Location: Ireland
Name: Colette

Post by Boardtalk.net »

That's a little unnerving to say the least.
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Post by 2600 »

jstMusa wrote: Mon Jan 29, 2018 4:59 pm
John connor wrote: Sat Jan 27, 2018 8:31 am Yeah, I can only imagine how few people actually check hashes with downloads that offer them. I always check the hash, especially for my browser (Pale Moon), my FTP client (WinSCP) and anything else that's pretty critical, especially phpBB.
I'm sorry John, can you share/recommend some good "file verification software"?
Use HashCalc. http://www.slavasoft.com/hashcalc/

All you do is point HashCalc to the download and it will give you the hashes. I just look at the first four characters and last four characters for verification.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
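Checking a download against its published SHA-256 by comparing the entire 64-character digest, as an added example that is not part of any post in this thread. The function names are hypothetical, the sample file and the `NEAR` digest are constructed, and it assumes `sha256sum` or `openssl` is on the PATH.

```shell
# Added example (not from the thread): compare the complete SHA-256 digest.

# Print the hex SHA-256 of FILE; reading via stdin keeps odd file names safe.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r < "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on a full match, 1 on a mismatch, 2 on unusable input.
verify_sha256() {
    [ -f "$1" ] || return 2
    expected=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$expected" ]
}

# ends_match A B: compares only the first four and last four characters,
# included to show what that shortcut accepts.
ends_match() {
    [ "$(printf '%s' "$1" | cut -c1-4)" = "$(printf '%s' "$2" | cut -c1-4)" ] &&
    [ "$(printf '%s' "$1" | cut -c61-64)" = "$(printf '%s' "$2" | cut -c61-64)" ]
}

# Constructed sample: the SHA-256 of a file containing the three bytes "abc".
GOOD=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
# Constructed digest that differs from GOOD only in the middle.
NEAR=ba7816bf8f01cfea000000de5dae2223b00361a396177a9cb410ff61f20015ad

sample=$(mktemp) && printf 'abc' > "$sample"
if verify_sha256 "$sample" "$GOOD"; then
    echo "full digest matches"
fi
if ends_match "$GOOD" "$NEAR" && ! verify_sha256 "$sample" "$NEAR"; then
    echo "first/last four characters agree, full comparison rejects"
fi
rm -f "$sample"
```

For a real download, call `verify_sha256` with the package path and the digest published by the project, and treat any non-zero return as a failed check.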
jstMusa
Registered User
Posts: 40
Joined: Tue Feb 25, 2014 1:19 pm

Post by jstMusa »

John connor wrote: Tue Feb 06, 2018 1:32 pm
jstMusa wrote: Mon Jan 29, 2018 4:59 pm

I'm sorry John, can you share/recommend some good "file verification software"?
Use HashCalc. http://www.slavasoft.com/hashcalc/

All you do is point HashCalc to the download and it will give you the hashes. I just look at the first four characters and last four characters for verification.
Thanks man. I will try it.
Sajaki
Registered User
Posts: 1390
Joined: Mon Mar 02, 2009 1:41 pm
Location: Amsterdam

Post by Sajaki »

try openssl sha -sha256 <file>
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Post by 2600 »

Sajaki wrote: Thu Feb 08, 2018 2:05 pm try openssl sha -sha256 <file>
That's just all dorkafied when you can just run a simple small program.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Post by david63 »

In view of the latest announcement of the cause of the problem it strikes as yet another reason to avoid Cloudflare at all costs - what other issues have there been that users may not have been aware of? What other problems may there be waiting to happen?
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
RMcGirr83
Former Team Member
Posts: 22016
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Post by RMcGirr83 »

david63 wrote: Fri Feb 16, 2018 7:02 pm In view of the latest announcement of the cause of the problem it strikes as yet another reason to avoid Cloudflare at all costs - what other issues have there been that users may not have been aware of? What other problems may there be waiting to happen?
:+1:
Former Modifications/Extensions Team Member | My extensions | github | All requests for support via PM will be ignored
Appreciate the extensions/mods/support then buy me a beer
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Post by 2600 »

david63 wrote: Fri Feb 16, 2018 7:02 pm In view of the latest announcement of the cause of the problem it strikes as yet another reason to avoid Cloudflare at all costs - what other issues have there been that users may not have been aware of? What other problems may there be waiting to happen?
What does CloudFlare have anything to do with this? I have been running CloudFlare from the first time I installed phpBB and have had no issues whatsoever. You just have to know how to use it. If you don't you will have a bad experience. Plus, you always have to remember there are two caches instead of one.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Post by david63 »

John connor wrote: Sat Feb 17, 2018 2:03 am What does CloudFlare have anything to do with this?
Everything. Have you read the latest update? If not, I suggest you do, and then maybe you will reassess the use of Cloudflare.
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Post by 2600 »

Okay, I see it here: viewtopic.php?f=14&t=2456896

It sounds like the account was hacked as no one should be able to get into your account without the password. I for one have 2FA on CloudFlare and my DNS provider. I also use DNSSEC.

CloudFlare can help mitigate many attacks. Especially if your origin server IP is never known and all IPs are blocked except CloudFlare's. This forces a so-called hacker to jump through a CloudFlare IP.
Marc
Development Team Leader
Posts: 5657
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

Post by Marc »

API access with an API key does not require a login to the Cloudflare account; 2FA has no effect on that either. There was no login to our account.
DNSSEC wouldn't have changed anything as the DNS info was not forged or manipulated but rather just modified.
User avatar
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by 2600 »

How in the world did he get the API key?
Mick
Support Team Member
Posts: 26505
Joined: Fri Aug 29, 2008 9:49 am

Post by Mick »

Has anyone (non-team) spoken to Cloudflare about this?
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination. The bad news is, whatever humans can imagine, they can usually create." - Harmony Cobel