[Discuss] [Security] phpBB 3.2.2 Packages Compromised

2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by 2600 »

I'd sure like to know how this is happening so that I can mitigate it.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
Mick
Support Team Member
Posts: 26514
Joined: Fri Aug 29, 2008 9:49 am

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Mick »

Speak to them.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
marktwain
Registered User
Posts: 1
Joined: Tue Feb 20, 2018 1:18 am

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by marktwain »

I've used phpbb for a while, and want to thank the developers for their dedication and the high quality of their work. I know, there is that "Thank you, thank you, thank you!" topic but I figure it may not hurt to mention when I think of this.

I narrowly missed the downloading of this malicious file, so hope all the loopholes are fixed. The update notice caught my attention, which reads:
phpBB.com has never utilized the Cloudflare API and does not have the API key stored on our servers. Cloudflare thoroughly investigated the issue and is confident that security around their API key system has not been compromised.
I feel it natural to think:

Since there is no widespread report of people's Cloudflare APIs being misused, it's most likely that phpBB.com's Cloudflare API key was stolen.

Then did you check who has ever had the chance to possess that key or the password (since it can be used to generate a key)? Are their computers safe? I.e., are they updated with system patches and antivirus definitions, and most importantly, not hacked? Do some of them need to re-image their computers?

Since people do not really put their API keys on the server, I thought the notice above might be more reassuring if it said something like:
All computers that have ever possessed phpBB.com's Cloudflare API key or password are now confirmed to be safe.
This is because sound security is layered. If we solely rely on the additional security measures provided by Cloudflare yet keep a hacked laptop with that key, then the hacker only needs to break that new layer to repeat their attack.

What do you think? I know this post is moderated, and you do not have to publish this post if you don't feel like it, but I hope you will at least circulate it among the relevant phpBB developers and take the necessary steps.

Again, thanks for your hard work!
Marc
Development Team Leader
Posts: 5657
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Marc »

As we mentioned in the announcement and the follow-ups, we've taken an extensive amount of time to investigate and try to track how this was possible. Neither Cloudflare nor we were able to find out how the attacker was able to acquire the API key. The very limited number of team members that had access to our Cloudflare account have, to their knowledge and based on what we were able to track since the creation of our Cloudflare account, never stored the API key anywhere. Of course we also checked for potential signs of intrusions on their machines but were not able to find any traces pointing in that direction.
I'd also like to point out again that there was no login to our account and there is no log of the API key ever being accessed since Cloudflare started logging this.
The API key that was used is no longer active and we have taken the necessary measures to ensure the safety of our Cloudflare account.
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by 2600 »

If team members run Win 10, therein lies the problem. LOL


For the hell of it, check out Stream Armor. Maybe some kind of malware snatched the API key.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
warmweer
Jr. Extension Validator
Posts: 11236
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by warmweer »

John connor wrote: Tue Feb 20, 2018 9:49 am If team members run Win 10, therein lies the problem. LOL
...
Are you implying I should go back to Vista? :lol:
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.


Time flies like an arrow, but fruit flies like a banana.
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by 2600 »

warmweer wrote: Tue Feb 20, 2018 9:54 am
John connor wrote: Tue Feb 20, 2018 9:49 am If team members run Win 10, therein lies the problem. LOL
...
Are you implying I should go back to Vista? :lol:

HAHA No... Use whatever floats your boat. I'm using 7, and will continue to do so for as long as I have my new computer build. I figure by the time I build a new computer some 7-10 years from now and I do go with 10, I install a hardware-based firewall and block all of M$'s ASNs. I don't use updates right now as it is. No, I don't have malware and all that crap. You can update till your little heart's content and that still won't prevent you from having malware. Especially polymorphic malware. I feel like this so-called threat of not updating means you'll get hacked and get malware is a fallacy. I run a pretty tight ship. Part of that involves sandboxie for my applications and Shade Sandbox. I haven't used updates since I ran Win 98se in 20004.


The only reason why I mention 10 as being a problem is that it has a built-in keylogger among other dumb crap. But I digress. I wonder if a team member had malware or you have someone that went rogue.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
Kailey
Community Team Leader
Posts: 3734
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Snay
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Kailey »

Everyone, please keep the discussion to the topic at hand.
Kailey Snay - Community Team Leader
Knowledge Base | Documentation | Community rules

If you have any questions about the rules/customs of this website, feel free to send me a PM.
dingus33
Registered User
Posts: 136
Joined: Fri Sep 29, 2017 11:11 am

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by dingus33 »

could someone please give some information about which file(s) in the packages were compromised?
i can't remember exactly when i downloaded it, and i no longer have the zip.
it would be nice to be able to inspect a file or two and look for the offending code just for sanity's sake.
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by canonknipser »

Just download a fresh copy and compare both packages with a compare program like windiff or similar - you can compare complete folders in one run.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
dingus33
Registered User
Posts: 136
Joined: Fri Sep 29, 2017 11:11 am

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by dingus33 »

good suggestion, but i think potentially not as straightforward as having some small details about the payload.
at least a short string suitable for identification purposes would be nice to have. i don't see the harm in it.

consider the case of someone who is not super familiar with the workings of phpbb. what files should be present, what files might be generated by an extension, etc.
if a board is not running a vanilla phpbb (i.e. there is other junk added), it might be time consuming to assess an 'extra' (not present in the legit phpbb package) file with some obfuscated/minified code.
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by canonknipser »

dingus33 wrote: Thu Feb 22, 2018 6:20 am consider the case of someone who is not super familiar with the workings of phpbb. what files should be present, what files might be generated by an extension, etc.
if a board is not running a vanilla phpbb (i.e. there is other junk added), it might be time consuming to assess an 'extra' (not present in the legit phpbb package) file with some obfuscated/minified code.
So, you don't have a local copy of all those files you pushed to the server?
The files are as essential as the database, you should have backups of both of them!

A short overview of changed and extra files:
Code changes to phpBB are no longer recommended, and if you use them, they should be well documented for your installation, so if there are any changed files, you should have a careful look.

Extension files go in the ext folder, which only contains a phpbb/viglink/ folder on a vanilla installation. Every extension has its own sub-folder (in the form vendorname/extensionname).
Files generated by an extension should normally go in a sub-folder of store.

Style files go in a sub-folder of styles, with prosilver as phpBB's default.

Uploaded attachments go into the files folder (unless otherwise configured in the ACP).

And last, but not least, the images folder with its sub-folders. It contains smilies, uploaded avatars and other images.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
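
Added example, not part of any post in this thread: one way to script the folder comparison suggested above and sort the differences using the folder overview (ext, store, styles, files, images). The bucket names, the script-extension list and the sample trees are assumptions constructed for illustration, not phpBB tooling or real phpBB files.

```python
import hashlib, tempfile
from pathlib import Path

# Folders that, per the overview above, legitimately hold files not in the package.
EXPECTED_EXTRA = ("ext/", "store/", "styles/", "files/", "images/")
UPLOAD_DIRS = ("files/", "images/")       # attachments, avatars, smilies
SCRIPT_EXT = (".php", ".phtml", ".phar")  # assumption: scripts do not belong in upload folders

def sha256_tree(root):
    """Map each file's relative POSIX path under root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_install(reference_dir, installed_dir):
    """Bucket every installed file relative to a freshly downloaded package."""
    ref, inst = sha256_tree(reference_dir), sha256_tree(installed_dir)
    report = {"modified": [], "extra_expected": [], "extra_unexpected": [],
              "script_in_upload_dir": [], "missing": sorted(set(ref) - set(inst))}
    for path, digest in sorted(inst.items()):
        if path in ref:
            if ref[path] != digest:
                report["modified"].append(path)      # package file differs: inspect first
        elif path.startswith(UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXT):
            report["script_in_upload_dir"].append(path)
        elif path.startswith(EXPECTED_EXTRA):
            report["extra_expected"].append(path)    # extensions, styles, uploads
        else:
            report["extra_unexpected"].append(path)  # not in package, not in a known folder
    return report

def demo():
    """Build two small constructed trees (not real phpBB files) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "fresh"), Path(tmp, "live")
        fresh = {"index.php": "<?php // entry", "includes/functions.php": "<?php // core"}
        live = {**fresh, "includes/functions.php": "<?php // core + edit",
                "ext/acme/demo/ext.php": "<?php // extension",
                "images/avatars/upload/a.php": "<?php // odd",
                "helper.php": "<?php // stray"}
        for root, files in ((ref, fresh), (inst, live)):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        return compare_install(ref, inst)

if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

The result is only as trustworthy as the reference copy, so point `reference_dir` at a freshly downloaded package as suggested above; files in `modified` and `extra_unexpected` are the ones to read by hand.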
dingus33
Registered User
Posts: 136
Joined: Fri Sep 29, 2017 11:11 am

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by dingus33 »

canonknipser wrote: Thu Feb 22, 2018 8:49 am
dingus33 wrote: Thu Feb 22, 2018 6:20 am consider the case of someone...
So, you don't have a local copy of all those files you pushed to the server?
The files are as essential as the database, you should have backups of both of them!
that is just a hypothetical person, not me.
i was just explaining why i thought it could only be a good thing to share at least partial info on the payload (enough for ID purposes).

also, that is a good overview. thank you