[Discuss] [Security] phpBB 3.2.2 Packages Compromised

Marshalrusty
Project Manager
Posts: 29229
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

[Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Marshalrusty » Sat Jan 27, 2018 2:56 am

Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs

John connor
Registered User
Posts: 1608
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by John connor » Sat Jan 27, 2018 4:11 am

Question: was the hash that is displayed for validation also altered? If not, then people who download the packages and compare the hash would, or should I say should, know that the package was not legit.

Marshalrusty
Project Manager
Posts: 29229
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Marshalrusty » Sat Jan 27, 2018 4:31 am

John connor wrote:
Sat Jan 27, 2018 4:11 am
Question: was the hash that is displayed for validation also altered? If not, then people who download the packages and compare the hash would, or should I say should, know that the package was not legit.
The website itself wasn't affected in any way, so the hashes were not altered. Anyone who verified the hash would have known, but realistically very few people do.

John connor
Registered User
Posts: 1608
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by John connor » Sat Jan 27, 2018 8:31 am

Yeah, I can only imagine how few people actually check hashes with downloads that offer them. I always check the hash, especially for my browser (Pale Moon), my FTP client (WinSCP) and anything else that's pretty critical, especially phpBB.

TJK
Registered User
Posts: 71
Joined: Sat Dec 26, 2015 9:10 pm
Name: Tolaso J Kos

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by TJK » Sat Jan 27, 2018 1:16 pm

Why would someone want to affect a forum software package? Anyway, thanks for bringing that to our attention. Luckily I am on the safe side since I had performed an update to 3.2.2 a week ago! :)
LaTeX Greek community
Proper usage of LaTeX creates beautiful ( scientific ) documents

ucv92
Registered User
Posts: 21
Joined: Fri Jan 12, 2018 3:39 pm
Location: CHINA
Name: Andrei

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by ucv92 » Sat Jan 27, 2018 6:29 pm

TJK wrote:
Sat Jan 27, 2018 1:16 pm
Why would someone want to affect a forum software package? Anyway, thanks for bringing that to our attention. Luckily I am on the safe side since I had performed an update to 3.2.2 a week ago! :)
For access to your forum + many more.
Free Ads (Forums, Sites, Shooters Servers, MMORPG Online) - www.reclamagratis.eu
RGOblog - www.reclamagratis.eu/blog
MxHost (Web Hosting) - Mxhost.ro

jstMusa
Registered User
Posts: 40
Joined: Tue Feb 25, 2014 1:19 pm

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by jstMusa » Mon Jan 29, 2018 4:59 pm

John connor wrote:
Sat Jan 27, 2018 8:31 am
Yeah, I can only imagine how few people actually check hashes with downloads that offer them. I always check the hash, especially for my browser (Pale Moon), my FTP client (WinSCP) and anything else that's pretty critical, especially phpBB.
I'm sorry John, can you share/recommend some good "file verification software"?
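The two checks this thread keeps coming back to, comparing a downloaded package against the digest published on phpBB.com (Marshalrusty's point that anyone who verified the hash would have known) and noticing when a download link resolves to a host that is not phpBB's, as an added Python example; it is not the posters' or the phpBB project's own code. The trusted host list, the URLs and the sample package bytes are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse

# Hosts a phpBB download may legitimately resolve to; assumed for this
# example, not an official phpBB list.
TRUSTED_HOSTS = {"www.phpbb.com", "download.phpbb.com"}


def redirect_chain_is_trusted(chain, trusted_hosts=TRUSTED_HOSTS):
    """True only if every hop (the published URL and each Location it led
    to) is HTTPS and on a trusted host; a single off-site hop fails."""
    for url in chain:
        parts = urlparse(url)
        if parts.scheme != "https" or parts.hostname not in trusted_hosts:
            return False
    return bool(chain)


def verify_package(path, expected, chunk_size=1 << 16):
    """expected maps algorithm name -> hex digest copied from the download
    page. Streams the file once; returns (ok, [algorithms that mismatch])."""
    hashers = {name: hashlib.new(name) for name in expected}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    # the published digest must match exactly; case and whitespace are normalised
    bad = [name for name, want in expected.items()
           if not hmac.compare_digest(hashers[name].hexdigest(),
                                      want.strip().lower())]
    return (not bad, bad)


def demo():
    """Constructed sample: genuine bytes and their published SHA-256, then
    the same published digest checked against a tampered copy."""
    genuine = b"phpBB-3.2.2.zip constructed sample bytes\n"
    published = {"sha256": hashlib.sha256(genuine).hexdigest()}
    results = {}
    for label, body in (("genuine", genuine), ("tampered", genuine + b"x")):
        fd, path = tempfile.mkstemp()
        with os.fdopen(fd, "wb") as f:
            f.write(body)
        results[label] = verify_package(path, published)
        os.unlink(path)
    return results
```

For a real download, pass the archive path and the digest copied from the download page to verify_package, and feed the list of URLs your HTTP client followed to redirect_chain_is_trusted; any mismatch or off-site hop means the package should not be installed.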

~Sentinel~
Registered User
Posts: 249
Joined: Tue Jun 03, 2003 3:19 pm

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by ~Sentinel~ » Tue Jan 30, 2018 7:26 pm

This may sound dumb but ... if I back up my config.php and delete all the other files and then upload new ones from a fresh download that I get today, would that take care of any potential problem and be invisible to the functioning of my board?

Froddelaar
Registered User
Posts: 895
Joined: Tue Mar 29, 2016 3:45 am
Location: Aalst (Belgium)
Name: Andy Dm

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Froddelaar » Tue Jan 30, 2018 7:43 pm

~Sentinel~ wrote:
Tue Jan 30, 2018 7:26 pm
This may sound dumb but ... if I back up my config.php and delete all the other files and then upload new ones from a fresh download that I get today, would that take care of any potential problem and be invisible to the functioning of my board?
Only if you downloaded phpBB on that day between those hours:
12:02 PM UTC and 15:03 PM UTC on January 26th
You also need to keep: files, ext, store and images folders
If you believe that you have a malicious package, please email it to security@phpbb.com so that we can check it against the version we obtained. We will likewise let you know if it is affected.
If you have already used the package to install or update a phpBB forum, please file an incident report on our tracker and we will assist with removal of the malicious code. https://tracker.phpbb.com/projects/INCIDENT/
We promote YOUR music on our forum & share everything via social media!
Music is also added to the playlist of
textradio.be!
Mail your single + cover + info to: info@muziekpromo.net or Solidjeuh@textradio.be
===============
Our website: https://www.muziekpromo.net

3Di
Registered User
Posts: 12749
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by 3Di » Tue Jan 30, 2018 7:57 pm

https://www.phpbb.com/community/viewtopic.php?f=14&t=2456896 wrote: Earlier today, we identified that the download URLs for two phpBB packages available on phpBB.com were redirecting to a server that did not belong to us. We immediately took down the links and launched an investigation.

The point of entry was a third-party site. Neither phpBB.com nor the phpBB software were exploited in this attack.
I am sure the following question has been raised by a lot of us..

How did it happen that those links were compromised, then?
Want to compensate me for my interest? Donate
Please PM me only to request paid works. Thx.
Extensions, Scripts, MOD porting, Update/Upgrades
My development's activity º PhpStorm's proud user

thecoalman
Community Team Member
Posts: 2724
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by thecoalman » Tue Jan 30, 2018 9:38 pm

It's an ongoing investigation, 3Di, and no details will be released until it's completed.

~Sentinel~
Registered User
Posts: 249
Joined: Tue Jun 03, 2003 3:19 pm

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by ~Sentinel~ » Tue Jan 30, 2018 10:22 pm

Froddelaar wrote:
Tue Jan 30, 2018 7:43 pm
Only if you downloaded phpBB on that day between those hours:
12:02 PM UTC and 15:03 PM UTC on January 26th
You also need to keep: files, ext, store and images folders
Yes, but assuming that a person did download during that time frame but has since deleted the original file, so can't check the hash of the file. The reason that I ask is because this seems to me to be a rather complete way of making sure that you are OK, so my first thought is that this can't be a good answer because so far nothing I see says that this is a way to make sure that you fix the problem. So is the reason that I am not seeing this being discussed as a possible solution that it is very difficult to do for some users of large boards, or is it that it will not necessarily fix the problem completely? Because I have a small personal simplistic board, and if this would indeed fix everything 100% guaranteed then I can do this. But if it will not fix anything then I won't waste my time.

3Di
Registered User
Posts: 12749
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by 3Di » Tue Jan 30, 2018 11:56 pm

thecoalman wrote:
Tue Jan 30, 2018 9:38 pm
It's an ongoing investigation, 3Di, and no details will be released until it's completed.
We all are aware of that, already.

The question points to
we identified that the download URLs for two phpBB packages available on phpBB.com were redirecting to a server that did not belong to us.... snip .. The point of entry was a third-party site. Neither phpBB.com nor .... snip
Well, since the links are posted at .com, I do (the whole web does, I guess) believe there is at least a discrepancy in what has been stated.
It doesn't really matter when we all will know about that; that's just a mystery which deserves an explanation, IMHO.

In order to modify URLs posted on here you need access, right or wrong.

kinerity
Community Team Member
Posts: 1737
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Truscott

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by kinerity » Wed Jan 31, 2018 1:04 am

As Yuriy stated, the point of entry was a third-party site, so phpBB.com and the phpBB software itself were not exploited. As the investigation is still ongoing, more details will be provided when they become available.
Kailey Truscott - Community Team

AmigoJack
Registered User
Posts: 5261
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by AmigoJack » Wed Jan 31, 2018 8:04 am

Marshalrusty wrote: a third-party site
kinerity wrote:
Wed Jan 31, 2018 1:04 am
a third-party site
Which one and how? Downloads are primarily from this website, or is there a reason why SourceForge is not named?
The worst thing about censorship is ███████████
