[Discuss] [Security] phpBB 3.2.2 Packages Compromised

John connor
Registered User
Posts: 1579
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by John connor » Mon Feb 19, 2018 5:40 pm

I'd sure like to know how this is happening so that I can mitigate it.

Mick
Support Team Member
Posts: 19342
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Mick » Mon Feb 19, 2018 9:06 pm

Speak to them.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi

marktwain
Registered User
Posts: 1
Joined: Tue Feb 20, 2018 1:18 am

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by marktwain » Tue Feb 20, 2018 1:42 am

I've used phpbb for a while, and want to thank the developers for their dedication and the high quality of their work. I know, there is that "Thank you, thank you, thank you!" topic but I figure it may not hurt to mention when I think of this.

I narrowly missed downloading this malicious file, so I hope all the loopholes are fixed. The update notice caught my attention, which reads:
"phpBB.com has never utilized the Cloudflare API and does not have the API key stored on our servers. Cloudflare thoroughly investigated the issue and is confident that security around their API key system has not been compromised."
I feel it is natural to think:

Since there is no widespread report of people's Cloudflare APIs being misused, it's most likely that phpBB.com's Cloudflare API key was stolen.

Then did you check who has ever had the chance to possess that key or the password (since it can be used to generate a key)? Are their computers safe? I.e., are they updated with system patches and antivirus definitions, and most importantly, not hacked? Do some of them need to re-image their computers?

Since people do not really put their API keys on the server, I thought the notice above might be more reassuring if it said something like:
"All computers that have ever possessed phpBB.com's Cloudflare API key or password are now confirmed to be safe."
This is because sound security is layered. If we solely rely on the additional security measures provided by Cloudflare yet keep a hacked laptop with that key, then the hacker only needs to break that new layer to repeat their attack.

What do you think? I know this post is moderated; you do not have to publish this post if you don't feel like it, but I hope you will at least circulate it among the relevant phpBB developers and take the necessary steps.

Again, thanks for your hard work!

Marc
Development Team Leader
Posts: 5290
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Marc » Tue Feb 20, 2018 7:13 am

As we mentioned in the announcement and the follow-ups, we've taken an extensive amount of time to investigate and try to track how this was possible. Neither Cloudflare nor we were able to find out how the attacker was able to acquire the API key. The very limited number of team members that had access to our Cloudflare account have, to their knowledge and based on what we were able to track since the creation of our Cloudflare account, never stored the API key anywhere. Of course we also checked for potential signs of intrusions on their machines but were not able to find any traces pointing in that direction.
I'd also like to point out again that there was no login to our account and there is no log of the API key ever being accessed since Cloudflare started logging this.
The API key that was used is no longer active and we have taken the necessary measures to ensure the safety of our Cloudflare account.
Quickedit for phpBB 3.1
I'm available for custom work - just send me a PM for a quote.

John connor
Registered User
Posts: 1579
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by John connor » Tue Feb 20, 2018 9:49 am

If team members run Win 10, therein lies the problem. LOL


For the hell of it, check out Stream Armor. Maybe some kind of malware snatched the API key.

warmweer
Registered User
Posts: 971
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by warmweer » Tue Feb 20, 2018 9:54 am

John connor wrote:
Tue Feb 20, 2018 9:49 am
If team members run Win 10, therein lies the problem. LOL
...
Are you implying I should go back to Vista? :lol:
A bug is a feature that hasn't made it to the manual (yet)

John connor
Registered User
Posts: 1579
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by John connor » Tue Feb 20, 2018 11:35 pm

warmweer wrote:
Tue Feb 20, 2018 9:54 am
John connor wrote:
Tue Feb 20, 2018 9:49 am
If team members run Win 10, therein lies the problem. LOL
...
Are you implying I should go back to Vista? :lol:

HAHA No... Use whatever floats your boat. I'm using 7, and will continue to do so for as long as I have my new computer build. I figure by the time I build a new computer some 7-10 years from now and I do go with 10, I'll install a hardware-based firewall and block all of M$'s ASNs. I don't use updates right now as it is. No, I don't have malware and all that crap. You can update till your little heart's content and that still won't prevent you from having malware. Especially polymorphic malware. I feel like this so-called threat of not updating means you'll get hacked and get malware is a fallacy. I run a pretty tight ship. Part of that involves Sandboxie for my applications and Shade Sandbox. I haven't used updates since I ran Win 98se in 20004.

The only reason why I mention 10 as being a problem is that it has a built-in keylogger among other dumb crap. But I digress. I wonder if a team member had malware or you have someone that went rogue.

kinerity
Community Team Member
Posts: 1625
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Truscott
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by kinerity » Wed Feb 21, 2018 12:53 am

Everyone, please keep the discussion to the topic at hand.
Kailey Truscott - Community Team

dingus33
Registered User
Posts: 25
Joined: Fri Sep 29, 2017 11:11 am

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by dingus33 » Wed Feb 21, 2018 9:06 pm

could someone please give some information about which file(s) in the packages were compromised?
i can't remember exactly when i downloaded it, and i no longer have the zip.
it would be nice to be able to inspect a file or two and look for the offending code just for sanity's sake.

canonknipser
Registered User
Posts: 1515
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by canonknipser » Wed Feb 21, 2018 9:20 pm

Just download a fresh copy and compare both packages with a compare program like windiff or similar - you can compare complete folders in one run.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

dingus33
Registered User
Posts: 25
Joined: Fri Sep 29, 2017 11:11 am

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by dingus33 » Thu Feb 22, 2018 6:20 am

good suggestion, but i think potentially not as straightforward as having some small details about the payload.
at least a short string suitable for identification purposes would be nice to have. i don't see the harm in it.

consider the case of someone who is not super familiar with the workings of phpbb. what files should be present, what files might be generated by an extension, etc.
if a board is not running a vanilla phpbb (i.e. there is other junk added), it might be time consuming to assess an 'extra' (not present in the legit phpbb package) file with some obfuscated/minified code.

canonknipser
Registered User
Posts: 1515
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by canonknipser » Thu Feb 22, 2018 8:49 am

dingus33 wrote:
Thu Feb 22, 2018 6:20 am
consider the case of someone who is not super familiar with the workings of phpbb. what files should be present, what files might be generated by an extension, etc.
if a board is not running a vanilla phpbb (i.e. there is other junk added), it might be time consuming to assess an 'extra' (not present in the legit phpbb package) file with some obfuscated/minified code.
So, you don't have a local copy of all those files you pushed to the server?
The files are as essential as the database, you should have backups of both of them!

A short overview about changed and extra files:
Code changes to phpbb are not recommended any longer, and if you use them, they should be well documented for your installation, so if there are any changed files, you should have a careful look.

Extension files go in the ext-folder, which only contains a phpbb/viglink/ folder on a vanilla installation. Every extension has its own sub-folder (in the form vendorname/extensionname).
Files generated by an extension should regularly go in a sub-folder of store.

Style files go in a sub-folder of styles, with prosilver as phpBB's default.

Uploaded attachments go into the files-folder (unless otherwise configured in the ACP).

And last, but not least, the image-folder with its subfolders. It contains smilies, uploaded avatars and other images.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
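
The folder comparison suggested above, combined with the overview of where site-specific files normally live, written as an added example (not code from the thread or from phpBB). The function names and the two sample trees are constructed for illustration; `images/` is assumed to be the on-disk name of the image folder.

```python
import hashlib
import tempfile
from pathlib import Path

# Folders the overview above names as holding site-specific files.
USER_CONTENT = ("ext/", "store/", "styles/", "files/", "images/")

def hash_tree(root):
    """Map each file's relative POSIX path to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(installed, reference):
    """Classify differences between a live board and a fresh package."""
    inst, ref = hash_tree(installed), hash_tree(reference)
    extra = sorted(set(inst) - set(ref))
    return {
        # Shipped files whose content differs: review these first.
        "modified": sorted(f for f in inst.keys() & ref.keys() if inst[f] != ref[f]),
        "missing": sorted(set(ref) - set(inst)),
        # Extras where extensions, styles and uploads normally live.
        "extra_expected": [f for f in extra if f.startswith(USER_CONTENT)],
        # Extras anywhere else have no routine explanation.
        "extra_unexpected": [f for f in extra if not f.startswith(USER_CONTENT)],
    }

def write_tree(root, files):
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

def demo():
    """Run the comparison on two small constructed trees (not real phpBB files)."""
    reference = {"index.php": "<?php // stock", "includes/functions.php": "<?php // stock",
                 "styles/prosilver/style.cfg": "name = prosilver"}
    installed = dict(reference)
    installed["includes/functions.php"] = "<?php // stock + altered line"
    installed["ext/acme/demo/ext.php"] = "<?php // extension"
    installed["includes/extra.php"] = "<?php // unexplained"
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, installed)
        write_tree(b, reference)
        return compare(a, b)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

On a real board, pass the installation directory and an unpacked fresh package of the same version to `compare()`; files the board generates at runtime will also show up and need to be judged by hand.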

dingus33
Registered User
Posts: 25
Joined: Fri Sep 29, 2017 11:11 am

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by dingus33 » Thu Feb 22, 2018 9:27 am

canonknipser wrote:
Thu Feb 22, 2018 8:49 am
dingus33 wrote:
Thu Feb 22, 2018 6:20 am
consider the case of someone...
So, you don't have a local copy of all those files you pushed to the server?
The files are as essential as the database, you should have backups of both of them!
that is just a hypothetical person, not me.
i was just explaining why i thought it could only be a good thing to share at least partial info on the payload (enough for ID purposes).

also, that is a good overview. thank you
