[Discuss] [Security] phpBB 3.2.2 Packages Compromised

Marshalrusty
Project Manager
Posts: 29334
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

[Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Marshalrusty »

🇺🇦 Made in Ukraine, exported to the USA 🇺🇸

Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by 2600 »

Question: was the hash that is displayed for validation also altered? If not then people who download the packages and compare the hash would, or should I say know that the package was not legit.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Marshalrusty »

John connor wrote: Sat Jan 27, 2018 4:11 am Question: was the hash that is displayed for validation also altered? If not then people who download the packages and compare the hash would, or should I say know that the package was not legit.
The website itself wasn't affected in any way, so the hashes were not altered. Anyone who verified the hash would have known, but realistically very few people do.

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by 2600 »

Yeah, I can only imagine how few people actually check hashes with downloads that offer them. I always check the hash, especially for my browser (Pale Moon) my FTP client (WinSCP) and anything else that's pretty critical, especially phpBB.
TJK
Registered User
Posts: 136
Joined: Sat Dec 26, 2015 9:10 pm
Name: Tolaso J Kos

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by TJK »

Why would someone want to affect a forum software package? Anyway, thanks for bringing that to our attention. Luckily I am on the safe side since I had performed an update to 3.2.2 a week ago! :)
Hire me for your update/upgrade forum inquiries or your forum tasks (installation, set up, etc.)
Have I been of any help today? Buy me a beer.
ucv92
Registered User
Posts: 21
Joined: Fri Jan 12, 2018 3:39 pm
Location: CHINA
Name: Andrei

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by ucv92 »

TJK wrote: Sat Jan 27, 2018 1:16 pm Why would someone want to affect a forum software package? Anyway, thanks for bringing that into our attention. Luckily I am on the safe side since I had performed an update to 3.2.2 a week ago! :)
For access to your forum + many more.
Free Ads (Forums, Sites, Shooters Servers, MMORPG Online) - www.reclamagratis.eu
RGOblog - www.reclamagratis.eu/blog
MxHost (Web Hosting) - Mxhost.ro
jstMusa
Registered User
Posts: 40
Joined: Tue Feb 25, 2014 1:19 pm

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by jstMusa »

John connor wrote: Sat Jan 27, 2018 8:31 am Yeah, I can only imagine how few people actually check hashes with downloads that offer them. I always check the hash, especially for my browser (Pale Moon) my FTP client (WinSCP) and anything else that's pretty critical, especially phpBB.
I'm sorry John, can you share/recommend some good "file verification software"?
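An added example, not code from phpBB or from anyone in this thread, showing what a file-verification check actually does: it streams the archive through SHA-256, parses a published `digest  filename` line in the sha256sum format, and compares the two digests in constant time. The sample files and the checksum line are constructed for the demo; the digest is the real SHA-256 of the bytes `hello\n`, not of any phpBB package. The point made earlier in the thread applies: the digest only helps if it comes from a channel separate from the download itself, which is exactly why the unaltered hashes on phpBB.com would have exposed a swapped archive.

```python
"""Verify a downloaded package against its published SHA-256 digest.

Added example (not phpBB's own tooling). The digest must come from a channel
you trust separately from the download, e.g. the release page, never from
the server that served the archive.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large archives never sit in memory


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line: str) -> tuple:
    """Parse one 'DIGEST  filename' line as written by sha256sum / SHA256SUMS.

    Returns (digest, filename). GNU sha256sum may prefix the filename with '*'
    to mark binary mode; that marker is stripped.
    """
    digest, _, rest = line.strip().partition(" ")
    if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError(f"not a SHA-256 digest: {digest!r}")
    return digest.lower(), rest.strip().lstrip("*")


def verify_download(path: str, expected_hex: str) -> bool:
    """True only if the file's digest equals the expected one.

    hmac.compare_digest is constant-time; not strictly needed for a local
    check, but it costs nothing and is the right habit for digest comparison.
    """
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def demo() -> dict:
    """Check two constructed archives against one 'published' checksum line.

    The line below is constructed for this example: it is the real SHA-256 of
    the bytes b"hello\\n", not a digest taken from phpBB.com.
    """
    published = (
        "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
        "  phpBB-example.zip"
    )
    digest, _name = parse_checksum_line(published)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.zip")
        tampered = os.path.join(tmp, "tampered.zip")
        with open(good, "wb") as fh:
            fh.write(b"hello\n")      # matches the published digest
        with open(tampered, "wb") as fh:
            fh.write(b"hello\nX")     # one extra byte is enough to fail
        results["good"] = verify_download(good, digest)
        results["tampered"] = verify_download(tampered, digest)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH, do not install'}")
```

On a Unix host the same check is `sha256sum -c SHA256SUMS` with the archive in the current directory; the script is for when you want the result in code, or on Windows without coreutils.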
~Sentinel~
Registered User
Posts: 268
Joined: Tue Jun 03, 2003 3:19 pm

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by ~Sentinel~ »

This may sound dumb but ... if I back up my config.php and delete all the other files and then upload new ones from a fresh download that I get today, would that take care of any potential problem and be invisible to the functioning of my board?
</Solidjeuh>
Registered User
Posts: 1788
Joined: Tue Mar 29, 2016 3:45 am
Location: Aalst (Belgium)
Name: Andy Dm

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by </Solidjeuh> »

~Sentinel~ wrote: Tue Jan 30, 2018 7:26 pm This may sound dumb but ... if I back up my config.php and delete all the other files and then upload new ones from a fresh download that I get today, would that take care of any potential problem and be invisible to the functioning of my board?
Only if you downloaded phpBB on that day between those hours..
12:02 PM UTC and 15:03 PM UTC on January 26th
You also need to keep: files, ext, store and images folders
If you believe that you have a malicious package, please email it to [email protected] so that we can check it against the version we obtained. We will likewise let you know if it is affected.
If you have already used the package to install or update a phpBB forum, please file an incident report on our tracker and we will assist with removal of the malicious code. https://tracker.phpbb.com/projects/INCIDENT/
3Di
I've Been Banned!
Posts: 17538
Joined: Mon Apr 04, 2005 11:09 pm
Location: I'm with Ukraine 🇺🇦
Name: Marco

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by 3Di »

https://www.phpbb.com/community/viewtopic.php?f=14&t=2456896 wrote: Earlier today, we identified that the download URLs for two phpBB packages available on phpBB.com were redirecting to a server that did not belong to us. We immediately took down the links and launched an investigation.

The point of entry was a third-party site. Neither phpBB.com nor the phpBB software were exploited in this attack.
I am sure the following question was raised for a lot of us..

How did it happen that those links were compromised, then?
🆓 Free support for our extensions also provided here: phpBB Studio
🚀 Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Buy me a coffee
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
thecoalman
Community Team Member
Posts: 5876
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by thecoalman »

It's an ongoing investigation 3Di and no details will be released until it's completed.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by ~Sentinel~ »

Froddelaar wrote: Tue Jan 30, 2018 7:43 pm Only if you downloaded phpBB on that day between those hours..
12:02 PM UTC and 15:03 PM UTC on January 26th
You also need to keep: files, ext, store and images folders
Yes, but assume that a person did download during that time frame but has since deleted the original file, so they can't check the hash of the file. The reason that I ask is because this seems to me to be a rather complete way of making sure that you are OK, so my first thought is that this can't be a good answer, because so far nothing I see says that this is a way to make sure that you fix the problem. So is the reason that I am not seeing this being discussed as a possible solution that it is very difficult to do for some users of large boards, or is it that it will not necessarily fix the problem completely? Because I have a small personal simplistic board, and if this would indeed fix everything 100% guaranteed then I can do this. But if it will not fix anything then I won't waste my time.
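As an added example (not a phpBB tool and not from anyone in this thread), here is a Python script for the replace-everything approach discussed in the two posts above: it compares a live phpBB tree against a freshly downloaded, hash-verified package and lists the files that were modified, added or removed, skipping config.php and the files/, ext/, store/ and images/ folders that the earlier reply says to keep. The directory trees it builds are constructed for the demo. Overwriting the package's files can only restore files the package contains, which is why the "extra" list is the one to read first; the skipped folders still need a separate review.

```python
"""Compare an installed phpBB tree against a freshly downloaded, hash-verified
package and list what differs.

Added example, not a phpBB tool. It assumes the verified package has been
unpacked next to the live tree. The skip list follows the thread: config.php
is site-specific and files/, ext/, store/, images/ hold user data, so they
are excluded here and must be reviewed separately.
"""
import hashlib
import os
import tempfile

# Paths that legitimately differ between a pristine package and a live board.
SKIP = ("config.php", "files/", "ext/", "store/", "images/")


def _skipped(rel: str) -> bool:
    return any(rel == s or rel.startswith(s) for s in SKIP)


def hash_tree(root: str) -> dict:
    """Map each relative path (POSIX separators) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if _skipped(rel):
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(pristine: str, installed: str) -> dict:
    """Return files modified, added or removed in the live tree vs. the package."""
    good, live = hash_tree(pristine), hash_tree(installed)
    return {
        "modified": sorted(p for p in good.keys() & live.keys() if good[p] != live[p]),
        "extra": sorted(live.keys() - good.keys()),    # not in the package: inspect
        "missing": sorted(good.keys() - live.keys()),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed trees: a three-file 'package' and a live copy with drift."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = os.path.join(tmp, "phpBB3-pristine")
        live = os.path.join(tmp, "phpBB3-live")
        for root in (pristine, live):
            _write(root, "index.php", b"<?php // index\n")
            _write(root, "includes/functions.php", b"<?php // functions\n")
            _write(root, "config.php", b"<?php // placeholder config\n")
        # Drift in the live tree: one core file changed, one unexpected file
        # added; config.php and store/ differ too but are skipped by design.
        _write(live, "includes/functions.php", b"<?php // functions\n// changed\n")
        _write(live, "common_helper.php", b"<?php // not in the package\n")
        _write(live, "config.php", b"<?php // real site config\n")
        _write(live, "store/cache.txt", b"site data\n")
        return compare_trees(pristine, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Run it against the real trees by calling `compare_trees("/path/to/unpacked-package", "/path/to/live-board")`; a clean board reports an empty "modified" and "extra" list, and anything listed is what a fresh upload would (modified) or would not (extra) put right.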

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by 3Di »

thecoalman wrote: Tue Jan 30, 2018 9:38 pm It's an ongoing investigation 3Di and no details will be released until it's completed.
We all are aware of that, already.

The question points to
we identified that the download URLs for two phpBB packages available on phpBB.com were redirecting to a server that did not belong to us.... snip .. The point of entry was a third-party site. Neither phpBB.com nor .... snip
Well, since the links are posted at .com, I do (the whole web does, I guess) believe there is at least a discrepancy in what has been stated.
It doesn't really matter when we all will know about that; that's just a mystery which deserves an explanation, IMHO.

In order to modify URLs posted on here you need access, right or wrong.
Kailey
Community Team Leader
Posts: 3735
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Snay

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Kailey »

As Yuriy stated, the point of entry was a third-party site, so phpBB.com and the phpBB software itself were not exploited. As the investigation is still ongoing, more details will be provided when they become available.
Kailey Snay - Community Team Leader
Knowledge Base | Documentation | Community rules

If you have any questions about the rules/customs of this website, feel free to send me a PM.
AmigoJack
Registered User
Posts: 6109
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by AmigoJack »

Marshalrusty wrote: a third-party site
kinerity wrote: Wed Jan 31, 2018 1:04 am a third-party site
Which one and how? Downloads are primarily from this website, or is there a reason why SourceForge is not named?
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28