[Discuss] [Security] phpBB 3.2.2 Packages Compromised

Marc
Development Team Leader
Posts: 5340
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Marc » Wed Jan 31, 2018 10:50 am

We will post an update with more details once the third-party site has finished its investigation.
Please refrain from trying to guess any involved parties or trying to draw conclusions.
Our detailed investigation has confirmed what has been stated in the announcement.

Boardtalk.net
Registered User
Posts: 1185
Joined: Fri Jun 05, 2009 8:12 pm
Location: Ireland
Name: Colette
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Boardtalk.net » Fri Feb 02, 2018 12:01 am

That's a little unnerving to say the least.

John connor
Registered User
Posts: 1825
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by John connor » Tue Feb 06, 2018 1:32 pm

jstMusa wrote:
Mon Jan 29, 2018 4:59 pm
John connor wrote:
Sat Jan 27, 2018 8:31 am
Yeah, I can only imagine how few people actually check hashes with downloads that offer them. I always check the hash, especially for my browser (Pale Moon), my FTP client (WinSCP), and anything else that's pretty critical, especially phpBB.
I'm sorry John, can you share/recommend some good "file verification software"?
Use HashCalc. http://www.slavasoft.com/hashcalc/

All you do is point HashCalc to the download and it will give you the hashes. I just look at the first four characters and last four characters for verification.

jstMusa
Registered User
Posts: 40
Joined: Tue Feb 25, 2014 1:19 pm

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by jstMusa » Thu Feb 08, 2018 1:38 pm

John connor wrote:
Tue Feb 06, 2018 1:32 pm
jstMusa wrote:
Mon Jan 29, 2018 4:59 pm


I'm sorry John, can you share/recommend some good "file verification software"?
Use HashCalc. http://www.slavasoft.com/hashcalc/

All you do is point HashCalc to the download and it will give you the hashes. I just look at the first four characters and last four characters for verification.
Thanks man. I will try it.

Sajaki
Registered User
Posts: 1350
Joined: Mon Mar 02, 2009 1:41 pm
Name: Andreas
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Sajaki » Thu Feb 08, 2018 2:05 pm

try openssl sha -sha256 <file>
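
Added example, not part of any post in this thread: a shell function that checks a download against a published SHA-256 by comparing the full 64-character digest. The function names are hypothetical, and it assumes one of `sha256sum`, `shasum` or `openssl` is installed.

```shell
# Added example (not from the thread); function names are hypothetical.

# Print the lowercase hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        # openssl prints "...(stdin)= <hex>"; the digest is the last field
        openssl dgst -sha256 < "$1" | awk '{print $NF}'
    fi
}

# verify_download FILE PUBLISHED
# PUBLISHED is a bare digest or a "digest  filename" checksum line.
# Returns 0 on match, 1 on mismatch, 2 if the input is unusable.
verify_download() {
    local file expected actual
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Keep only the digest field and normalise it to lowercase.
    expected=$(printf '%s\n' "$2" | awk 'NR==1 {print tolower($1)}')

    # A SHA-256 digest is exactly 64 hex characters; refuse anything shorter,
    # so a partial value can never be accepted as "matching".
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "published value is not a full SHA-256 digest" >&2
        return 2
    fi

    actual=$(sha256_of "$file")
    [ -n "$actual" ] || { echo "could not hash $file" >&2; return 2; }

    # Compare every character of the digest, not just its ends.
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file"
    echo "  published: $expected"
    echo "  computed:  $actual"
    return 1
}
```

Take the published digest from a channel separate from the download itself where possible, since a digest served alongside a tampered file can be tampered with too.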

John connor
Registered User
Posts: 1825
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by John connor » Thu Feb 08, 2018 3:33 pm

Sajaki wrote:
Thu Feb 08, 2018 2:05 pm
try openssl sha -sha256 <file>
That's just all dorkafied when you can just run a simple small program.

david63
Jr. Extension Validator
Posts: 15046
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by david63 » Fri Feb 16, 2018 7:02 pm

In view of the latest announcement of the cause of the problem it strikes as yet another reason to avoid Cloudflare at all costs - what other issues have there been that users may not have been aware of? What other problems may there be waiting to happen?
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

RMcGirr83
Recognised Extension Developer
Posts: 20987
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by RMcGirr83 » Fri Feb 16, 2018 7:56 pm

david63 wrote:
Fri Feb 16, 2018 7:02 pm
In view of the latest announcement of the cause of the problem it strikes as yet another reason to avoid Cloudflare at all costs - what other issues have there been that users may not have been aware of? What other problems may there be waiting to happen?
:+1:
In times of change, learners inherit the earth, while the learned find themselves beautifully equipped to deal with a world that no longer exists - Eric Hoffer
Former Modifications/Extensions Team Member | My extensions
Appreciate the extensions/mods/support then buy me a beer
All requests for support via PM will be ignored

John connor
Registered User
Posts: 1825
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by John connor » Sat Feb 17, 2018 2:03 am

david63 wrote:
Fri Feb 16, 2018 7:02 pm
In view of the latest announcement of the cause of the problem it strikes as yet another reason to avoid Cloudflare at all costs - what other issues have there been that users may not have been aware of? What other problems may there be waiting to happen?
What does CloudFlare have anything to do with this? I have been running CloudFlare from the first time I installed phpBB and have had no issues whatsoever. You just have to know how to use it. If you don't, you will have a bad experience. Plus, you always have to remember there are two caches instead of one.

david63
Jr. Extension Validator
Posts: 15046
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by david63 » Sat Feb 17, 2018 2:06 am

John connor wrote:
Sat Feb 17, 2018 2:03 am
What does CloudFlare have anything to do with this?
Everything. Have you read the latest update? If not, I suggest you do, and then maybe you will reassess the use of Cloudflare.

John connor
Registered User
Posts: 1825
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by John connor » Sat Feb 17, 2018 2:10 am

Okay, I see it here: viewtopic.php?f=14&t=2456896

It sounds like the account was hacked as no one should be able to get into your account without the password. I for one have 2FA on CloudFlare and my DNS provider. I also use DNSSEC.

CloudFlare can help mitigate many attacks. Especially if your origin server IP is never known and all IPs are blocked except CloudFlare's. This forces a so-called hacker to jump through a CloudFlare IP.

Marc
Development Team Leader
Posts: 5340
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Marc » Sun Feb 18, 2018 6:35 pm

API access with an API key does not require a login to the Cloudflare account; 2FA has no effect on that either. There was no login to our account.
DNSSEC wouldn't have changed anything as the DNS info was not forged or manipulated but rather just modified.

John connor
Registered User
Posts: 1825
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by John connor » Mon Feb 19, 2018 2:19 am

How in the world did he get the API key?

Mick
Support Team Member
Posts: 20332
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Post by Mick » Mon Feb 19, 2018 9:45 am

Has anyone (non-team) spoken to Cloudflare about this?
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.

