[Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Sat Jan 27, 2018 2:56 am
by Marshalrusty

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Sat Jan 27, 2018 4:11 am
by John connor
Question: was the hash that is displayed for validation also altered? If not, then people who download the packages and compare the hash would know, or should I say should know, that the package was not legit.

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Sat Jan 27, 2018 4:31 am
by Marshalrusty
John connor wrote:
Sat Jan 27, 2018 4:11 am
Question: was the hash that is displayed for validation also altered? If not, then people who download the packages and compare the hash would know, or should I say should know, that the package was not legit.
The website itself wasn't affected in any way, so the hashes were not altered. Anyone who verified the hash would have known, but realistically very few people do.
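The check discussed above, as an added example that is not from any poster in this thread: it assumes the hash shown on the download page is a SHA-256 digest and compares it with the digest of the file actually received; a download that was redirected elsewhere, as in this incident, would not match. The file and "published" digest below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded package against the
# SHA-256 shown on the download page. A redirected download would produce a
# different digest from the one published on phpBB.com.

# Compute the SHA-256 of a file with whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_package FILE EXPECTED_HASH -> status 0 on match, 1 otherwise.
# The expected digest is lower-cased so a pasted upper-case value still verifies.
verify_package() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demonstration on a constructed file standing in for the real package; the
# "published" digest is simply the SHA-256 of the text "hello" plus a newline.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/package.zip"
PUBLISHED_HASH=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_package "$demo_dir/package.zip" "$PUBLISHED_HASH" || true
# A tampered download: one extra byte changes the digest entirely.
printf 'hello!\n' > "$demo_dir/tampered.zip"
verify_package "$demo_dir/tampered.zip" "$PUBLISHED_HASH" || true
rm -rf "$demo_dir"
```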

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Sat Jan 27, 2018 8:31 am
by John connor
Yeah, I can only imagine how few people actually check hashes with downloads that offer them. I always check the hash, especially for my browser (Pale Moon), my FTP client (WinSCP) and anything else that's pretty critical, especially phpBB.

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Sat Jan 27, 2018 1:16 pm
by TJK
Why would someone want to affect a forum software package? Anyway, thanks for bringing that to our attention. Luckily I am on the safe side since I had performed an update to 3.2.2 a week ago! :)

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Sat Jan 27, 2018 6:29 pm
by ucv92
TJK wrote:
Sat Jan 27, 2018 1:16 pm
Why would someone want to affect a forum software package? Anyway, thanks for bringing that to our attention. Luckily I am on the safe side since I had performed an update to 3.2.2 a week ago! :)
For access to your forum + many more.

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Mon Jan 29, 2018 4:59 pm
by jstMusa
John connor wrote:
Sat Jan 27, 2018 8:31 am
Yeah, I can only imagine how few people actually check hashes with downloads that offer them. I always check the hash, especially for my browser (Pale Moon), my FTP client (WinSCP) and anything else that's pretty critical, especially phpBB.
I'm sorry John, can you share/recommend some good "file verification software"?

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Tue Jan 30, 2018 7:26 pm
by ~Sentinel~
This may sound dumb but ... if I back up my config.php and delete all the other files and then upload new ones from a fresh download that I get today, would that take care of any potential problem and be invisible to the functioning of my board?

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Tue Jan 30, 2018 7:43 pm
by </Solidjeuh>
~Sentinel~ wrote:
Tue Jan 30, 2018 7:26 pm
This may sound dumb but ... if I back up my config.php and delete all the other files and then upload new ones from a fresh download that I get today, would that take care of any potential problem and be invisible to the functioning of my board?
Only if you downloaded phpBB on that day between those hours:
12:02 PM UTC and 15:03 PM UTC on January 26th
You also need to keep: files, ext, store and images folders
If you believe that you have a malicious package, please email it to security@phpbb.com so that we can check it against the version we obtained. We will likewise let you know if it is affected.
If you have already used the package to install or update a phpBB forum, please file an incident report on our tracker and we will assist with removal of the malicious code. https://tracker.phpbb.com/projects/INCIDENT/

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Tue Jan 30, 2018 7:57 pm
by 3Di
https://www.phpbb.com/community/viewtopic.php?f=14&t=2456896 wrote: Earlier today, we identified that the download URLs for two phpBB packages available on phpBB.com were redirecting to a server that did not belong to us. We immediately took down the links and launched an investigation.

The point of entry was a third-party site. Neither phpBB.com nor the phpBB software were exploited in this attack.
I am sure the following question was raised for a lot of us:

How did it happen that those links were compromised, then?

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Tue Jan 30, 2018 9:38 pm
by thecoalman
It's an ongoing investigation 3Di and no details will be released until it's completed.

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Tue Jan 30, 2018 10:22 pm
by ~Sentinel~
Froddelaar wrote:
Tue Jan 30, 2018 7:43 pm
Only if you downloaded phpBB on that day between those hours:
12:02 PM UTC and 15:03 PM UTC on January 26th
You also need to keep: files, ext, store and images folders
Yes but, assuming that a person did download during that time frame but has since deleted the original file so can't check the hash of the file. The reason that I ask is because this seems to me to be a rather complete way of making sure that you are OK so my first thought is that this can't be a good answer because so far nothing I see says that this is a way to make sure that you fix the problem. So is the reason that I am not seeing this being discussed as a possible solution that it is very difficult to do for some users of large boards or is it that it will not necessarily fix the problem completely? Because I have a small personal simplistic board and if this would indeed fix everything 100% guaranteed then I can do this. But if it will not fix anything then I won't waste my time.

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Tue Jan 30, 2018 11:56 pm
by 3Di
thecoalman wrote:
Tue Jan 30, 2018 9:38 pm
It's an ongoing investigation 3Di and no details will be released until it's completed.
We all are aware of that, already.

The question points to
we identified that the download URLs for two phpBB packages available on phpBB.com were redirecting to a server that did not belong to us.... snip .. The point of entry was a third-party site. Neither phpBB.com nor .... snip
Well, since the links are posted at .com, I do (the whole web does, I guess) believe there is at least a discrepancy in what has been stated.
It doesn't really matter when we all will know about that; that's just a mystery which deserves an explanation, IMHO.

In order to modify URLs posted on here you need access, right or wrong.

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Wed Jan 31, 2018 1:04 am
by kinerity
As Yuriy stated, the point of entry was a third-party site, so phpBB.com and the phpBB software itself were not exploited. As the investigation is still ongoing, more details will be provided when they become available.

Re: [Discuss] [Security] phpBB 3.2.2 Packages Compromised

Posted: Wed Jan 31, 2018 8:04 am
by AmigoJack
Marshalrusty wrote: a third-party site
kinerity wrote:
Wed Jan 31, 2018 1:04 am
a third-party site
Which one and how? Downloads are primarily from this website, or is there a reason why SourceForge is not named?