The Register® — Biting the hand that feeds IT

Feeds

Open sourcey bulletin board offline after hack attack

phpBB coughs up names, addresses, passwords

By Dan Goodin, 4th February 2009
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

The website for one of the net's more popular bulletin board software packages has been taken offline following a security breach that gave an attacker full access to a database containing names, email, address, and hashed passwords for its entire user base.

In a message posted Sunday, administrators of phpBB.com said the attacker gained access through an unpatched security bug in PHPlist, a third-party email application. The miscreant had access for more than two weeks before the breach was discovered, and phpBB remained down at time of writing, more than three days later. Administrators didn't respond to emails seeking comment.

A blogger who claimed to have carried out the attack said that details for more than 400,000 accounts were intercepted. The writer claims to have created a script that was able to crack more than 28,000 passwords hashed using an unsalted MD5 algorithm, before posting them to the internet. The passwords were not accessible at time of writing.

A notice posted to a temporary support forum said that the latest version of phpBB uses "a complex hashing algorithm in order to prevent someone from determining the plaintext value of a password." An earlier version used less secure protection based on MD5. To be protected by the more robust algorithm, users had to have registered or logged into their accounts since the upgrade was made.

The number of users fretting over the breach in this phpBB discussion thread is a testament to the sad fact that many people still use the same password for numerous online accounts. Administrators at phpBB reminded users that isn't a safe practice. They also admitted to making mistakes of their own.

"We apologise for not securing our servers in time to prevent this from happening," they wrote. "This demonstrates how critically important it is to always make sure that you keep up to date with any software that is running on your machine."

phpBB is an open-source software package webmasters use to run discussion forums on their sites. It is based on the PHP language and stands for PHP bulletin board. The breach had nothing to do with phpBB, and there are no known vulnerabilities in the most recent version of the program.

Rather, the attacker gained entry through a recently patched vulnerability in PHPlist, an open-source package for managing newsletters. On January 29, the program was updated to fix a security bug that allowed unauthorized access.

Interestingly, according to the time line provided by both the purported attacker and phpBB, the attack was carried out some two weeks before the PHPlist patch was issued, courtesy of this published exploit.

Sadly, the attack could have been prevented by adding a single line to an administrator's index file. There are some useful lessons that can come out of an autopsy of this breach, especially for fanbois who claim open-source is so much more resistnt to these SNAFUs. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (16)
Latest Comments
Stevie

Bah

Sweet Azathoth's jockstrap, you mean someone now can leave bogus bug reports on phpbb and claim to be someone else? That the actual owner of said phpbb account could be subjected to ridicule by his peers when said bug report is deemed "under-informed" by the cognoscenti?

I can feel the very foundations of civilization crubling as I type.

0
0
Jeremy

@ Ru...

It's less the fact that they basically shoehorned register globals back on (cock up #1) and more the fact that beyond that, they trusted *all* input from the $_request array as valid without verifying any of it (huge cock up #2) that bit them on the arse.

Oh, and carrying out processing on an admin page before authenticating the user too (cock up #3)...

Three proper schoolboy errors if ever I saw them.

Paris because she knows to check her input and never trust it. Maybe.

0
0
amanfromMars

How do patch a Breach/Tear/Trauma?

"The ease of use of any programming language or tool has nothing to do with the level of ease by which it can be exploited to do bad things." ... By Wortel Posted Thursday 5th February 2009 12:49 GMT

And everything to do with the level of ease by which it can XXXXPloit the Situation to do Any Thing you can Imagine is Real.

An Impregnable Tool in the Weapons Armoury/Future Strategic Logistical Stores.

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
135
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15