Forums

Insert a topic with an ID corresponding to the ID of the missing posts and a forum ID corresponding to an existing forum.

Well, that script is vulnerable to SQL injection via a forged X_FORWARDED_FOR or CLIENT_IP header.

You can modify the PUN_ROOT defines in the admin files, so that's not a big deal.

If the compromise came from FluxBB, there must be more to the logs. The first requests the "hacker" makes according to these logs are to the index page, then to the login page, at which point they have admin access (which means they logged in to an account that has admin access).

The 200 responses make sense: a request is being made to FluxBB's viewtopic.php file with a query string, so the page returns a 200 response.

That being said, none of the logs you've posted indicate a compromise of any kind. Given the nature of the breach and your environment, is it possible that another site on your host was compromised, which gave the attacker the ability to access your files/database?

There has to be more to the log than that. Those pages all return 404 and there's nothing exploitable there.

Reines: The name should be a quoted string but it currently isn't. For non UTF-8 emails, if the name has a comma, things are going to be odd.

UPDATE topics SET forum_id=[SOME NUMBER] WHERE forum_id=0

Replace forum_id with the ID of a valid forum

Not having any notion of order is a big problem: dependencies between plugins are very important.

And I'd be interested to see benchmarks showing a significant performance difference between object oriented and procedural PHP in this specific instance.

Just use a relative URL?

You said

And I said the call to pun_mail needs to be updated.

I made the same change as jejeje on PunBB-Hosting many years ago, since I was running into issues as well.

What are the practical implications of it though? If you're using the last modified timestamps to tell you when to update a file, you're probably better off using Git and letting it take care of updates and merges for you.