Half-million phpBB boards hijacked

hcgtv · 2008-05-13 16:44:21

http://www.computerworld.com/action/art … c=hm_topic

Lamonte · 2008-05-13 17:02:24

Thats crazy, *goes to phpBB to see what they talking about*

elbekko · 2008-05-13 17:03:18

Only one word applies here: pwned.

Lamonte · 2008-05-13 17:09:53

LOL..no wonder they are stopping support for phpBB 2

Vovochka · 2008-05-13 17:10:50

LOL
By the way, few times I met thoughts that punbb is security unsafe, but there was no word about phpbb's defects Another people tell about legendary phpbb's bugs.
For about 3 years I'm looking at punbb & phpbb. Well, punbb rocks! For sure! And 1.3 hook system is great, but can become source for vulnerability

Meow · 2008-05-13 17:18:56

Lamonte wrote:

LOL..no wonder they are stopping support for phpBB 2

I think lots of phpBB2 forums aren't the 2.0.23 version.

hcgtv · 2008-05-13 17:19:13

Vovochka wrote:

And 1.3 hook system is great, but can become source for vulnerability

Yes it can, that's why it's a good idea for extensions to be passed through a screening process.

Lamonte · 2008-05-13 19:08:19

hcgtv wrote:

Vovochka wrote:
And 1.3 hook system is great, but can become source for vulnerability
Yes it can, that's why it's a good idea for extensions to be passed through a screening process.

Naw, I don't think so since people can't spot bugs off the bat, but "Commercial" mods on the FluxBB site should have some sort of review, but still there is no way to tell if a mod has a vuln or not, and a screening process would take ages to double check over and over and over hence big scripts take few months just to get on the mod database.

Now you might understand what I mean.

Dr.Jeckyl · 2008-05-13 20:11:35

Lamonte wrote:

hcgtv wrote:
Vovochka wrote:
And 1.3 hook system is great, but can become source for vulnerability
Yes it can, that's why it's a good idea for extensions to be passed through a screening process.
Naw, I don't think so since people can't spot bugs off the bat, but "Commercial" mods on the FluxBB site should have some sort of review, but still there is no way to tell if a mod has a vuln or not, and a screening process would take ages to double check over and over and over hence big scripts take few months just to get on the mod database.
Now you might understand what I mean.

I think the staff here could do it. They're pretty smart around here.

Connor · 2008-05-13 20:44:15

We are going to check code on extensions before hosting them here, although obviously some bugs will get through we can check for obvious security flaws.

Vovochka · 2008-05-13 21:15:52

Connor wrote:

We are going to check code on extensions before hosting them here, although obviously some bugs will get through we can check for obvious security flaws.

Idea:
Make a quarantine place for mods. These mods can only be downloaded by people with eg 50 posts. And these people (NOT ONLY fluxbb developers) can discuss and give advices to mod writer.

Connor · 2008-05-13 21:19:07

Vovochka wrote:

Connor wrote:
We are going to check code on extensions before hosting them here, although obviously some bugs will get through we can check for obvious security flaws.
Idea:
Make a quarantine place for mods. These mods can only be downloaded by people with eg 50 posts. And these people (NOT ONLY fluxbb developers) can discuss and give advices to mod writer.

We have something even better than that planned I think we'll explain our plans more soon.

Jérémie · 2008-05-14 06:42:25

hcgtv wrote:

Vovochka wrote:
And 1.3 hook system is great, but can become source for vulnerability
Yes it can, that's why it's a good idea for extensions to be passed through a screening process.

Note: this issue is starting to get to Firefox (and other Mozilla addons).

I haven't heard yet of an extenstion creating voluntarily a security flaw, but there are several extenstion that gather data and send them to the addon creator for commercial use.

Some kind of screening is definitely a good idea.

It a lot of work, but it's quite helpful for the end-user.

Gotipe · 2008-05-14 11:19:51

Spooky, these h4xx0rs makes me feel uncomfortable now. Some weeks ago, I watched Swedish television where they said some webpages had a changed code or something that made visitors automatically load down shit. Don't know details though, but sure enough was that the webpage owners did not know about it. :S One have to keep heads up.

Jérémie · 2008-05-14 11:23:40

Gotipe wrote:

One have to keep heads up.

Easy: don't use IE.

sirena · 2008-05-14 13:55:46

Jérémie wrote:

Easy: don't use IE.

Or Firefox. Or Opera either. Or Safari especially. All also have experienced a long list of vulns this year alone, especially when they are running all jazzed up to support Java, Flash, various BHO's and plug-ins, and extensions and widgets too.

I recommend sticking to Lynx

Pedro · 2008-05-14 15:26:10

wow... this discussion is one day old and nobody said yet: "don't use internet"

Seriously, punbb 1.2 has dozens of mods, i never heard about big security issued cause by them. The code was posted in the forums, discussed and eventually some would point some potential dangers. Sometimes the author or somebody else would come up with a fix, or a warn would be kept in big letters.

Also, it's recommended to the users not to blindly install dozens of extensions. A quick look at the code and other good sense principles are the best securty.
For example, installing an extension with 5000 lines of code, written by some guy that nowbody heard about and which the code has not been minimally tested... that's obviously different than installing an official extension which has been extensively tested and discussed.

Saying that the extension system is a security flaw gate doesn't really means much, it depends on the extensions, in the same way that having a fluxbb forum comes with more security issues than not having one. ( Potato logic )

As for the mais subject in this thread...
Yaix! That's brutal. I suspect phpbb became a huge messy amalgam of features funcionalities spread in the source code in a rather bizarre and obscure way. Unfortunately this news doesn't surprise me
phpbb definitely went the wrong way, version 3 didn't really measure up to all the ard time version 2 had put into their users.

Last edited by Pedro (2008-05-14 15:26:37)

Gotipe · 2008-05-14 16:35:03

No, I don't load down random things anyhow without knowing, ofc,

Jérémie wrote:

Easy: don't use IE.

Then, I am doomed,

SuperMAG · 2008-05-14 16:43:17

Pedro wrote:

wow... this discussion is one day old and nobody said yet: "don't use internet"
Seriously, punbb 1.2 has dozens of mods, i never heard about big security issued cause by them. The code was posted in the forums, discussed and eventually some would point some potential dangers. Sometimes the author or somebody else would come up with a fix, or a warn would be kept in big letters.
Also, it's recommended to the users not to blindly install dozens of extensions. A quick look at the code and other good sense principles are the best securty.
For example, installing an extension with 5000 lines of code, written by some guy that nowbody heard about and which the code has not been minimally tested... that's obviously different than installing an official extension which has been extensively tested and discussed.
Saying that the extension system is a security flaw gate doesn't really means much, it depends on the extensions, in the same way that having a fluxbb forum comes with more security issues than not having one. ( Potato logic )
As for the mais subject in this thread...
Yaix! That's brutal. I suspect phpbb became a huge messy amalgam of features funcionalities spread in the source code in a rather bizarre and obscure way. Unfortunately this news doesn't surprise me
phpbb definitely went the wrong way, version 3 didn't really measure up to all the ard time version 2 had put into their users.

thats why the devs will review and check every extension before posting it to the download section ....

foxmask · 2008-05-14 22:08:43

hcgtv wrote:

http://www.computerworld.com/action/art … c=hm_topic

phpBB could enter in the guiness book with the record )))

Felix · 2008-05-14 22:24:00

Well, always remember: the more users a software has, the more things appear.
I guess phpBB is one of the most spread board software around and got partially modded very heavily... And many mods of phpBB are crap. They had no hooks and several mods had changes so deep in the phpBB Core that the software couldn't be updated anymore... So instead of deleting the mod and starting again from the bottom, they just let the board run...
And it runs and runs and runs... That is the good side on phpBB... Until the forum is hijacked. The bad side... not directly on phpBB but on the heavily modding.

Half a million got hijacked and I wonder how many millions are still running.

eric235u · 2008-05-15 02:40:49

firefox + noscript = pretty secure surfing.

just for fun...

punbb exploits since 2005-03-29 = 5

phpbb exploits since 2005-04-02 = more than a hundred.

from http://milw0rm.com/search.php

eric235u · 2008-05-15 02:43:47

any thoughts of having a very low traffic email list for notifying users of known exploits and new version releases? it seems like a good idea.

Last edited by eric235u (2008-05-15 02:44:12)

Smartys · 2008-05-15 03:05:12

The point of the hotfix system is that everyone should automatically have the ability to roll out a fix quickly in those cases

Forums

#1 2008-05-13 16:44:21

Half-million phpBB boards hijacked

#2 2008-05-13 17:02:24

Re: Half-million phpBB boards hijacked

#3 2008-05-13 17:03:18

Re: Half-million phpBB boards hijacked

#4 2008-05-13 17:09:53

Re: Half-million phpBB boards hijacked

#5 2008-05-13 17:10:50

Re: Half-million phpBB boards hijacked

#6 2008-05-13 17:18:56

Re: Half-million phpBB boards hijacked

#7 2008-05-13 17:19:13

Re: Half-million phpBB boards hijacked

#8 2008-05-13 19:08:19

Re: Half-million phpBB boards hijacked

#9 2008-05-13 20:11:35

Re: Half-million phpBB boards hijacked

#10 2008-05-13 20:44:15

Re: Half-million phpBB boards hijacked

#11 2008-05-13 21:15:52

Re: Half-million phpBB boards hijacked

#12 2008-05-13 21:19:07

Re: Half-million phpBB boards hijacked

#13 2008-05-14 06:42:25

Re: Half-million phpBB boards hijacked

#14 2008-05-14 11:19:51

Re: Half-million phpBB boards hijacked

#15 2008-05-14 11:23:40

Re: Half-million phpBB boards hijacked

#16 2008-05-14 13:55:46

Re: Half-million phpBB boards hijacked

#17 2008-05-14 15:26:10

Re: Half-million phpBB boards hijacked

#18 2008-05-14 16:35:03

Re: Half-million phpBB boards hijacked

#19 2008-05-14 16:43:17

Re: Half-million phpBB boards hijacked

#20 2008-05-14 22:08:43

Re: Half-million phpBB boards hijacked

#21 2008-05-14 22:24:00

Re: Half-million phpBB boards hijacked

#22 2008-05-15 02:40:49

Re: Half-million phpBB boards hijacked

#23 2008-05-15 02:43:47

Re: Half-million phpBB boards hijacked

#24 2008-05-15 03:05:12

Re: Half-million phpBB boards hijacked

Board footer