Hacker News
PhpBB's site hacked
27 points by geuis on Feb 2, 2009 | 8 comments



Here's some more information:

http://area51.phpbb.com/phpBB/viewtopic.php?f=71&t=29973...

http://community.mybboard.net/thread-44513-page-1.html

phpBB.com website was hacked through a vulnerability in an outdated version of a third-party script called PHPList. PHPList is used to manage the Mailing list on phpBB.com (the website). The hacker got in and compromised the rest of the server through that vulnerability including the phpBB.com forums. Information about this vulnerability and the security update that patches it is here: http://www.phplist.com/?lid=274 If you or anyone you know is running PHPList, it is vital that you notify them of the security update immediately. It is important to note that the phpBB.com website was not hacked through a phpBB(3) vulnerability and there are still no known vulnerabilities within phpBB3. phpBB.com is back online which explains this in summary. (If you previously visited phpBB.com, you may need to refresh your DNS cache to see the site).

Except that it isn't back online yet.


This sucks. I've been a fan of phpBB for a while now as a free bulletin board, and it always sucks when some asshole hacks your site and screws stuff up for a while.

I know they should've kept the installation up to date, but you could probably say that about tons of other companies.


The attack took place on January 14th, per the blog. The patch was released on January 29th, per this:

http://www.phplist.com/?lid=274

Based on that, they very well could have been up-to-date when they were hacked. As such, to chide them on it seems inappropriate.


I'm pretty surprised it wasn't hacked via a vulnerable installation of phpBB.


Contrarily, I would have been surprised had it been hacked through a vulnerability in PHP, for two reasons.

1) As the custodian of the forum software, I wouldn’t expect them to keep a vulnerable edition of the software on the production server.

2) PHPBB3 is assumed to have come of age compared to the notoriety that PHPBB2 was.


What does that say about your assumptions about phpBB?


I ended up shutting down my phpBB forum because it took too much time to weed out all the porn and spam. Forum is now a Yahoo group and I have had no problems.


phpbb2 and phpbb3 are worlds apart.

A forum I 'run' for a client used to get up to 200 spam users a DAY with phpbb2, but since upgrading to phpbb3, it's not had a single one.



