It looks like the phpBB website
The announcement reads…
We are sorry to report that we have been attacked through a 0-day-exploit in our PHPList installation (responsible for the mailing list about new releases). phpBB.com will remain unavailable while we work to recover. No vulnerabilities have been found in the phpBB software itself.
You can download phpBB here:
You can get support at the temporary support forums or on IRC:
chat.freenode.net #phpbb
A more detailed explanation about the incident.
– the phpBB team
As you may already be aware from the message on phpBB.com or the topic in the #phpBB channel on Freenode, we have recently been attacked via a vulnerability in an outdated PHPList installation. The initial attack was performed well before a new version of the software was released or a patch provided. It is important to stress that no vulnerabilities have been found in the phpBB software itself.
We took area51.phpBB.com down along with phpBB.com to ensure integrity and prevent further damage. While we actively work to bring phpBB.com back online, we would also like to inform you of the damage that has been done.
The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPList and a copy of the phpBB.com users table were then posted publicly.
phpBB3 uses a complex hashing algorithm in order to prevent someone from determining the plaintext value of a password. phpBB2, however, used a much simpler and less secure md5 algorithm to store passwords. This is one of the many reasons why we have decided to no longer support the phpBB2 software. Because hashes cannot be reversed, phpBB3 is set to convert phpBB2 hashes to the new phpBB3 standard during the first user login. Those users who registered while phpBB.com used phpBB2 and did not log in on the new phpBB3 board continue to have their password hashes stored in the old format. Passwords stored in the old format are much less secure than those stored in the new format. The attackers have been focusing purely on the passwords stored in the old format.
If the password to your phpBB.com account is used anywhere else (especially with the same username), we strongly recommend that you change it. Using the same password across multiple sites is not security-wise and should not be done under any circumstance. Additionally, you should change your password on phpBB.com when it becomes available.
We apologise for not securing our servers in time to prevent this from happening. This demonstrates how critically important it is to always make sure that you keep up to date with any software that is running on your machine. Intrusion is possible even before a patch is provided to fix a vulnerability. At this time, the team is working around the clock to restore phpBB.com and other resources.
Press Contact: If you need to get in contact with the management, please email phpbb_press (at) marshalrusty (dot) com.
Thank you,
– The phpBB Teams
As I understand it, the phpBB masterpiece itself, phpBB3, has not been hacked, but rather a modification of it that the official phpBB website was running on…
Your opinion?
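The announcement above describes the pattern that left phpBB2-era accounts exposed: unsalted md5 records are only upgraded when the user next logs in, so dormant accounts keep the weak hash. The following added example (not phpBB's code) models that migrate-on-login flow and a check for how many accounts are still on the legacy format; PBKDF2-HMAC-SHA256 from the standard library stands in for phpBB3's own hashing, and the user table is constructed sample data.

```python
# Added example, not phpBB's code: legacy md5 records are upgraded to a
# salted, iterated hash on the first successful login, and a report lists
# accounts that never logged in and therefore still hold the weak hash.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: iteration count for the stronger scheme


def legacy_hash(password: str) -> str:
    """Unsalted md5 hex digest, the phpBB2-era storage format."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash stored as 'pbkdf2$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format in constant time."""
    if stored.startswith("pbkdf2$"):
        _, salt_hex, _ = stored.split("$")
        candidate = strong_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
    # no prefix: treat the record as a legacy unsalted md5 hex digest
    return hmac.compare_digest(legacy_hash(password), stored)


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, replace a legacy record with a strong one."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith("pbkdf2$"):
        users[username] = strong_hash(password)  # migrate on first login
    return True


def legacy_accounts(users: dict) -> list:
    """Accounts still holding an unsalted md5 hash (the exposed population)."""
    return sorted(u for u, h in users.items() if not h.startswith("pbkdf2$"))


# Constructed sample user table: one never-migrated phpBB2-era account and
# one account already stored in the stronger format.
USERS = {
    "oldtimer": legacy_hash("correct horse"),
    "newcomer": strong_hash("battery staple"),
}
```

Running `legacy_accounts(USERS)` before and after a successful `login(USERS, "oldtimer", ...)` shows the dormant account leaving the exposed set only once its owner actually logs in.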
Personally, I don't see anything particularly vital or cool in phpbb3 itself that you couldn't get on the phpbb 2 version. For those who like an extra mega-cool admin panel and pointless features, phpbb 3 is just the thing, but for people who need a forum, some portal where folks can communicate, I'd recommend using phpbb 2 instead. After all, phpbb support is available here too; by the way, I myself only help with the phpbb 2 version, because phpbb 3 hasn't been studied in detail or modified enough to provide phpbb 3 support.
Phpbb 3 is also fairly meagre in terms of skins, since it hasn't matured properly yet. We'll see; we'll have to wait for new releases, maybe it'll be usable.
About security you'd have to ask TEST^,
Anyway, nothing is 100% secure. If someone really wants to, they'll break in regardless.
I think there's no point digging up the old argument about which is better, phpBB2 or phpBB3… 😀
Of course, phpBB3 isn't fully "polished" yet or "showered" with countless MODs and styles, but it's certainly not complete rubbish and I, personally, see a future for it… 🙂
Fox: Yeah, that's a shame, checking the file extension for image uploads rather than the mime type.
And it's not the first time I've heard of a site being hacked via image upload; apparently nobody learns from others' mistakes 🙁
There's no arguing about taste. Personally, the phpbb2 engine satisfies me; you can build everything you need yourself, and I don't need support from phpbb, because this phpbb has long since grown out of the standard version with both my own modifications and mods written by others, and everything runs great. Of course there are a couple of bugs I haven't fixed yet, but I'll definitely keep using version 2 for a while. There's always the option to move to a newer version. When it's been polished, adapted and properly improved, there'll be no doubt and it'll be time to look further.
phpBB.com is back on its feet again… 😉
Welcome back, ladies and gentlemen
As you probably know, we were attacked for unknown reasons by an individual using an exploit against our PHPList installation within hours of the exploit being publicly posted on a well-known exploit site. Facilitated by mistakes and – in retrospect mistaken – performance considerations in our server setup, the attacker was able to steal all email addresses from our mailing list, as well as the password hashes from this board’s database. In a reckless act of showmanship, he later posted all this information on a blog.
We urge all our community members to change their passwords as soon as possible. If you have used the same password on any other site, then we strongly recommend changing it there as well.
The public disclosure of private data is an unspeakable attack against all of our users. We cannot comprehend the attacker’s motives. The phpBB teams are entirely composed of volunteers working on an honour basis to provide the web with a scalable, secure and user-friendly free forum software. We are not, however, so easily cowed. More so than ever, we are here to create communities with and for our users.
We are greatly pleased to once more provide support in the environment we all love so much. In the past ten days, countless hours have been spent by team members and helpers to restore and sanitise the website and the database. We especially want to thank OSUOSL for providing us with a temporary server for the remainder of the investigation. We welcome everyone to show our community’s appreciation by sending them a donation.
We are deeply sorry about the unavailability of the collected resources of phpbb.com and the damage caused. We hope that the improvised support on area51 was enough to keep you all afloat. Let’s, once more, make this community the lively place of support, development and discussion it has been for so many years.
Please note that the search is currently unavailable. It will be enabled in the following days.
The phpBB Teams
P.S. I'm glad too…