What is going on with the phpBB website? Hacked?

Moderators: janis.wd, Senior users

daGrevis
Senior user
Posts: 2343
Joined: 06 Feb 2009, 19:00
Reputation: 0
Location: Rīga, Latvija

What is going on with the phpBB website? Hacked?

Post by daGrevis » 06 Feb 2009, 19:05

It looks like the phpBB website has been hacked!
The notice reads...
Maintenance

We are sorry to report that we have been attacked through a 0-day-exploit in our PHPList installation (responsible for the mailing list about new releases). phpBB.com will remain unavailable while we work to recover. No vulnerabilities have been found in the phpBB software itself.

You can download phpBB here: http://www.ohloh.net/p/phpbb

You can get support at the temporary support forums or on IRC:
chat.freenode.net #phpbb

A more detailed explanation about the incident.

Press Contact: If you need to get in contact with the management, please email phpbb_press (at) marshalrusty (dot) com.

– the phpBB team
As you may already be aware from the message on phpBB.com or the topic in the #phpBB channel on Freenode, we have recently been attacked via a vulnerability in an outdated PHPList installation. The initial attack was performed well before a new version of the software was released or a patch provided. It is important to stress that no vulnerabilities have been found in the phpBB software itself.

We took area51.phpBB.com down along with phpBB.com to ensure integrity and prevent further damage. While we actively work to bring phpBB.com back online, we would also like to inform you of the damage that has been done.

The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.

phpBB3 uses a complex hashing algorithm in order to prevent someone from determining the plaintext value of a password. phpBB2, however, used a much simpler and less secure md5 algorithm to store passwords. This is one of the many reasons why we have decided to no longer support the phpBB2 software. Because hashes cannot be reversed, phpBB3 is set to convert phpBB2 hashes to the new phpBB3 standard during the first user login. Those users who registered while phpBB.com used phpBB2 and did not login on the new phpBB3 board continue to have their password hashes stored in the old format. Passwords stored in the old format are much less secure than those stored in the new format. The attackers have been focusing purely on the passwords stored in the old format.

If the password to your phpBB.com account is used anywhere else (especially with the same username), we strongly recommend that you change it. Using the same password across multiple sites is not security wise and should not be done under any circumstance. Additionally, you should change your password on phpBB.com, when it becomes available.

We apologise for not securing our servers in time to prevent this from happening. This demonstrates how critically important it is to always make sure that you keep up to date with any software that is running on your machine. Intrusion is possible even before a patch is provided to fix a vulnerability. At this time, the team is working around the clock to restore phpBB.com and other resources.

Press Contact: If you need to get in contact with the management, please email phpbb_press (at) marshalrusty (dot) com.

Thank you,

- The phpBB Teams
+ Here...

As I understand it, phpBB's own masterpiece, phpBB3, was not hacked, but rather the modification of it that the official phpBB website was running on...

Your opinion?
Think of how stupid the average person is, and realize half of them are stupider than that. /George Carlin/

http://twitter.com/#!/daGrevis
http://last.fm/user/daGrevis
http://ask.fm/daGrevis

http://dagrevis.lv/
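
The convert-on-first-login approach described in the quoted announcement, sketched as an added PHP example (not phpBB's code and not part of the original post). The function names and the sample row are hypothetical, and PHP's built-in password_hash() stands in for phpBB3's own hashing scheme:

```php
<?php
// Added example: hypothetical names, not phpBB code.

function is_legacy_md5(string $stored): bool
{
    // An unsalted MD5 digest is exactly 32 hex characters.
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Returns [login_ok, replacement_hash_or_null]; the caller persists the
// replacement hash in the user's row.
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        // Constant-time comparison against the old format.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // The plaintext is only available during login, so this is the
        // one moment the weak hash can be replaced with a salted, slow one.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Refresh modern hashes too when the default algorithm or cost changes.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample row: a user who has not logged in since the migration.
$row = ['username' => 'demo', 'hash' => md5('correct horse battery')];

foreach (['wrong guess', 'correct horse battery', 'correct horse battery'] as $attempt) {
    [$ok, $new] = verify_and_upgrade($attempt, $row['hash']);
    if ($ok && $new !== null) {
        $row['hash'] = $new; // write back to the users table here
    }
    printf("%-22s ok=%s legacy=%s\n", $attempt,
        var_export($ok, true), var_export(is_legacy_md5($row['hash']), true));
}
```

Accounts that never log in again keep the weak MD5 hash, which is the exposure the announcement describes.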

foxsk8
Moderator
Posts: 5078
Joined: 22 Feb 2007, 12:33
Reputation: 0
Location: Liepāja, www.notepad.lv

Post by foxsk8 » 06 Feb 2009, 19:11

Ehh. As I have already mentioned here, the phpbb3 version is not fully developed, neither the mods nor the engine itself; it is better to use phpbb version 2.2.23, which you can modify easily and conveniently yourself. As an example I can mention our own portal, which runs on phpbb 2.2.22: it was hacked only once, at the very beginning, back in the best.oo.lv days, when there was no protection on image upload and everything was injected with a PHP shell in an image.

Personally, I do not see anything especially vital or cool in phpbb3 itself that you could not get on phpbb version 2. For those who like an extra, mega-cool admin panel and pointless features, phpbb 3 is just right, but for people who need a forum, some portal where people can communicate, I recommend using phpbb 2 instead. After all, phpbb support is available here too; of course, I myself help only with phpbb version 2, because I have neither studied phpbb 3 in detail nor modified it, so I cannot provide phpbb 3 support.

In terms of skins phpbb 3 is also rather meagre, because it has not yet developed properly. We will see, we have to wait for new releases; maybe it will be usable.
WPX.lV - E-commerce solutions

grisha
E-journalist
Posts: 1130
Joined: 25 Jun 2007, 18:43
Reputation: 0

Post by grisha » 06 Feb 2009, 19:12

As far as is known, it is not the first time...

About security you should ask TEST^,

In any case, nothing is 100% secure. If someone really wants to, they will break in anyway.

foxsk8
Moderator
Posts: 5078
Joined: 22 Feb 2007, 12:33
Reputation: 0
Location: Liepāja, www.notepad.lv

Post by foxsk8 » 06 Feb 2009, 19:12

+1

M
Registered user
Posts: 130
Joined: 15 Sep 2008, 13:08
Reputation: 0

Post by M » 06 Feb 2009, 19:35

Why are you picking on phpbb3 here? It clearly says that no phpbb vulnerability was used. It is silly to praise to the skies software whose support has ended/will end soon and which is no longer being developed. There really is nothing better in the second version of phpbb.

daGrevis
Senior user
Posts: 2343
Joined: 06 Feb 2009, 19:00
Reputation: 0
Location: Rīga, Latvija

Post by daGrevis » 06 Feb 2009, 22:09

Hmm... PhpBB2's official "support" already ended some time ago... :)

I think there is no point in reviving the old argument - which is better, phpBB2 or phpBB3... :D

Of course, phpBB3 is not yet fully "polished" and "showered" with countless MODs and styles, but it is not complete rubbish either, and I personally see a future for it... :)

Creep
Registered user
Posts: 1138
Joined: 09 Feb 2008, 20:06
Reputation: 0

Post by Creep » 06 Feb 2009, 22:13

Mad; easier to modify
Fox: Yeah, that really is a shame, checking the file extension rather than the mime type for image upload.

Loading
E-journalist
Posts: 1632
Joined: 25 Feb 2007, 18:08
Reputation: 1
Location: Liepāja

Post by Loading » 07 Feb 2009, 00:38

daGrevis wrote: I think there is no point in reviving the old argument - which is better, phpBB2 or phpBB3... :D

Wuu
E-journalist
Posts: 2918
Joined: 23 Aug 2008, 10:32
Reputation: 0

Post by Wuu » 07 Feb 2009, 02:34

I have started looking more at punBB; there is nothing superfluous in it at all, and it is very easy to modify without any special knowledge of it :)
And it is not the first time I hear of a website being hacked through image upload; apparently nobody learns from others' mistakes :(

foxsk8
Moderator
Posts: 5078
Joined: 22 Feb 2007, 12:33
Reputation: 0
Location: Liepāja, www.notepad.lv

Post by foxsk8 » 07 Feb 2009, 11:04

It is everyone's free choice what they want to use, whether that is phpbb, or Joomla, or IPB, etc...

There is no arguing about taste. Personally I am satisfied with the phpbb2 engine: everything I need I can build myself, and I do not need support from phpbb, because in reality this phpbb has long since grown from the standard version with both my own modifications and mods written by others, and everything runs excellently. Of course there are a couple of bugs I have not fixed yet, but I will definitely keep using version 2 for some time. There is always the option of moving to a newer version. When it is polished, adapted and thoroughly improved, there will be no doubt and it will be time to look further.

daGrevis
Senior user
Posts: 2343
Joined: 06 Feb 2009, 19:00
Reputation: 0
Location: Rīga, Latvija

Post by daGrevis » 11 Feb 2009, 11:13

Latest news... :)

phpBB.com is back on its feet again... ;)
Welcome back, ladies and gentlemen
Welcome back, ladies and gentlemen :D

As you probably know, we were attacked for unknown reasons by an individual using an exploit against our PHPList installation within hours of the exploit being publicly posted on a well-known exploit site. Facilitated by mistakes and - in retrospect mistaken - performance considerations in our server setup, the attacker was able to steal all email addresses from our mailing list, as well as the password hashes from this board's database. In a reckless act of showmanship, he later posted all this information on a blog.

We urge all our community members to change their passwords as soon as possible. If you have used the same password on any other site, then we strongly recommend changing it there as well.

The public disclosure of private data is an unspeakable attack against all of our users. We cannot comprehend the attacker's motives. The phpBB teams are entirely composed of volunteers working on an honour basis to provide the web with a scalable, secure and user-friendly free forum software. We are not, however, so easily cowed. More so than ever, we are here to create communities with and for our users.

We are greatly pleased to once more provide support in the environment we all love so much. In the past ten days, countless hours have been spent by team members and helpers to restore and sanitise the website and the database. We especially want to thank OSUOSL for providing us with a temporary server for the remainder of the investigation. We welcome everyone to show our community's appreciation by sending them a donation.

We are deeply sorry about the unavailability of the collected resources of phpbb.com and the damage caused. We hope that the improvised support on area51 was enough to keep you all afloat. Let's, once more, make this community the lively place of support, development and discussion it has been for so many years.

Please note that the search is currently unavailable. It will be enabled in the following days.

The phpBB Teams
+ http://www.phpbb.com/community/viewtopi ... &t=1436625

QueenZ
E-journalist
Posts: 744
Joined: 10 Sep 2007, 19:47
Reputation: 0
Location: Rīga/Penkule

Post by QueenZ » 11 Feb 2009, 15:44

So it has been gone for quite a while.. glad about the return :)
[imgl]http://www.max-tv.be/img/logo/977.jpg[/imgl]

http://www.977music.com/

daGrevis
Senior user
Posts: 2343
Joined: 06 Feb 2009, 19:00
Reputation: 0
Location: Rīga, Latvija

Post by daGrevis » 11 Feb 2009, 16:48

Yes, it had already been down for about a week before this topic... ;)
P.S. I am glad too...