phpBB forum package - critical security upgrade
Just a note to anybody out there hosting a forum using phpBB: a few days ago a serious security hole came to light. It allows attackers to do some very nasty things to your server. You should upgrade to the newest version or at the very least follow these quick 'n dirty instructions.
There are many reports of this exploit being used 'in the wild', and there are records of attacks against my boards in my server logs. So upgrade post-haste.
If you want to check your own logs for badness search it for the string 'highlight=%25'
I'm really fed up with this sort of thing happening over and over and over again after we've had Java for nearly 10 years now.
I'd very much like to move towards Java-based forums but the only one I've found so far isn't nearly complete enough yet. Bah.
Cas
Thanks for the heads up, will get upgrading asap
Wooah hold on there. Installation of the new PHPBB completely fails, using the latest Apache HTTPD and PHP5. The "Start Installation" button simply does nothing except clear all your fields out and return you to the same damned page :/
<edit>The latest PHPBB does not work with PHP5. You must use PHP4.
Cas
Last edited by princec; 11-23-2004 at 07:18 AM.
Thanks a lot!
What a pain, like we don't have enough attacks already
pat.
Thanks! Made the fix.
GRRR.
Rampant Games: Games With Personality!
Tales of the Rampant Coyote: Adventures In Indie Gaming
Frayed Knights - a 3D RPG that refuses to take itself seriously.
Thank you for the alert... changed! I would've never known until I was hacked or decided to look for an update to phpbb a year or two down the road.
Does make it a bit of a pain to upgrade ours because 90% of our site runs through its database (me being lazy and not wanting to do a pretty web based text editor), oh well, will have to wait until after the weekend now
I just did the simple fix he linked to - check it out, it's just a one-line change.
Yeah, for sure you have to make the change. The quick instructions is very easy.
You should also take this as an opportunity to change your passwords. This exploit is very nasty. Here's the Anatomy of a hack that should scare you.
Ah its done now, didn't realise it was a simple fix, guess I should have clicked the link instead of just assuming it would be 1/2 hours work
As Dustin mentioned: it's worth searching your server access logs back to November 14th (When the attacks started) for 'highlight=%25'
We found quite a lot of attempts to use the exploit and in some cases they managed to do things like get the kernel id of the server - so they could potentially have done much worse.
I'm just mentioning this because it's easy for us all to think that our relatively small sites are less likely of attack due to relative anonymity on the net. In actual fact, there are large groups of people actively searching for sites running any kind of software with a security bug, and board software is usually easy to find using Google, since forums usually contain a 'power by XXX' footer.
Posting Permissions
Reply With Quote
Mike Hommel