A few days ago phpbb.com was hacked through a super-globals-overwrite vulnerability in PHPList that was used by an attacker for a local file inclusion exploit. [--cut] From the explanation it seems that the PHP installation on phpbb.com was more or less a default one that was not hardened against attacks at all, but I will get into this later.
First I want to shed some light on the super-globals-overwrite vulnerability in PHPList that was wrongly attributed as a local file inclusion vulnerability in so many places (including the PHPList announcement). [...]
------------------------------------
phpBB coughs up names, addresses, passwords
The website for one of the net's more popular bulletin board software packages has been taken offline following a security breach that gave an attacker full access to a database containing names, email, address, and hashed passwords for its entire user base. [...]
------------------------------------
Last phpBB.com temp homepage
Maintenance
We are sorry to report that we have been attacked through a 0-day-exploit in our PHPList installation (responsible for the mailing list about new releases). phpBB.com will remain unavailable while we work to recover. No vulnerabilities have been found in the phpBB software itself.
You can download phpBB here: http://www.ohloh.net/p/phpbb
You can get support at the temporary support forums or on IRC:
chat.freenode.net #phpbb
A more detailed explanation about the incident.
Press Contact: If you need to get in contact with the management, please email phpbb_press (at) marshalrusty (dot) com.
– the phpBB team
------------------------------------
From a topic:
Acyd Burn on Feb 08th, 2009 22:42:31 (UTC+1) wrote: At the moment everything is going quite smoothly. Depending on the time we are able to work on it (we all have day jobs too) I predict(!) 1-3 days. It will definitely not be an additional week.
As you can see, the prediction was right.
(Note: all links to other sites have been removed)