Hacker attacks phpBB project website


One of the most popular open source bulletin boards, phpBB, has suffered a major security breach that has resulted in the exposure of more than 4 lakh (400,000) e-mail addresses. A hacker obtained access to both the forum and mailing list databases by exploiting an unpatched vulnerability in the PHPlist newsletter software.

phpBB is open source software, widely used all over the world, and is released under the GNU General Public License. At this moment, the phpBB.com website is still offline and an announcement on its main page informs users that "We are sorry to report that we have been attacked through a 0-day-exploit in our PHPList installation (responsible for the mailing list about new releases). phpBB.com will remain unavailable while we work to recover. No vulnerabilities have been found in the phpBB software itself."

In a temporary phpBB support forum, more detail has been posted: "The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly," Marshalrusty, the phpBB Support Team leader, writes. "It is important to stress that no vulnerabilities have been found in the phpBB software itself," he adds.

PHPlist is a separate application and open source project, and is not affiliated with phpBB. The software can be used to create and administer mailing lists. The administrators of the phpBB.com website have been using it to maintain a newsletter system through which they announce updates. A serious vulnerability had been discovered and patched in the PHPlist software, but the phpBB staff were late in deploying the update. "We were only 3 days late, and were compromised as a result of it," a Support Team member, going by the handle "iWisdom," notes.

Meanwhile, an unknown self-declared hacker has set up a blog and taken credit for the security breach. Given his detailed explanation and the proof he offers, consisting of SQL dumps of database tables as well as snippets of the configuration files for both the PHPlist installation and the official phpBB forums, his claim is very likely accurate.

In the single post on the newly created blog, entitled "Hacked PHPBB(dot)COM," the hacker points out that he used a PoC (proof of concept) exploit for the PHPlist vulnerability, which was published on the Milw0rm exploit tracker, and then employed the newly gained server access to break into the phpBB forum database as well. "So I login and see what I can come across, wow 4 lac registered emails, I am sure that will go quick on the black market, sorry people but expect a lot of spam," he adds.

"And now it comes to an end, you may ask why did I do this? For fun mainly, but what I would like to suggest to the team at phpbb is this. If you are going to run third party scripts, either integrate them or keep up to date on their patches," the attacker explains. "phpbb, i did not alter any files on your server, everything i gained access to has been listed in this blog," he maintains.

This incident could easily have been avoided even without upgrading to the new PHPlist version. As explained in an advisory published on the PHPlist website, mitigation can also be achieved by adding a single line to the index.php file of the application. "We apologise for not securing our servers in time to prevent this from happening. This demonstrates how critically important it is to always make sure that you keep up to date with any software that is running on your machine," the phpBB staff note in their communique.
