phpBB Hacked
Moderator: General Moderators
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
phpBB Hacked
Hello,
http://www.phpbb.com
Was hacked lately. I have a very good clue about who this is, so should I turn him in?
http://hackedphpbb.blogspot.com/2009/01 ... older.html
The name place-holder was even taken from my upcoming book -.-
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: phpBB Hacked
I applaud his efforts for exposing a vulnerability. I condemn him for sharing the personal information of users on the internet.
I hope he goes to jail.
Re: phpBB Hacked
Yeah, I think it's neat how he was able to get root, but posting the database online was just plain ignorant. If he was really good, no one would have ever known he was in there.
Re: phpBB Hacked
astions wrote:Yeah, I think it's neat how he was able to get root, but posting the database online was just plain ignorant. If he was really good, no one would have ever known he was in there.
Did he get root? I don't think so.
There are 10 types of people in this world, those who understand binary and those who don't
Re: phpBB Hacked
He had the /etc/passwd file, close enough if he didn't. Also had numerous other system passwords.
Re: phpBB Hacked
/etc/passwd is world readable - it's not interesting, while /etc/shadow is more interesting, but it's root only readable.
I think all of the passwords mentioned there are just PHPBB* user passwords, not system ones (except for some DB passwords).
There are 10 types of people in this world, those who understand binary and those who don't
Re: phpBB Hacked
I see your point, I think the point to consider is that he was able to access the database which allowed him to peruse user data.
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: phpBB Hacked
phpList...I have looked at/attempted to modify that codebase so many times in the past only to bang my head against a hard desk...LOL...I'm amazed anyone other than the original developer could find security holes. At the same time, I'm not even slightly surprised it's full of exploits.
Posting user details on the Internet was just ghey...it would have been respectable to inform the devs (phpList and phpBB) and ask for some kind of recognition that he could use on a resume or something.
Re: phpBB Hacked
kaisellgren wrote:so should I turn him in?
Might as well just turn him in for being a moron and posting user details. It would be different if it was a video game, source code or something.
Re: phpBB Hacked
This clearly violates responsible vulnerability disclosure. I only skimmed over the post, but I didn't see anything about him trying to notify the software vendors of the exploit before he told the world about it.
Re: phpBB Hacked
I'm no lawyer but posting thousands of people's personal data (emails, usernames etc) online is certainly illegal in most countries.
Re: phpBB Hacked
While the guy did a stupid thing with those passwords, the phpBB guys did an even stupider thing with not following phpList news. It's a bad thing to have an unpatched 0day for two weeks (WTF by the way - two weeks to patch an RFI?), but well, no one can be (well) protected against 0days. To leave a known vulnerability for two days on a high-profile site is just plain stupid.
Also, while I don't condone the actions of this guy, these passwords will come in handy for my research.
Kai, I didn't understand: what hints did you get at who this guy is?
Re: phpBB Hacked
Did he actually interrupt anyone's life? Doesn't sound like it. I think he should have to pay up for the costs of any monetary damage he did