phpBB Hacked

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

phpBB Hacked

Post by kaisellgren »

Hello,

http://www.phpbb.com

Was hacked lately. I have a very good clue about who this is, so should I turn him in?

http://hackedphpbb.blogspot.com/2009/01 ... older.html

The name place-holder was even taken from my upcoming book -.-
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: phpBB Hacked

Post by John Cartwright »

I applaud his efforts for exposing a vulnerability. I condemn him for sharing the personal information of users on the internet.

I hope he goes to jail.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: phpBB Hacked

Post by Benjamin »

Yeah, I think it's neat how he was able to get root, but posting the database online was just plain ignorant. If he was really good, no one would have ever known he was in there.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: phpBB Hacked

Post by VladSun »

astions wrote:Yeah, I think it's neat how he was able to get root, but posting the database online was just plain ignorant. If he was really good, no one would have ever known he was in there.
Did he get root? I don't think so.
There are 10 types of people in this world, those who understand binary and those who don't
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: phpBB Hacked

Post by Benjamin »

He had the /etc/passwd file, close enough if he didn't. Also had numerous other system passwords.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: phpBB Hacked

Post by VladSun »

/etc/passwd is world-readable - it's not interesting, while /etc/shadow is more interesting, but it's root-only readable.
I think all of the passwords mentioned there are just PHPBB* user passwords, not system ones (except for some DB passwords).
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: phpBB Hacked

Post by Benjamin »

I see your point, I think the point to consider is that he was able to access the database which allowed him to peruse user data.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: phpBB Hacked

Post by alex.barylski »

phpList...I have looked at/attempted to modify that codebase so many times in the past only to bang my head against a hard desk...LOL...I'm amazed anyone other than the original developer could find security holes. At the same time, I'm not even slightly surprised it's full of exploits.

Posting user details on the Internet was just ghey...it would have been respectable to inform the devs (phpList and phpBB) and ask for some kind of recognition that he could use on a resume or something.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: phpBB Hacked

Post by Benjamin »

kaisellgren wrote:so should I turn him in?
Might as well just turn him in for being a moron and posting user details. It would be different if it was a video game, source code or something.
André D
Forum Commoner
Posts: 55
Joined: Thu Aug 28, 2008 7:03 pm

Re: phpBB Hacked

Post by André D »

This clearly violates responsible vulnerability disclosure. I only skimmed over the post, but I didn't see anything about him trying to notify the software vendors of the exploit before he told the world about it.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: phpBB Hacked

Post by matthijs »

I'm no lawyer but posting thousands of people's personal data (emails, usernames etc) online is certainly illegal in most countries.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: phpBB Hacked

Post by Mordred »

While the guy did a stupid thing with those passwords, the phpBB guys did an even stupider thing with not following phpList news. It's a bad thing to have an unpatched 0day for two weeks (WTF by the way - two weeks to patch a RFI?), but well, no one can be (well) protected against 0days. To leave a known vulnerability for two days on a high-profile site is just plain stupid.

Also, while I don't condone the actions of this guy, these passwords will come in handy for my research. :twisted:

Kai, I didn't understand: what hints did you get at who this guy is?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: phpBB Hacked

Post by josh »

Did he actually interrupt anyone's life? Doesn't sound like it. I think he should have to pay up for the costs of any monetary damage he did.