PhpBB And Security



SecurityProNews
Staff Writer
2006-07-28



A WebProWorld member's forum has been hijacked and he has asked for assistance regarding the matter.

The original post by Kgun reads:

Once again my forum, ForumNorway has been hijacked and now it is more serious. Read the content in that link before you continue.

Facts:
1. I have not upgraded to the latest version of phpBB, version 2.0.21. I use version 2.0.19. Do not give the simple answer upgrade to the last version. This problem is more serious. I will not upgrade before this problem is solved or it is documented that the old version of the code is the problem.

2. The code for phpBB is written in PHP by other people, is relatively large, and it is difficult to get an overview without spending much time on it. I do not have that overview. Do not give the simple answer, PHP is not secure, use a BB written in another language.

3. It is possible to steal authentication (passwords etc.) by listening in on the connection to the site by packet sniffing. I doubt that. It is also possible to hijack session IDs and place JavaScript code (e.g. by XSS (cross-site scripting)) on the server where the board code is stored.

4. Does anybody on this forum have a solution to the

Problem: How is it possible for a person to change the code without having the FTP password? Is that stolen or are there other methods by which the problems described in the above thread can happen?

Related threads:
Security in PHP and MySQL

php sessions for storing data

Hiding file part of URLs for security purposes

After five days with no reply, Kgun posts:

No answer so long:

Here is additional information that may be of general interest:

Reply from a man at phpBB.com who tried to help me:

My question:
3. It is possible to steal authentication (passwords etc.) by listening in on the connection to the site by packet sniffing. I doubt that. It is also possible to hijack session IDs and place JavaScript code (e.g. by XSS (cross-site scripting)) on the server where the board code is stored.

Answer:
Most issues with the above come from allowing HTML on the forum software.

If you are up to date with your phpBB then usually they exploit by SQL injection, thus giving them access to the database, making themselves admin and removing other admins. This is a fault with MySQL, not PHP or phpBB.

My question:
4. Does anybody on this forum have a solution to the

Problem: How is it possible for a person to change the code without having the FTP password? Is that stolen or are there other methods by which the problems described in the above thread can happen?

Answer:
This is usually old phpBB code, or SQL injection and Apache web server hacking. Also this can be done by exploiting any mods you might have installed, as some of them have really obvious exploits.

I would also need to check the database for any SQL injection or other strange entries such as hidden admins.

Also your ISP would need to be notified as soon as everything is upgraded and is as secure as possible. They need to know the issues you are having, and get them to look closely at the server logs for your website.

Any changes leave a date and time. With the logs they can track any IP address on your website that was on at the time the hack occurred.

He does eventually get a reply. Go to WebProWorld to read the rest of the thread and contribute your thoughts if you like.
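The two faults the phpBB.com reply points at (request values spliced into SQL in add-on mods, and stored HTML shown back to readers) side by side with their fixes, as an added illustration that is neither code from the thread nor from phpBB; the table name mod_posts and the query parameter t are assumptions.

```php
<?php
// Added illustration, not phpBB or thread code. A mod-style "view topic" handler
// in the two forms the reply contrasts: one with unescaped SQL and raw HTML output,
// one with a bound parameter and output encoding. Table name mod_posts is assumed.
declare(strict_types=1);

// Weak pattern: the kind of "obvious exploit" found in add-on mods.
function view_topic_weak(mysqli $db, array $get): array
{
    // The request value is spliced into the SQL text, so a crafted value changes
    // the query itself instead of being treated as a topic number.
    $sql  = "SELECT post_text FROM mod_posts WHERE topic_id = " . $get['t'];
    $rows = [];
    foreach ($db->query($sql) as $row) {
        // Stored markup is echoed back untouched: any script a poster saved
        // runs in every reader's browser with that reader's session cookie.
        $rows[] = '<div>' . $row['post_text'] . '</div>';
    }
    return $rows;
}

// Hardened form of the same handler.
function view_topic_hardened(mysqli $db, array $get): array
{
    // Validate the id as an integer and reject anything else before touching the database.
    $topicId = filter_var($get['t'] ?? '', FILTER_VALIDATE_INT);
    if ($topicId === false || $topicId < 1) {
        return [];
    }
    // Bound parameter: the value travels separately from the SQL text and
    // can only ever be a number, whatever the user typed.
    $stmt = $db->prepare('SELECT post_text FROM mod_posts WHERE topic_id = ?');
    $stmt->bind_param('i', $topicId);
    $stmt->execute();
    $result = $stmt->get_result();
    $rows = [];
    while ($row = $result->fetch_assoc()) {
        // Encode on output: angle brackets and quotes are shown as text, so
        // post content cannot become script in the reader's browser.
        $rows[] = '<div>' . htmlspecialchars($row['post_text'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
    }
    return $rows;
}
```

Checking the database for unexpected admin rows, as the reply suggests, and reading the web server logs around the modification times remain the detection steps; the hardened handler only closes the two entry points named in the thread.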

About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.

More news_security_news Articles

SecurityProNews: Insider Reports Insider Reports RSS Feed


Get Your Site Submitted for Free in the World's Largest B2B Directory!

Email Address:
* URL:
*
*Indicates Mandatory Field

Terms & Conditions

iEntry Featured Services: Jayde Member Services | Forums | Freeware | Advertise with Us

Virus Warnings

Subscribe to
SecurityProNews FREE!



[ more newsletters ]

article resources
Search Articles:
[advanced search]

WebProWorld.com
Get in-touch with industry experts and leaders
Post your site for review by expert and peers
Ask Security, IT, Development and Design questions

Free Membership: Join Now!

Visit WebProWorld.com

Titan Quest Forum
The #1 Titan Quest forum
Halo 3 Forum
The best Halo, Halo 2, Halo 3 forum
Nintendo Wii
Nintendo Wii news and views
Mac Software
The best in OS X freeware
Graphics Forum
Your source for graphic tutorials
SecurityProNews.com | Breaking eBusiness News Get Your IT Questions Answered - Click Here SecurityProNews News Feeds