

PhpBB's site hacked - geuis
http://www.phpbb.com/index.php


======
anuraggoel
Here's some more information:

[http://area51.phpbb.com/phpBB/viewtopic.php?f=71&t=29973...](http://area51.phpbb.com/phpBB/viewtopic.php?f=71&t=29973&sid=9d7cb17a409f8ca8bcc62c35748a52af)

<http://community.mybboard.net/thread-44513-page-1.html>

 _phpBB.com website was hacked through a vulnerability in an outdated version
of a third-party script called PHPList. PHPList is used to manage the Mailing
list on phpBB.com (the website). The hacker got in and compromised the rest of
the server through that vulnerability including the phpBB.com forums.
Information about this vulnerability and the security update that patches it
is here: <http://www.phplist.com/?lid=274> If you or anyone you know is running
PHPList, it is vital that you notify them of the security update immediately.
It is important to note that the phpBB.com website was not hacked through a
phpBB(3) vulnerability and there are still no known vulnerabilities within
phpBB3. phpBB.com is back online which explains this in summary. (If you
previously visited phpBB.com, you may need to refresh your DNS cache to see
the site)._

Except that it isn't back online yet.

------
leftnode
This sucks. I've been a fan of phpBB for a while now as a free bulletin board,
and it always sucks when some asshole hacks your site and screws stuff up for
a while.

I know they should've kept the installation up to date, but you could probably
say that about tons of other companies.

~~~
queenzeal
The attack took place on January 14th, per the blog. The patch was released on
January 29th, per this:

<http://www.phplist.com/?lid=274>

Based on that, they very well could have been up-to-date when they were
hacked. As such, to chide them on it seems inappropriate.

------
tdavis
I'm pretty surprised it wasn't hacked via a vulnerable installation of phpBB.

~~~
kailashbadu
Contrarily, I would have been surprised had it been hacked through a vulnerability
in PHP. For two reasons.

1) as the custodian of the forum software, I wouldn’t expect them to keep a
vulnerable edition of the software in the production server.

2) PHPBB3 is assumed to have come of age compared to the notoriety that PHPBB2
was.

------
bbuffone
I ended up shutting down my phpBB forum because it took too much time to weed
out all the porn and spam. Forum is now a Yahoo group and have had no
problems.

~~~
Jem
phpbb2 and phpbb3 are worlds apart.

A forum I 'run' for a client used to get up to 200 spam users a DAY with
phpbb2, but since upgrading to phpbb3, it's not had a single one.

