Attack of the killer BBs

You may have picked this up already but if not, it’s time to think about phpBB and security again. A couple of relevant links – Bot Authors Targeting phpBB Forums and phpBB mass hack being prepared?.

Without wishing to say anything bad about phpBB, I would strongly recommend investigating alternatives. Two of note – FUDforum, whose main developer is Ilia Alshanetsky, author of this PHP security book, and PunBB, which is noteworthy given that these guys use it. Both have tools to help migrate from phpBB.

  • Ed

    That “mass hack” is nothing more than hot air. It’s a spambot, so what? It’s about as likely to occur as Duke Nukem Forever

  • dhn

    Yes, because we all know that everything we read on the internet is true. Seriously, stop spreading unconfirmed rumours.

  • BryceW

    Ultimate bot defence: Visual Confirmation during registration = On

  • Derick

    It still doesn’t make phpBB great software. FUDForum for me any day over this pile of poo.

  • Ed

    Wow, if you say FUDForum > phpBB you really must have no clue.

  • Anonymous

    Haha, you must be Derick Rethans :) Always there to gain some respect from the community :)

    Anyway. This could have happened to any board and all this bot is doing is spamming some anonymous proxy service. It seems to be only ‘attacking’ forums that don’t have visual confirmation. The forums that Harry mentioned don’t seem to have visual confirmation enabled (some ASCII art is not going to stop a bot, nor is email confirmation).

    Calling phpBB ‘a pile of poo’ is not really going to help anyone here. Sure there have been problems with phpBB but that’s the same with the other boards out there, the main problems with phpBB are that it’s used far more than these other boards and it’s also used by a lot of users that install it and then they don’t update it for the next 10 years. Same thing with IE vs FF or Windows vs OS X. One isn’t that much more secure or insecure than the other, it’s mostly a matter of installed userbase.

  • Ah, filling in your account details doesn’t log you in if you just hit ‘submit comment’ :)

  • I know phpBB is very popular and I don’t want to knock it per-se – it’s a project built largely on volunteered time, as far as I know, and it’s successfully produced an application people like to use. For that in itself it deserves a great deal of credit.

    That said, let’s focus on what we know here;

    1. Someone is targeting phpBB: it’s a big enough target to be worth it.

    2. phpBB doesn’t have a good record on security.

    a) There have been a number of significant security problems in the past

    b) From my memory (can’t find a link discussing this), a security hole found around the time of the Santy worm was re-introduced in a later release.

    c) Stefan Esser of Hardened PHP has highlighted issues about the way management of security issues is handled by the phpBB project. Whatever your feelings may be about Stefan, I find the points he’s raised here compelling.

    3. So far this bot has registered a significant number of accounts on forums around the web. In some cases it also posted comments on the forums. So far it appears its only purpose is traffic generation / pagerank.

    But while this stuff isn’t rocket science, this does imply a level of technical expertise from the attacker that could be applied to do more harm than just spamming. If phpBB were to have a security hole that requires an account to exploit, the groundwork has been done.

    At the very least phpBB forum owners need to be made aware, delete anything the bot created and consider measures to defend against it.

    Visual Confirmation during registration = On

    I guess that’s probably a good start.

    4. No major damage has been done yet, other than a little disk space and bandwidth wasted. So to that extent, talking about an impending “mass attack” could be regarded as FUD, were it not for precedents. So getting people to pay this some attention makes sense.

    Otherwise this topic raises the subject of how potential users evaluate Open Source applications, which I’ll do another time.

  • Stefan Esser

    Soon I will post information about another way to bypass phpBB’s register_globals deregistration layer. Unlike the last time this will work on all PHP versions.

    And because the stupid guys at phpBB did not use my patch to fix the signature_bbcode_uid remote code execution issue last time, but came up with their own patch this means this time remote code execution exploits are possible against all phpBB servers running with register_globals=On. (Ohh yeah we know how unlikely this configuration is in reality….)

    (Ohh did I mention, that their security tracker still doesn’t list the vulnerability at all)

  • Harry, don’t tell me you haven’t heard of SimpleMachines Forums?!
    They have a strong record of security!
    Secunia should give you an idea!

  • lajkonik86

    I’m not certain, but I think the bots are able to bypass the visual confirmation thingie in its current state.

  • I am a huge fan of PunBB, it’s a great piece of software. The code is easy to work with as well. There have been some really large security risks, but they are fixed rather quickly and in a timely manner. I’d recommend it to anyone.

  • Ed

    (Ohh did I mention, that their security tracker still doesn’t list the vulnerability at all)

    Maybe because they’re all hidden until a team member decides to write a report for it?

  • Ian T

    Speaking as a developer of a (different) OSS project that uses phpBB on their forum, I have to say that I find the comments here by Stefan far below what I would expect from someone who sells themself as a “security expert”. If you find a security issue, you report it to the developers of that software – you don’t go posting unfounded accusations on random sites.

    I actually took the time to look before posting and I see a line in their changelog noting a security fix with his name against it – hardly unlisted now, is it? Although that said, I see another reporter listed as well, so if Stefan’s attitude was anything like here, I’d not be surprised if they chose to pay more attention to that other reporter than to him. He generally comes over as bitter that someone possibly didn’t listen to him for whatever reason (we don’t know what unless one of the phpBB developers decides to comment) rather than acting anywhere near the impartiality I’d expect to see given what he claims about himself.

    Anyway, rant over; my comment on the original purpose of the article – as one of the others noted, it seems to be a load of hot air. phpBB has a visual confirmation option which stops the majority of the automated registrations in my experience. If people have decided not to use it, that is their choice.

  • zonked

    Ian T – I know you’re deeply and personally offended but:
    1. Stefan Esser actually is a security expert, though it doesn’t surprise me if you don’t know of Hardened-PHP. Seems like a lot of phpBB aren’t aware of security issues in PHP and patches that exist to close the most common holes.

    2. When you know what you’re talking about you can afford an attitude. Nobody is asking phpBB developers to sit down for beers with Stefan, just take into account what he points out. They obviously don’t know what they’re doing and not listening to good advice (even if it’s a bit bitchy) is simply stupid.

    3. It’s not just hot air. I know of at least one site where the whole box got taken over through a phpBB exploit. If you can’t see what other ways there are to exploit this hole aside from spamming then you need to listen instead of rant.

  • I second charmedlover’s last post :D

