The project website of one of the most popular open source bulletin boards, phpBB, has suffered a major security breach that has resulted in the exposure of 400,000 e-mail addresses. A hacker has obtained access to both the forum and mailing list databases by exploiting an unpatched vulnerability in the PHPlist newsletter software.
The PHP Bulletin Board, better known as phpBB, is one of the most widely used applications for running online forums. The software is open source, released under the GNU General Public License and therefore free of charge. It is written in PHP and supports eight different SQL backends, including the most popular ones.
The phpBB.com website was still offline at the time of writing. An announcement on its main page informs users that "We are sorry to report that we have been attacked through a vulnerability in an outdated PHPList installation. phpBB.com and related sites will remain unavailable while we work to recover."
A more detailed communiqué has been posted on a temporary support forum set up by the phpBB.com admins. "The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly," writes "Marshalrusty," the phpBB Support Team leader. "It is important to stress that no vulnerabilities have been found in the phpBB software itself," he adds.
PHPlist is a separate application and open source project, not affiliated with phpBB. The software is used to create and administer mailing lists, and the administrators of the phpBB.com website have been running it to maintain the newsletter through which they announce updates. A serious vulnerability had been discovered and patched in PHPlist, but the phpBB staff were late in deploying the update. "We were only 3 days late, and were compromised as a result of it," a Support Team member going by the handle "iWisdom" notes.
Meanwhile, an unknown self-declared hacker has set up a blog and taken credit for the security breach. Given his detailed explanation and the proof he offers, consisting of SQL dumps of database tables as well as snippets of the configuration files for both the PHPlist installation and the official phpBB forums, his claim is very likely accurate.
In the single post on the newly created blog, entitled "Hacked PHPBB(dot)COM," the hacker states that he used a PoC (proof of concept) exploit for the PHPlist vulnerability, published on the Milw0rm exploit tracker, and then employed the newly gained server access to break into the phpBB forum database as well. "So I login and see what I can come across, wow 400,000 registered emails, I'm sure that will go quick on the black market, sorry people but expect a lot of spam," he adds, with some irony.
"And now it comes to an end, you may ask why did I do this? For fun mainly, but what I would like to suggest to the team at phpbb is this. If you are going to run third party scripts, either integrate them or keep up to date on their patches," the attacker explains. "phpbb, I did not alter any files on your server, everything I gained access to has been listed in this blog," he maintains.
Ironically, this incident could easily have been avoided even without upgrading to the new PHPlist version. As explained in an advisory published on the PHPlist website, the vulnerability can also be mitigated by adding a single line to the application's index.php file. "We apologise for not securing our servers in time to prevent this from happening. This demonstrates how critically important it is to always make sure that you keep up to date with any software that is running on your machine," the phpBB staff note in their communiqué.
Update: We have been contacted by "Kellanved," one of the phpBB developers, who was kind enough to point out that the attack on phpBB.com occurred before the patch for the vulnerability was released. "We have established that the attack began within hours of the exploit getting published, on January 14th - well before any patch was available," the developer wrote in an e-mail to Softpedia.