16 Jul 10

The first rule of phpBB security holes is that you do not talk about phpbb security holes.

I used to have a phpbb3-powered bulletin board. It ran pretty well, apart from always having to delete spam users who were actually Russian robots. A while back they released a huge security update. There’s usually an “easy” upgrade method and a “full” upgrade method. My board is pretty much bone stock, but for some reason “easy” never works. So I spent all night crawling through lines of code in the PHP and in my SQL database looking for the commands the updater was trying to run and figuring out why they weren’t working, and then manually executing the commands myself. This took hours, but I finally got the board updated to 3.0.6. Almost immediately thereafter, the board was hacked, probably by a robot looking for boards running 3.0.6, and probably through some exploit that I had just exposed our board to by doing this laborious update. Now, every time you try to access our forum, or post something, you get redirected to a hot celebs site in India, and then Firefox shuts down the page and flashes a huge red warning about an “attack site” and all you can do is click “get me out of here!” Awesome. So glad I ran that security update.
So when this happened several months ago, I did the only sensible thing that I had time to do. I logged in, disabled the board in the admin control panel, and then changed the permissions on that folder on my server to whatever the Unix equivalent of “everyone in the world can piss off” is. Alright, so the board was broken but at least things couldn’t get any worse. I put it on the back burner until I had time to troubleshoot.
Recently I tried to see if I could resurrect the board. Turns out, I can’t. I deleted every file in the phpbb3 folder and then reinstalled the board from a clean download of the latest version, and yet still every time you try to post to the forum you get redirected to some celebs site in India. Fan-frickin’-tastic.
I did some Googling and found one other user experiencing the exact same problem with the exact same redirect. Joyously I clicked on the forum hoping to find a solution. I was crushed to find that the user’s post had been slapped down with a standard “file a bug” reply and didn’t offer any actual information on how to go about repairing the damage. Worse, the information that they asked for in the bug report is info that I just don’t have access to. Things like server access logs and the original board files that I deleted before I went to the forum looking for help. I couldn’t reply to that thread because it was locked, so I started a new thread and said “Hey, I have the same problem, I don’t have what they’re asking for here, but has anyone else been able to repair their board after this type of attack?” Within a few minutes, my topic had the same canned “file a bug” response and was locked. LOCKED! I’ve seen a lot of conversations go way off topic for page after page but I rarely see forums being locked, especially when people are being civil and playing nice.
Apparently, phpBB doesn’t want anyone knowing about the security holes that their current board versions have, and they don’t want their users knowing how to fix these problems on their own. Nor do they even want users talking with each other about how to fix the problem. I found it kind of odd that a forum software company would be so bent on squashing the power of community.
Actually, I’m pretty pissed about it. So I blogged. Yeah.

Update: I was wrrrrr… wrooooorrrr… hang on a second… I was wurrrurrrrr… dammit! I provided information earlier based on assumptions that proved to be… wrrrrr… erroneous. Ok, I can admit it. Turns out, the security hole was not in phpBB, but rather in a combination of software, mainly a certain web browser plugin and a certain FTP client, which ended up exposing my FTP password to nefarious agents. These agents used my password to alter the .htaccess file in the root of my server and caused it to redirect to 4safe.in. The fact that it was a forum that was redirected is incidental. It could have been any web content. It was an easy fix though, and it wouldn’t have been any skin off the phpBB folks to just tell people what the problem was and let them go fix it. Furthermore, the files that phpBB asked for would not have led to a solution to the problem, as they did not ask for the .htaccess file that lies outside the phpBB3 folder. Alright, so if you find your site redirected to: http://4safe.in/in.cgi?4&parameter=sf the first thing you should do is look at your .htaccess file and delete the reference to that site. AND CHANGE YOUR FTP PASSWORD FOR CHRISSAKES. And probably get a new FTP client. Now the solution is published somewhere on the web. My work here is finished.
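The check the update describes, as an added example that is not part of the original post: scan an .htaccess file for Redirect/RewriteRule directives whose target host is not the site’s own, and quarantine them by commenting them out so the evidence survives. The sample .htaccess is constructed here and mirrors the redirect named in the post; the trusted host list (example.com) is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess: a legitimate config with one injected RewriteRule
# that sends every visitor to the 4safe.in URL named in the post.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} .*Firefox.* [NC]
RewriteRule ^(.*)$ http://4safe.in/in.cgi?4&parameter=sf [R=302,L]
RewriteRule ^index\\.php$ - [L]
Redirect 301 /old-forum /forum
ErrorDocument 404 /404.html
"""

# Assumption: hosts this site is allowed to redirect to (its own domain).
TRUSTED_HOSTS = {"example.com", "www.example.com"}

# Directives that can send a visitor elsewhere; anything else is ignored.
_DIRECTIVE = re.compile(r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+(.*)$", re.I)
_URL = re.compile(r"https?://[^\s\"']+", re.I)


def find_external_redirects(htaccess_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (line_no, host, line) for each redirect directive whose target host is untrusted."""
    findings = []
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        for url in _URL.findall(m.group(2)):
            host = (urlparse(url).hostname or "").lower()
            if host not in trusted_hosts:
                findings.append((n, host, line.strip()))
    return findings


def strip_external_redirects(htaccess_text, trusted_hosts=TRUSTED_HOSTS):
    """Comment out (rather than delete) every flagged directive and return the new text."""
    bad = {n for n, _, _ in find_external_redirects(htaccess_text, trusted_hosts)}
    out = []
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        out.append("# QUARANTINED: " + line if n in bad else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, host, line in find_external_redirects(SAMPLE_HTACCESS):
        print(f"line {n}: redirect to untrusted host {host!r}: {line}")
```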


1 Response to “The first rule of phpBB security holes is that you do not talk about phpbb security holes.”


  1. dgatwood
    May 13, 2012 at 11:28 pm

    No, the correct thing to do is NOT USE FTP. The FTP protocol is, by its nature, fundamentally insecure. It has no encryption, which means your passwords are flying across the public internet where anyone in the right place can sniff them and masquerade as you.

    A properly designed web service company should either provide:

    * WebDAV over HTTPS—a web-server-based protocol for accessing and modifying files on a remote machine. When served over an HTTPS connection, this is secure. When served over an HTTP connection, your login might be secure (if they use digest auth or client certificates), but the data you send is not. Don’t send or receive password files using WebDAV unless it is served over HTTPS.

    * SFTP—a protocol based on SSH (and almost completely unrelated to FTP) that allows you to *securely* add and remove files.

    * SSH/SCP—another protocol used for logging in to remote machines; SCP can be used to push/pull files, albeit a bit more clumsily; SSH can be used to log in and modify files on remote machines using command-line editors, or you can push/pull files in large quantities by combining ssh and tar.

    * AFP or SMB—file server protocols that allow secure authentication. (Your files are still sent in cleartext across the wire, though, so don’t use this to copy password files.)

    FTP should basically die already. No one with an ounce of security sense should still allow FTP on their servers in this day and age. Most sensible organizations banned non-anonymous FTP by the mid-to-late 1990s.

