Slashdot Mirror


phpBB Forum Down After Defacement

kv9 writes "The phpBB forum has been closed down after the host was cracked into, apparently because of an AWStats hole. Several blogs have been attacked using the same method. Commentary on Netcraft, The Reg and SecurityFocus"

49 comments

  1. Meanwhile by Anonymous Coward · · Score: 0

    Perl forum still up and running. Conclusion? Obvious.

    1. Re:Meanwhile by isn't+my+name · · Score: 5, Informative

      Perl forum still up and running. Conclusion? Obvious.

      It says they write more careful--or less widespread--perl.

      The awstats exploit that was used here makes use of poorly written perl that failed to validate user input. Of course, had you read the article, you would know that.

    2. Re:Meanwhile by Anonymous Coward · · Score: 0

      The awstats exploit that was used here makes use of poorly written perl that failed to validate user input.

      WTF is so hard with validating user input?? Never heard of CPAN?

      Of course, had you read the article, you would know that.

      Of course, I had so much time during that minute between posting the story and posting my comment, riiight...

    3. Re:Meanwhile by DikSeaCup · · Score: 1

      Of course your comment about "poorly written perl" could be more general.

      As an IT professional, it puts me in a constant state of amazement when I hear about yet another buffer overrun.

    4. Re:Meanwhile by JFitzsimmons · · Score: 2, Informative

      Pfft... it says right in the slashdot summary that the cause of the security flaw was AWStats, not the forums themselves (or the php language itself, which far too many people have needless grudges against). I assure you, there are plenty of secure php pages out there, and plenty of insecure perl pages out there. It depends on the coder.

      --
      Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous

    5. Re:Meanwhile by wizbit · · Score: 3, Insightful

      It's not a buffer overflow, it's poor use of the open command in perl and hideously bad security practice to allow that command's arguments to a) contain practically any arbitrary value, and furthermore b) be passed from any browser that can find the script location. But this is why we chroot jail CGI scripts and avoid stupid use of system calls.

    6. Re:Meanwhile by Anonymous Coward · · Score: 0

      It's not a buffer overflow, it's poor use of the open command in perl and hideously bad security practice to allow that command's arguments to a) contain practically any arbitrary value, and furthermore b) be passed from any browser that can find the script location.

      It's not a bad practice of perl persay.
      Anyone worth his salt in gold will:

      1. Always use taint mode in CGI scripts
      2. Use 3-argument open()
      3. Therefore be safe

      Your point again?
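      The mechanism the two comments above argue about, as an added example (not code from the thread or from AWStats): why Perl's two-argument open() parses a leading mode character out of user-supplied data, why the three-argument form does not, and the allow-list regex that is also the taint-mode untainting idiom. The temporary directory, file names and the config-name pattern are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed input: a value that begins with an open() mode character, the
# kind of thing a CGI parameter can carry.  Nothing here is AWStats code.
my $dir   = tempdir(CLEANUP => 1);
my $input = ">$dir/victim.txt";

# Two-argument open(): Perl parses the leading '>' as the mode, so this
# silently creates/truncates victim.txt instead of reading anything.  A
# leading '|' is parsed the same way, as "pipe to this command".
open(my $two, $input) or die "2-arg open failed: $!";
close $two;
printf "2-arg: victim.txt exists? %s\n", -e "$dir/victim.txt" ? "yes" : "no";

# Three-argument open(): the mode is fixed in the code and $input is taken
# as a literal filename.  No file is literally named ">/tmp/.../victim.txt",
# so the open fails instead of doing something the author never intended.
if (open(my $three, '<', $input)) {
    print "3-arg: unexpectedly opened a file\n";
    close $three;
} else {
    print "3-arg: refused the literal name: $!\n";
}

# Validate before use: an allow-list of the characters a config name may
# contain.  Under taint mode (perl -T) the capture is also what untaints the
# value; anything that does not match is rejected outright.
sub safe_config_name {
    my ($name) = @_;
    return $name =~ /\A([A-Za-z0-9._-]{1,64})\z/ ? $1 : undef;
}

# Constructed candidates: one legitimate site name, two that must be refused.
for my $candidate ('example.com', '>victim.txt', '../etc') {
    my $clean = safe_config_name($candidate);
    printf "%-14s => %s\n", $candidate, defined $clean ? "accepted" : "rejected";
}
```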

    7. Re:Meanwhile by DikSeaCup · · Score: 1

      Didn't mean to imply that it was a buffer overrun, just that there's a lot of code out there that can be considered "poorly written".

      Course, I shouldn't really knock it - I'm not a programmer (I just make things go).

    8. Re:Meanwhile by Anonymous Coward · · Score: 0

      Didn't mean to imply that it was a buffer overrun,

      But you did.

      just that there's a lot of code out there that can be considered "poorly written".

      How do you know if you don't even know what stack smashing is (hint: buffer overflow does not have to be exploitable) or how Perl scalar strings work for that matter?

      [of] Course, I shouldn't really knock it -

      Fair enough.

      I'm not a programmer

      It shows.

      (I just make things go).

      Yeah, right.

    9. Re:Meanwhile by Anonymous Coward · · Score: 0

      And whilst the awstats exploit was out for nearly two weeks, you have to wonder why they didn't patch theirs.... It's their OWN fault!

    10. Re:Meanwhile by Anonymous Coward · · Score: 0

      He didn't imply that this was a buffer overrun, you read too much into his comment. You are insulting him for a number of shortcomings that aren't apparent from his comments. Do you know him personally, or are you just an arsehole?

    11. Re:Meanwhile by Anonymous Coward · · Score: 0

      LOL! An AC defending the honour of a slashdotter? Stop talking about yourself in 3rd person, DikSeaCup!

    12. Re:Meanwhile by Anonymous Coward · · Score: 0

      WTF is so hard with validating user input?

      Ask the awstats people that. It still has absolutely nothing to do with PHP.

      Of course, I had so much time during that minute between posting the story and posting my comment, riiight...

      Which is why it would, uh, have made sense for you to post your comment a little later, like for example after reading the article. That would make you look a bit less like a blathering fanboy who can barely stop drooling long enough to type, and a bit more like, if not quite a member of the human race, then at least a primate. Well, a mammal.

    13. Re:Meanwhile by Anonymous Coward · · Score: 0

      ...and AWStats is written in Perl...

    14. Re:Meanwhile by Anonymous Coward · · Score: 0

      I know you are but what am I?

    15. Re:Meanwhile by Anonymous Coward · · Score: 0

      That's per se, not persay.

    16. Re:Meanwhile by Anonymous Coward · · Score: 0

      That's per se, not persay.

      That's "That's," not "That's."

  2. Not phpBB -- Just their server. by Ahnteis · · Score: 4, Informative

    It's sad that most sites are posting this with a headline that seems to indicate that phpBB is the problem. The SERVER was hacked through OTHER software, not phpBB. (I know I was worried about my sites until I read the article.)

    1. Re:Not phpBB -- Just their server. by Anonymous Coward · · Score: 0

      Although one can't help wondering about karma.

      When the most recent phpBB2 flaw was being used to deface sites, their initial response was to tell people that the defacements were due to similarly timed PHP bugs, not their code.

      Whilst I'd not want to see anybody compromised the headline in this case is ironic, rather than unfortunate.

    2. Re:Not phpBB -- Just their server. by Anonymous Coward · · Score: 0

      Doesn't exactly engender a lot of faith in their software, though..

  3. Lies, damn lies, pure fud by Anonymous Coward · · Score: 0

    Of course your comment about "poorly written perl" could be more general. As an IT professional, it puts me in a constant state of amazement when I hear about yet another buffer overrun.

    OK, smartass, show me just ONE example of buffer overrun in Perl. Just ONE. Put it up or shut up!

    1. Re:Lies, damn lies, pure fud by Anonymous Coward · · Score: 0

      http://www.auscert.org.au/render.html?it=1887

    2. Re:Lies, damn lies, pure fud by Haeleth · · Score: 1

      OK, smartass, show me just ONE example of buffer overrun in Perl. Just ONE. Put it up or shut up!

      Okay, smartarse, show me just ONE SENTENCE in his post where he made any comment that implys that Perl is given to buffer overflows.

      No, tell you what, I'll save you the trouble:

      Of course your comment about "poorly written perl" could be more general. As an IT professional, it puts me in a constant state of amazement when I hear about yet another buffer overrun.

      Since you appear to be unable to parse this perfectly straightforward English correctly, I'll explain: "Your comment could be more general" means "bad code is written in other languages as well as Perl". The reference to buffer overruns is an example of a form of bad code that is common in these more general cases.

    3. Re:Lies, damn lies, pure fud by Anonymous Coward · · Score: 0

      I was asking about perl, not suidperl! Suidperl is not only an independent program but has been deprecated for years. Also, a NINE YEARS OLD VULNERABILITY??? WTF! Couldn't you possibly find anything even LESS relevant? I doubt it!

    4. Re:Lies, damn lies, pure fud by Anonymous Coward · · Score: 0

      I am also unable to parse a slightly less perfectly straightforward English...

      Syntax error: implys

      Sorry. Couldn't read any further.

    5. Re:Lies, damn lies, pure fud by Malek+the+Damned · · Score: 1

      Turn Strict off and try it again, buddy... =)

  4. Worms then.... by djsmiley · · Score: 1, Interesting

    I wonder how long until a worm comes out to take advantage of this....

    It's always interested me, from the time my work's php site was overrun via a googling worm.
    And how you always hear that it takes xhrs after a flaw is found, for someone to start using it.

    --
    - http://www.milkme.co.uk

  5. That's why I never use by Anonymous Coward · · Score: 0

    mod_php.o in httpd.conf even if preinstalled - just comment it out and everything runs faster with smaller memory foot print - a win-win scenario for me.

    1. Re:That's why I never use by Anonymous Coward · · Score: 0

      Try reading the summary, dumbass. The hole was in a perl script, not php.

  6. [tt] Learn how to patch! by CodeRed · · Score: 1

    If they would have properly managed their systems, none of this would have happened.

    --
    CodeRed, the lower user #. No relation to SirCam.

  7. They had it coming by Anonymous Coward · · Score: 0

    If anyone is frivolous enough to still use php when there is rock solid perl 5.8.6 available then one is basically asking to be rooted if you ask me.

    1. Re:They had it coming by Anonymous Coward · · Score: 1, Insightful

      Did you even read the article? They exploited AWStats, a Perl script.

    2. Re:They had it coming by Anonymous Coward · · Score: 0

      Did you even read the article?

      You must be new here.

  8. Many vulnerable AWStats sites on google by lhaeh · · Score: 2, Informative

    A cursory check of google suggests that there are many people who haven't patched yet: it lists the version number at the bottom of the statistics page.

    AWStats is a very popular tool, google returns likely 4,490 users. This could be as bad as one of the old ISS vulnerabilities. With any luck, the publicity generated by incidents like this one will be a warning to those still running vulnerable versions.

    1. Re:Many vulnerable AWStats sites on google by javaguy · · Score: 1

      "This could be as bad as one of the old ISS vulnerabilities. "

      What's wrong with the International Space Station? ;)

  9. The new 'underbelly' of IT.... by TeeJS · · Score: 1

    and open source in particular will be keeping up with all of the known holes and their fixes. I subscribe to three different security announcement listservs, and I still didn't hear about a patch for Mambo OS until I went to the forums looking for an answer on a stupid question. If I hadn't gone to the forums (I don't too often) I'd still be unpatched.

    I'm not sure what the answer is, but with the diversity in my network I could spend a whole day each week looking for issues on the services I run...

    1. Re:The new 'underbelly' of IT.... by macdaddy · · Score: 1

      This is why I subscribe to the announcement list of all major software packages I use. Or, alternately, I subscribe to the security bulletin list if they offer one. I also chastise the authors when they abuse the announcement list for something that's not an announcement. Yes, it's their list and their software, but they are greatly damaging their program's viability in a security conscious market by making it harder to get timely security bulletins. I don't sort announcement list mail either, or if I do post process it, I'll archive a copy in its own directory and keep a copy in my regular inbox so I have to see it. It works for me. I've managed to keep up with all the systems I've managed and I haven't been hacked yet (knock on wood VERY loudly). I won't say that it's been easy though. It's just part of the job. The important thing here is to make sure this everyday piece of your job isn't overlooked by management. "Oh, he spends half his day surfing the web and reading email. He's not doing anything important." Right... Nothing important. :-)

  10. How long by Anonymous Coward · · Score: 0

    before people finally get it that php is not for secure production mission critical environment? Another exploit, big deal. Just use secure software and get over it. Jeez.

    1. Re:How long by Anonymous Coward · · Score: 0

      Try reading the summary, and then the article if you still don't have a clue.

      The exploit was the result of a poorly coded perl script. It had nothing to do with php.

  11. Good point by Anonymous Coward · · Score: 0

    How long before people finally get it that php is not for secure production mission critical environment? Another exploit, big deal. Just use secure software and get over it. Jeez.

    Very good point. Unfortunately, there are literally tons of php fanboys always trying to force their little toy down our throats, even though /. itself is php-free, lol.

  12. What's the big deal? by Anonymous Coward · · Score: 0

    Yet another hole in a blog toy php system: film at 11. Booooooriiiiing.

    1. Re:What's the big deal? by Anonymous Coward · · Score: 0

      The bug was in AWStats, which is a Perl script you dumbass. If you had bothered to read the article you would have known that.

    2. Re:What's the big deal? by Anonymous Coward · · Score: 0

      ... you dumbass. If you had bothered to read the article ...

      You must be new here.

  13. OT But... by macdaddy · · Score: 1

    I like the tutorial. I'll have to point that out to some folks I just switched over.

  14. How long by Anonymous Coward · · Score: 1

    before people finally understand that web developers shouldn't be writing code in any languages lower level than javascript? The security of production mission critical systems shouldn't be put into the hands of Dreamweaver jockeys.

  15. What? by MrWa · · Score: 0

    What department was this from again?

  16. Fucking Ridiculous by Surye · · Score: 1

    Reading nearly 10 "OMFG HAHAH PHP IS TEH SUCK" comments on a story about a mature perl script with a bug makes me sick. I swear, /. is getting worse. Not that the headline is helping the misleading thoughts...

  17. *shakes head* by Malek+the+Damned · · Score: 2, Insightful

    I'm not sure whether it's hilarious or very, very sad that this is just turning into a huge "php sucks, ha ha, use perl instead you n00bs" thread.

    It's actually throwing a bad light on perl developers (and I am one, so I'm not flaming here) that they can't even be bothered reading even the _summary_ and see it was the perl function open() in AWStats that got used to exploit the server, not a php script.

    Personally, I code in perl and php. I use whichever's right for the task, and like 'em both.

    Oh, and I code my perl and php in Dreamweaver MX, too. Under Wine.

    *cue flaming*

  18. OMG! by Anonymous Coward · · Score: 0

    A website got defaced?! Amazing! /sarcasm

    I always figured /. was a news portal, not a security mailing list. Stuff like this happens all the time, why is this one news? Because a semi-popular site was defaced, even though its content was unrelated to the hole? I mean, with any malicious exploit that gets used before a patch is made, there are victims. Nothing new here. The parent isn't even worth the bandwidth it used.

    Bah humbug.