Slashdot Mirror


phpBB Forum Down After Defacement

kv9 writes "The phpBB forum has been closed down after the host was cracked into, apparently because of an AWStats hole. Several blogs have been attacked using the same method. Commentary on Netcraft, The Reg and SecurityFocus"

4 of 49 comments

  1. Not phpBB -- Just their server. by Ahnteis · Score: 4, Informative

    It's sad that most sites are posting this with a headline that seems to indicate that phpBB is the problem. The SERVER was hacked through OTHER software, not phpBB. (I know I was worried about my sites until I read the article.)

  2. Re:Meanwhile by isn't+my+name · Score: 5, Informative

    Perl forum still up and running. Conclusion? Obvious.

    It says they write more careful--or less widespread--perl.

    The awstats exploit that was used here makes use of poorly written perl that failed to validate user input. Of course, had you read the article, you would know that.

  3. Re:Meanwhile by JFitzsimmons · Score: 2, Informative

    Pfft... it says right in the Slashdot summary that the cause of the security flaw was AWStats, not the forums themselves (or the PHP language itself, which far too many people have needless grudges against). I assure you, there are plenty of secure PHP pages out there, and plenty of insecure Perl pages out there. It depends on the coder.

    --
    Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous

  4. Many vulnerable AWStats sites on google by lhaeh · Score: 2, Informative

    A cursory check of Google suggests that there are many people who haven't patched yet: it lists the version number at the bottom of the statistics page.

    AWStats is a very popular tool, Google returns likely 4,490 users. This could be as bad as one of the old ISS vulnerabilities. With any luck, the publicity generated by incidents like this one will be a warning to those still running a vulnerable version.