Slashdot Mirror


phpBB Forum Down After Defacement

kv9 writes "The phpBB forum has been closed down after the host was cracked into, apparently because of an AWStats hole. Several blogs have been attacked using the same method. Commentary on Netcraft, The Reg and SecurityFocus."

3 of 49 comments

  1. Re:Meanwhile by wizbit · Score: 3, Insightful

    It's not a buffer overflow, it's poor use of the open command in perl and hideously bad security practice to allow that command's arguments to a) contain practically any arbitrary value, and furthermore b) be passed from any browser that can find the script location. But this is why we chroot jail CGI scripts and avoid stupid use of system calls.

  2. Re:They had it coming by Anonymous Coward · Score: 1, Insightful

    Did you even read the article? They exploited AWStats, a Perl script.

  3. *shakes head* by Malek+the+Damned · Score: 2, Insightful

    I'm not sure whether it's hilarious or very, very sad that this is just turning into a huge "php sucks, ha ha, use perl instead you n00bs" thread.

    It's actually throwing a bad light on perl developers (and I am one, so I'm not flaming here) that they can't even be bothered reading even the _summary_ and see it was the perl function open() in AWStats that got used to exploit the server, not a php script.

    Personally, I code in perl and php. I use whichever's right for the task, and like 'em both.

    Oh, and I code my perl and php in Dreamweaver MX, too. Under Wine.

    *cue flaming*
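
The unsafe use of Perl's open() that comments 1 and 3 refer to, next to a hardened form, as an added example that is not part of the thread and is not AWStats code. The function name `read_config`, the `.conf` layout and all request values are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sandbox: a temp directory holding one sample config file.
my $CONF_DIR = tempdir(CLEANUP => 1);
{
    open(my $fh, '>', File::Spec->catfile($CONF_DIR, 'site1.conf'))
        or die "setup: $!";
    print {$fh} "SiteDomain=example.test\n";
    close($fh);
}

# UNSAFE pattern: two-argument open() parses its argument for a mode, so a
# value that begins or ends with '|' is executed as a command, not opened.
#   open(my $fh, $user_value);    # never do this with request data

# Hardened form: allow-list the value first, then use three-argument open()
# with an explicit read mode so the filename is never interpreted as a mode.
sub read_config {
    my ($name) = @_;
    return (undef, 'rejected: bad characters')
        unless defined $name && $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    my $path = File::Spec->catfile($CONF_DIR, "$name.conf");
    open(my $fh, '<', $path) or return (undef, "rejected: $!");
    local $/;                     # slurp the whole file
    my $data = <$fh>;
    close($fh);
    return ($data, 'ok');
}

# Constructed request values: one legitimate, three hostile shapes
# (path traversal, pipe characters, embedded NUL byte).
for my $value ('site1', '../../etc/passwd', '|placeholder-command|',
               "site1\0.txt") {
    my ($data, $status) = read_config($value);
    (my $shown = $value) =~ s/[^\x20-\x7e]/?/g;   # make NUL printable
    printf "%-24s %s\n", $shown, $status;
}
```

Only `site1` is read; the other three values fail the allow-list before any open() call is made. The chroot jail wizbit mentions is a second layer on top of this, limiting what a script can reach if validation is ever missed.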