Slashdot Mirror


phpBB Forum Down After Defacement

kv9 writes "The phpBB forum has been closed down after the host was cracked into, apparently because of an AWStats hole. Several blogs have been attacked using the same method. Commentary on Netcraft, The Reg and SecurityFocus"

19 of 49 comments

  1. Not phpBB -- Just their server. by Ahnteis · · Score: 4, Informative

    It's sad that most sites are posting this with a headline that seems to indicate that phpBB is the problem. The SERVER was hacked through OTHER software, not phpBB. (I know I was worried about my sites until I read the article.)

  2. Re:Meanwhile by isn't+my+name · · Score: 5, Informative

    Perl forum still up and running. Conclusion? Obvious.

    It says they write more carefully--or less widespread--perl.

    The awstats exploit that was used here makes use of poorly written perl that failed to validate user input. Of course, had you read the article, you would know that.

  3. Re:Meanwhile by DikSeaCup · · Score: 1

    Of course your comment about "poorly written perl" could be more general.

    As an IT professional, it puts me in a constant state of amazement when I hear about yet another buffer overrun.

  4. Re:Meanwhile by JFitzsimmons · · Score: 2, Informative

    Pfft... it says right in the slashdot summary that the cause of the security flaw was AWStats, not the forums themselves (or the php language itself, which far too many people have needless grudges against). I assure you, there are plenty of secure php pages out there, and plenty of insecure perl pages out there. It depends on the coder.

    --
    Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous
  5. Re:Meanwhile by wizbit · · Score: 3, Insightful

    It's not a buffer overflow, it's poor use of the open command in perl and hideously bad security practice to allow that command's arguments to a) contain practically any arbitrary value, and furthermore b) be passed from any browser that can find the script location. But this is why we chroot jail CGI scripts and avoid stupid use of system calls.
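    As an added illustration of the pattern this comment describes (example code written for this page, not AWStats' own script or the poster's), the following Perl puts a two-argument open() fed by an unvalidated value next to a hardened version that allow-lists the name and uses three-argument open() with an explicit read mode. The config directory, the file naming scheme and the function names are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not AWStats' own code: the two-argument open() pattern
# described in the comment, beside a hardened version. Paths are assumptions.
use strict;
use warnings;

# Directory that per-site config files are assumed to live in.
my $CONFIG_DIR = '/etc/awstats';

# Vulnerable pattern: two-argument open() parses the MODE out of the string
# itself. If $name came straight from a query-string parameter, a leading or
# trailing '|' turns the open into a command pipe and a leading '>' turns it
# into a truncating write, so this form must never see unvalidated input.
sub open_config_unsafe {
    my ($name) = @_;
    open(my $fh, "$CONFIG_DIR/awstats.$name.conf") or return undef;  # two-arg open
    return $fh;
}

# Allow-list check: a config name is letters, digits, '.', '_' or '-',
# at most 64 characters, and never contains '..'. Returns 1 or 0.
sub valid_config_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return 0 unless $name =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
    return 0 if $name =~ /\.\./;
    return 1;
}

# Hardened version: reject anything outside the allow-list, then use
# three-argument open() with an explicit '<' mode so the string can only
# ever be interpreted as a filename, never as a pipe or a write.
sub open_config_safe {
    my ($name) = @_;
    return undef unless valid_config_name($name);
    my $path = "$CONFIG_DIR/awstats.$name.conf";
    open(my $fh, '<', $path) or return undef;
    return $fh;
}

# Constructed sample inputs: exercise the validator without touching the
# filesystem, so the script runs anywhere.
my @samples = (
    'example.com',   # ordinary site name: accepted
    'my_site-01',    # accepted
    '../x',          # traversal attempt (slash and '..'): rejected
    'a|b',           # pipe metacharacter: rejected
    '>a',            # redirection metacharacter: rejected
    '',              # empty: rejected
);

for my $s (@samples) {
    printf "%-14s %s\n", "'$s'", valid_config_name($s) ? 'accepted' : 'rejected';
}
```

    Running a CGI under `perl -T` (taint mode) adds a second line of defence: Perl then refuses to let browser-supplied strings reach a pipe open or a write until they have been untainted through a regex match like the one above, which pairs well with the comment's point about chroot jails and avoiding careless system calls.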

  6. Worms then.... by djsmiley · · Score: 1, Interesting

    I wonder how long until a worm comes out to take advantage of this....

    It's always interested me, from the time my work's php site was overrun via a googling worm.
    And how you always hear that it takes x hrs after a flaw is found for someone to start using it.

    --
    - http://www.milkme.co.uk
  7. Re:Meanwhile by DikSeaCup · · Score: 1

    Didn't mean to imply that it was a buffer overrun, just that there's a lot of code out there that can be considered "poorly written".

    Course, I shouldn't really knock it - I'm not a programmer (I just make things go).

  8. Learn how to patch! by CodeRed · · Score: 1

    If they had properly managed their systems, none of this would have happened.

    --
    CodeRed, the lower user #. No relation to SirCam.
  9. Many vulnerable AWStats sites on google by lhaeh · · Score: 2, Informative

    A cursory check of google suggests that there are many people who haven't patched yet: it lists the version number at the bottom of the statistics page.

    AWStats is a very popular tool, google returns likely 4,490 users. This could be as bad as one of the old ISS vulnerabilities. With any luck, the publicity generated by incidents like this one will be a warning to those still running vulnerable versions.

    1. Re:Many vulnerable AWStats sites on google by javaguy · · Score: 1

      "This could be as bad as one of the old ISS vulnerabilities. "

      What's wrong with the International Space Station? ;)

  10. The new 'underbelly' of IT.... by TeeJS · · Score: 1

    and open source in particular will be keeping up with all of the known holes and their fixes. I subscribe to three different security announcement listserves, and I still didn't hear about a patch for Mambo OS until I went to the forums looking for an answer on a stupid question. If I hadn't gone to the forums (I don't too often) I'd still be unpatched.

    I'm not sure what the answer is, but with the diversity in my network I could spend a whole day each week looking for issues on the services I run...

    1. Re:The new 'underbelly' of IT.... by macdaddy · · Score: 1

      This is why I subscribe to the announcement list of all major software packages I use. Or, alternately, I subscribe to the security bulletin list if they offer one. I also chastise the authors when they abuse the announcement list for something that's not an announcement. Yes, it's their list and their software, but they are greatly damaging their program's viability in a security conscious market by making it harder to get timely security bulletins. I don't sort announcement list mail either, or if I do post process it, I'll archive a copy in its own directory and keep a copy in my regular inbox so I have to see it. It works for me. I've managed to keep up with all the systems I've managed and I haven't been hacked yet (knock on wood VERY loudly). I won't say that it's been easy though. It's just part of the job. The important thing here is to make sure this everyday piece of your job isn't overlooked by management. "Oh, he spends half his day surfing the web and reading email. He's not doing anything important." Right... Nothing important. :-)

  11. Re:Lies, damn lies, pure fud by Haeleth · · Score: 1

    OK, smartass, show me just ONE example of buffer overrun in Perl. Just ONE. Put it up or shut up!

    Okay, smartarse, show me just ONE SENTENCE in his post where he made any comment that implies that Perl is given to buffer overflows.

    No, tell you what, I'll save you the trouble:

    Of course your comment about "poorly written perl" could be more general. As an IT professional, it puts me in a constant state of amazement when I hear about yet another buffer overrun.

    Since you appear to be unable to parse this perfectly straightforward English correctly, I'll explain: "Your comment could be more general" means "bad code is written in other languages as well as Perl". The reference to buffer overruns is an example of a form of bad code that is common in these more general cases.

  12. Re:They had it coming by Anonymous Coward · · Score: 1, Insightful

    Did you even read the article? They exploited AWStats, a Perl script.

  13. OT But... by macdaddy · · Score: 1

    I like the tutorial. I'll have to point that out to some folks I just switched over.

  14. How long by Anonymous Coward · · Score: 1

    before people finally understand that web developers shouldn't be writing code in any languages lower level than javascript? The security of production mission critical systems shouldn't be put into the hands of Dreamweaver jockeys.

  15. Fucking Ridiculous by Surye · · Score: 1

    Reading nearly 10 "OMFG HAHAH PHP IS TEH SUCK" comments on a story about a mature perl script with a bug makes me sick. I swear, /. is getting worse. Not that the headline is helping the misleading thoughts...

  16. *shakes head* by Malek+the+Damned · · Score: 2, Insightful

    I'm not sure whether it's hilarious or very, very sad that this is just turning into a huge "php sucks, ha ha, use perl instead you n00bs" thread.

    It's actually throwing a bad light on perl developers (and I am one, so I'm not flaming here) that they can't even be bothered reading even the _summary_ and see it was the perl function open() in AWStats that got used to exploit the server, not a php script.

    Personally, I code in perl and php. I use whichever's right for the task, and like 'em both.

    Oh, and I code my perl and php in Dreamweaver MX, too. Under Wine.

    *cue flaming*

  17. Re:Lies, damn lies, pure fud by Malek+the+Damned · · Score: 1

    Turn Strict off and try it again, buddy... =)