Forum owners beware

Lefteris_D

Administrator
Staff member
Badger said:
It says it's only affecting phpBB, but my Invision board got several skins infected by it, rendering them useless.
The "Highlight Vulnerability" on phpBB was announced by the phpBB team days ago and a bugfix edition was released. Anyone that did not update their forum software just had it coming.

The bug however is not phpBB related exactly but a bug in PHP functions used by phpBB (and IPB and vB etc. etc.). All PHP versions prior to 4.3.10 & 5.0.3 can be exploited.

The Emulator Zone Forum (along with everything else on the server) needs no patching as PHP was updated yesterday.


JAPPsmash said:
So my phpbb board is doomed, right?
You have one of those "hosted" boards so your host is responsible for the updates. You can do nothing about it.
 

Jale

Active member
Lefteris_D said:
You have one of those "hosted" boards so your host is responsible for the updates. You can do nothing about it.

OK, now I can live in peace :my_rambo:
 

Jale

Active member
Actually I have 2 phpbb forums. One is recent (the one you said "You and your 1 registered user!") and the other one is 1 week old and I already have 11 registered users.
 

Badger

New member
Lefteris_D said:
The "Highlight Vulnerability" on phpBB was announced by the phpBB team days ago and a bugfix edition was released. Anyone that did not update their forum software just had it coming.


Had it coming?

Surprisingly I don't check my forum software for updates every other day. Is this unusual or something?
 

Lefteris_D

Administrator
Staff member
Badger said:
Had it coming?

Surprisingly I don't check my forum software for updates every other day. Is this unusual or something?
I check for updates every 3-4 days and the message was available at phpbb.com since November 18 (click).

As for a warning about the PHP exploits several bulletin board makers made an official announcement: phpBB, vBulletin, SMF. There were also several user created threads in all the official board manufacturer sites.

Any person that had the ability to patch their forum software or upgrade PHP and simply did not do it had it coming.

This time it was not a hacker that did a specific attack but a worm that started attacking everything it could. That only teaches us to keep an eye on certain updates.
 

GHDpro

Administrator
Staff member
Aw come on, I didn't know the problems were this severe until only a few days ago.

And while the main server software is now up-to-date on a few of my servers, I hope
there are no major bugs in the other software (FTP, SSH, Kernel, etc) as I don't exactly
check for updates for those... ever. On some servers I do occasionally run "yum update"
though, but I'm not sure how foolproof that is.

Ah well, at least I got a firewall running, which at least limits the possible hack attempts
to services that are actually used.
 

Lefteris_D

Administrator
Staff member
GHDpro said:
Aw come on, I didn't know the problems were this severe until only a few days ago.
The only files that could have caused the problems were Invisionboard (gone), my forum (patched days ago!), Burning Board (almost gone) and phpMyAdmin (private directory).

If I knew you had phpBB installed (which you don't) I would have started bugging you as usual when it comes to security issues.
 

Badger

New member
Lefteris_D said:
I check for updates every 3-4 days and the message was available at phpbb.com since November 18 (click).

As for a warning about the PHP exploits several bulletin board makers made an official announcement: phpBB, vBulletin, SMF. There were also several user created threads in all the official board manufacturer sites.

Any person that had the ability to patch their forum software or upgrade PHP and simply did not do it had it coming.

This time it was not a hacker that did a specific attack but a worm that started attacking everything it could. That only teaches us to keep an eye on certain updates.


I use the icon in the IPB admin panel to tell me if updates are available, as far as I know there wasn't any until at maximum 4-5 days ago, which was the last time I logged in the admin panel. I had no idea about this worm, until it was too late. Obviously the forum software has now been patched.
 

Lefteris_D

Administrator
Staff member
Badger said:
I use the icon in the IPB admin panel to tell me if updates are available
That means that IPS remembered to update the script on their server. The message means that IPB2 is out...

It will only change when major versions are released 1.2 >> 1.3, 1.3 >> 1.3.1 etc

How they forgot to update the system to show that 2.0.x was out for that many weeks I don't know.

If you REALLY want to know about security releases better look here for news: http://forums.invisionpower.com/index.php?showforum=1


I also have to remind you that IPB does not have any automatic patching systems so you have to apply the patches yourself. Also, the 1.3.x series has been discontinued. To be secure you need the 2.0.x series.
 