phpBB 2 usernames/passwords hacked and posted

  • Tom Finley
    Brigadier General

    • Mar 2008
    • 1303

    phpBB 2 usernames/passwords hacked and posted

    I have no idea where I should post this, so I'll let you see it and maybe a mod can move it.

    This pertains to anyone using phpBB version 2, the one available here at VodaHost. From the phpBB site (see especially the red part):

    ......................

    As you may already be aware from the message on phpBB.com or the topic in the #phpBB channel on Freenode, we have recently been attacked via a vulnerability in an outdated PHPList installation. It is important to stress that no vulnerabilities have been found in the phpBB software itself.

    We took area51.phpBB.com down along with phpBB.com to ensure integrity and prevent further damage. While we actively work to bring phpBB.com back online, we would also like to inform you of the damage that has been done.

    The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.

    phpBB3 uses a complex hashing algorithm in order to prevent someone from determining the plaintext value of a password. phpBB2, however, used a much simpler and less secure md5 algorithm to store passwords. This is one of the many reasons why we have decided to no longer support the phpBB2 software. Because hashes cannot be reversed, phpBB3 is set to convert phpBB2 hashes to the new phpBB3 standard during the first user login. Those users who registered while phpBB.com used phpBB2 and did not log in on the new phpBB3 board continue to have their password hashes stored in the old format. Passwords stored in the old format are much less secure than those stored in the new format. The attackers have been focusing purely on the passwords stored in the old format.

    If the password to your phpBB.com account is used anywhere else (especially with the same username), we strongly recommend that you change it. Using the same password across multiple sites is not security wise and should not be done under any circumstance. Additionally, you should change your password on phpBB.com, when it becomes available.

    We apologise that we allowed this to happen by not patching vulnerable software in time. This demonstrates how critically important it is to always make sure that you keep up to date with any software that is running on your machine. At this time, the team is working around the clock to restore phpBB.com and other resources.

    Thank you,

    - The phpBB Teams
    CLAMcentral.com Children's Ministry resources
    CLAMcentral's Projects Blog
    CLAMbakeonline.com Family Fun
  • Karen Mac
    General

    • Apr 2006
    • 8332

    #2
    Re: phpBB 2 usernames/passwords hacked and posted

    That's why it's worth EVERY single penny to buy vBulletin. If you have a forum of any size worth keeping, it's worth having.

    Karen

    VodaHost

    Your Website People!
    1-302-283-3777 North America / International
    02036089024 / United Kingdom
    291916438 / Australia

    ------------------------

    Top 3 Best Sellers

    Web Hosting - Unlimited disk space & bandwidth.

    Reseller Hosting - Start your own web hosting business.

    Search Engine & Directory Submission - 300 directories + (Google,Yahoo,Bing)



    • Watdaflip
      Major General

      • Sep 2005
      • 2116

      #3
      Re: phpBB 2 usernames/passwords hacked and posted

      Just wanted to point out that there is no reason to be alarmed or feel insecure about your own forum because of this attack on phpBB's community forum. The attack was not because of any holes/bugs in the forum itself; it was a 3rd party addon phpBB was using on their own site that allowed the hacker to get in.

      Also, technically vB isn't any more secure, considering the fact that it was an addon for phpBB that caused the security flaw. All it would take is installing a poorly coded vBulletin addon and you're just as vulnerable.

      Now vB has used a salt for quite some time, but even that doesn't prevent your password from being stolen. It just means there is an additional step needed.

      With the password from phpBB 2.x, it was only passed through the md5 function to hash the password. If someone gets ahold of that hash, they can run it through a process to compare it to a table of hashes that contains all possible combinations of strings up to a certain number of characters (called a rainbow table). Now if you have a password that is 5 characters long, there are 1,934,917,632 possible combinations (assuming a normal password type). Not all of those have to be searched to find the password, but it still takes quite a bit of time to do. If you have a 7 character password the number of combinations jumps to 10,030,613,004,288. This number grows exponentially with each additional character in your password.

      The benefit of having a salt is that even if the salt is known (phpBB's website had their entire user table stolen, so the salt would have been included), the hacker has to generate a rainbow table specific to that salt. This also takes longer to search than a generic rainbow table of hashes without salts.

      Register/Login Script
      Do you use a Password Protected Directory? Need a way to allow users to make their own account, try my .htaccess Login Script
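The two technical points in this thread, the phpBB announcement's conversion of old phpBB2 hashes on a user's first login and the explanation above of why a per-user salt defeats a shared precomputed table, as one added worked example in Python. This is example code written for this page, not phpBB's or vBulletin's own code; it assumes a constructed in-memory user table, a hypothetical `pbkdf2$<iterations>$<salt>$<hash>` record format standing in for "the new standard", and a constructed list of candidate passwords. No value here comes from any real dump.

```python
import hashlib
import hmac
import os
import re

# phpBB2 stored md5(password) as 32 lowercase hex characters with no salt.
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Hypothetical upgraded record format, constructed for this example (not phpBB3's real scheme):
#   "pbkdf2$<iterations>$<salt hex>$<digest hex>"
PBKDF2_ITERATIONS = 100_000


def legacy_md5(password: str) -> str:
    """What phpBB2 stored: an unsalted md5 hex digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_legacy_hash(stored: str) -> bool:
    """Detect a record still in the old unsalted md5 format."""
    return bool(LEGACY_MD5_RE.match(stored))


def hash_new(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash: the same password yields a different record per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_new(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def login(users: dict, username: str, password: str) -> bool:
    """Verify against whichever format is stored; a legacy hash is upgraded in place on success.

    This mirrors the convert-on-first-login behaviour the phpBB announcement describes:
    the plaintext is only available at login, so that is the only moment a rehash is possible.
    """
    stored = users.get(username)
    if stored is None:
        return False
    if is_legacy_hash(stored):
        if not hmac.compare_digest(legacy_md5(password), stored):
            return False
        users[username] = hash_new(password)
        return True
    return verify_new(password, stored)


def build_lookup_table(candidates) -> dict:
    """Shared precomputed table hash -> plaintext: built once, reusable against any unsalted md5 dump."""
    return {legacy_md5(c): c for c in candidates}


def lookup_dump(table: dict, stored_hashes) -> int:
    """How many stored records the shared table resolves with a plain dictionary lookup."""
    return sum(1 for h in stored_hashes if h in table)


def audit(users: dict) -> list:
    """Accounts still carrying an unsalted legacy hash: the ones to flag or force-reset."""
    return sorted(u for u, h in users.items() if is_legacy_hash(h))


# Constructed sample data for the demonstration (not from the page or any real breach).
CANDIDATES = ["password", "letmein", "qwerty", "football"]


def demo():
    users = {
        "alice": legacy_md5("letmein"),   # registered under phpBB2, never logged in since
        "bob": hash_new("football"),      # already stored in the salted format
    }
    table = build_lookup_table(CANDIDATES)
    hits_before = lookup_dump(table, users.values())   # shared table resolves alice only
    legacy_before = audit(users)
    login(users, "alice", "letmein")                    # first login converts alice's record
    hits_after = lookup_dump(table, users.values())    # same table now resolves nothing
    legacy_after = audit(users)
    return hits_before, hits_after, legacy_before, legacy_after


if __name__ == "__main__":
    print(demo())
```

The `audit` function is the practical takeaway: a dump of a table that still contains 32-hex records is exposed to a table the attacker built long before the breach, while every salted record costs a fresh per-salt computation. Running `audit` over a real user table and forcing resets for the accounts it lists closes the gap that convert-on-login leaves open for users who never return.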


      • LadyEye
        General & Forum Moderator

        • Jun 2006
        • 10526

        #4
        Re: phpBB 2 usernames/passwords hacked and posted

        moved to start your own community forum ..

        Originally posted by Watdaflip:
        Just wanted to point out that there is no reason to be alarmed or feel insecure about your own forum because of this attack on phpbb's community forum.

        Now vB has used a salt for quite some time now.
        The benefit of having a salt is that if the salt is known.
        Now, I never use salt without pepper, so pass the peppa please ..


        • davidundalicia
          General

          • Mar 2006
          • 6294

          #5
          Re: phpBB 2 usernames/passwords hacked and posted

          Originally posted by Watdaflip:
          Just wanted to point out that there is no reason to be alarmed or feel insecure about your own forum because of this attack on phpBB's community forum. The attack was not because of any holes/bugs in the forum itself; it was a 3rd party addon phpBB was using on their own site that allowed the hacker to get in.

          Also, technically vB isn't any more secure, considering the fact that it was an addon for phpBB that caused the security flaw. All it would take is installing a poorly coded vBulletin addon and you're just as vulnerable.

          Now vB has used a salt for quite some time, but even that doesn't prevent your password from being stolen. It just means there is an additional step needed.

          With the password from phpBB 2.x, it was only passed through the md5 function to hash the password. If someone gets ahold of that hash, they can run it through a process to compare it to a table of hashes that contains all possible combinations of strings up to a certain number of characters (called a rainbow table). Now if you have a password that is 5 characters long, there are 1,934,917,632 possible combinations (assuming a normal password type). Not all of those have to be searched to find the password, but it still takes quite a bit of time to do. If you have a 7 character password the number of combinations jumps to 10,030,613,004,288. This number grows exponentially with each additional character in your password.

          The benefit of having a salt is that even if the salt is known (phpBB's website had their entire user table stolen, so the salt would have been included), the hacker has to generate a rainbow table specific to that salt. This also takes longer to search than a generic rainbow table of hashes without salts.
          Not according to the above...
          Have fun
          Regards..... David

          Step by Step Visual Tutorials for the complete beginner
          Newbies / Beginners Forum
          FREE Membership Login Scripts: - Meta Tags Analyzer
          My Social Networking Site - Free Contact Forms
          Finished your New website!! Now get it noticed Here:
