The website for one of the net's more popular bulletin board software packages has been taken offline following a security breach that gave an attacker full access to a database containing names, email, address, and hashed passwords for its entire user base. In a message posted Sunday, administrators of phpBB.com said the …
Vulnerability through honesty ?
Is it possible that this blackhat exploited the vulnerability purely BECAUSE of 'Full Disclosure' of bugs and having access to the entire source code ? Imagine the sequence of events:
1. A developer/reviewer flags a vulnerability on a public forum.
2. The support team say "Yep, good call. We're on it."
3. Blackhat reads forum and says "Yep, good call. Thanks for being a thousand pairs of eyes to my one pair.", and off he goes to work out ways to use this knowledge in creating an exploit.
4. The support team say "Yep, we've fixed it good. Download the latest version, and you'll be safe."
5. Not everyone using the software knows about either the vuln or the fix. They happily go about their business.
6. Mr Blackhat P\/\/n5 the crap out of them.
8. Profit !
cf. 'Security through obscurity'. Also, check out 'The Morris Worm'.
Shame the password list is no longer available
As I couldn't remember my password on phpbb.com for the life of me....
Is the closed source model any better ...
1. Researcher discloses vulnerability privately
2. Company ignores them completely
3. Researcher announces vulnerability without details
4. Company denies problem.
5. Researcher posts a working exploit.
6. Virus writers add it to their bag of tricks.
7. Media reports virus outbreak.
8. Company starts working on a patch.
9. Not everyone patches ....
@ Daviid Wilkinson
Not really, but if it helps stop the linux mob shouting how much more secure it must be as it's open source has got to be a good thing.
Open or closed, Red Hat or Microsoft, security comes down to the administrator - not the platform.
Firewalls, patching, IDS etc. Regardless of your platform these are tools that should be used.
PHP is a tool of the devil.
Lowest common denominator of web applications, widely known for its poor programmers and many security problems.
I know many system administrators that do not allow PHP on their servers for just this reason.
OTOH it is very easy to build interactive sites with quickly, and it is a very easy language to learn.
Which explains why it is so popular and bug ridden.
The last time I audited a popular piece of PHP software for bugs I found an exploit within an hour, despite being unfamiliar with the software. (authors were notified on a public forum because they had no private contact details available).
To be fair most of the PHP applications are much more secure these days but the less well known add ons still suffer from the same old stupid programming mistakes.
Where's me penguin?
What are the open-source fan base going to say here? So many times I have read 'blah blah blah wouldn't happen on open source.... open source much better blah blah blah'
Are we going to see some balance from them? Don't think so. And here's the problem - when you are blinded by the wonderfulness of that which you worship, you cannot see the danger. This is true for all diehard fans, be they Linux, Open Source in general, Apple, Microsoft or whatever.
That's why I am a proud agnostic.
Looking at the milw0rm page,
You can see that one of the offending chunks of code is a mindbogglingly stupid hack to get around the fact that all sensible versions of PHP disable the 'register globals' configuration which it would appear that PHPList depends on.
'register globals' was a huge, gaping chasm of a security hole, and pretty symptomatic of the deplorable state of PHP security at the time... re-enabling it to save time updating code was never going to be a good idea.
Ease of coding in PHP, combined with a laissez-faire attitude to security, combined with lazy hacks like this mean that cracking a PHPList installation wide open was only a matter of time. I wonder how well other such flaws in the code have been sorted out; the 'patch' issued for this one appears to be yet another hack to cover a hack rather than actually fixing the issue at hand.
Personally, I've always treated PHP applications with far more skepticism than their counterparts written in other languages, for reasons much like this.
Stage 2 and following need correcting to
2) Company sues researcher
3) Broke researcher approached by angel who will pay legal fees for peek at problem
Suck this freetards. (Not really)
Just reinforces my comment on another thread to a freetard/linux fanboi, there's no such thing as bug free software, patches are required no matter how much you think you don't need them.
Doesn't matter if it's free software, MS software or whatever, it all needs monitoring and regularly updating, even if the software is well written the black hats are always looking for and developing new exploits, it's all part of the game.
Paris, names and phone numbers.
... i thought only ms products had security issues and open source was perfect!
PHP and BB users are well known for their higher than average (in IT) level of stupidity but even after that, parts of this article by El'Reg look like deliberate trolling attempt
No sh!t Sherlock!
Having to register for 300+ websites and having to remember the passwords for all of them is just not feasible for the average mortal.
And yes I know we have password managers, but most people access the internet from many locations so they've still got to remember them.
Until someone comes up with a better method of authentication for the internet, this problem is going to stay.
The best advice I can give people is to use at least a few different passwords, a general one for sites you don't care about and more secure ones for banking etc.
PHP is a tool of the devil.
By Anonymous Coward Posted Thursday 5th February 2009 08:27 GMT
What a load of cobblers. I'm not even going to bother repainting the rest of your idiotic comment on people's monitors.
The ease of use of any programming language or tool has nothing to do with the level of ease by which it can be exploited to do bad things.
Such acts are up to the user of that particular language or tool, and their creativity in developing their exploit.
As such any programming language, tool or system can be attacked and exploited quite easily if they are not supported by timely patching and regular security checks.
Your level of thoughtlessness is disturbing, mister Anonymous.
And all you like minded commenters, You should be ashamed of yourselves.
How do patch a Breach/Tear/Trauma?
"The ease of use of any programming language or tool has nothing to do with the level of ease by which it can be exploited to do bad things." ... By Wortel Posted Thursday 5th February 2009 12:49 GMT
And everything to do with the level of ease by which it can XXXXPloit the Situation to do Any Thing you can Imagine is Real.
An Impregnable Tool in the Weapons Armoury/Future Strategic Logistical Stores.
It's less the fact that they basically shoehorned register globals back on (cock up #1) and more the fact that beyond that, they trusted *all* input from the $_request array as valid without verifying any of it (huge cock up #2) that bit them on the arse.
Oh, and carrying out processing on an admin page before authenticating the user too (cock up #3)...
Three proper schoolboy errors if ever I saw them.
Paris because she knows to check her input and never trust it. Maybe.
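As an added illustration (not PHPList's or phpBB's code) of the three mistakes listed in this comment and the register_globals hack mentioned earlier, here is a constructed PHP admin handler in its unsafe shape beside a defensive one; the subscriber table, parameter names and session layout are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed example: the anti-pattern described above.
function legacy_admin_delete(array $request, ?array $session): string
{
    // #1: re-create register_globals by turning every request parameter
    // into a local variable, so the caller can define $is_admin, $id, ...
    $is_admin = false;
    foreach ($request as $key => $value) {
        $$key = $value;
    }
    // #3: the "authentication" check only runs after the request has
    // already been allowed to overwrite $is_admin.
    if (!$is_admin) {
        return 'denied';
    }
    // #2: $id is taken from the request and interpolated verbatim.
    return "DELETE FROM subscribers WHERE id = $id";
}

// Constructed example: the same action written defensively.
function safe_admin_delete(array $request, ?array $session): array
{
    // 1. Authenticate before doing any work at all.
    if (($session['role'] ?? null) !== 'admin') {
        return ['status' => 'denied'];
    }
    // 2. Read only the one named parameter this action needs and
    //    validate its type and range; nothing else in the request matters.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['status' => 'bad_request'];
    }
    // 3. Bind the value instead of building the query string from it.
    return ['status' => 'ok',
            'sql'    => 'DELETE FROM subscribers WHERE id = ?',
            'params' => [$id]];
}

// Constructed hostile request: smuggles is_admin=1 and a non-numeric id.
$hostile = ['is_admin' => '1', 'id' => '7 OR 1=1'];
echo legacy_admin_delete($hostile, null), PHP_EOL;                // runs as "admin"
print_r(safe_admin_delete($hostile, null));                       // denied
print_r(safe_admin_delete(['id' => '42'], ['role' => 'admin']));  // ok, id bound
```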
Sweet Azathoth's jockstrap, you mean someone now can leave bogus bug reports on phpbb and claim to be someone else? That the actual owner of said phpbb account could be subjected to ridicule by his peers when said bug report is deemed "under-informed" by the cognoscenti?
I can feel the very foundations of civilization crumbling as I type.