« PHPBB Server Compromised, Team Apologies | Main | Web Application Security Consortium (WASC) RSA Meetup 2009 »

Attacker flaunts details of phpBB hack

"In a post on Blogger on Saturday, a person who claims to have breached the Web site of open-source online community software phpBB gave a detailed account of how he did it. Using a vulnerability in PHPlist publicly disclosed on January 14, the attacker gained access to the password and configuration files for the server, according to the post. The attack occurred before the PHPlist developers issued a patch for the problem on January 29.

"So I login and see what I can come across, wow 400,000 registered emails, I’m sure that will go quick on the black market, sorry people but expect a lot of spam," the self-proclaimed attacker wrote.

The incident matches the description of the attack posted by administrators of phpBB.com on Monday.

"The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file," the group stated. "He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.""

Read more: http://www.securityfocus.com/brief/902
Additional Information: http://www.cgisecurity.com/2009/02/phpbb-server-compromised-team-apologies.html


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!