Attacker flaunts details of phpBB hack

"In a post
on Blogger on Saturday, a person who claims to have breached the Web
site of open-source online community software phpBB gave a detailed
account of how he did it. Using a vulnerability in PHPlist publicly
disclosed on January 14, the attacker gained access to the password and
configuration files for the server, according to the post. The attack
occurred before the PHPlist developers issued a patch for the problem
on January 29.

"So I login and see what I can come across, wow 400,000 registered
emails, I’m sure that will go quick on the black market, sorry people
but expect a lot of spam," the self-proclaimed attacker wrote.

The incident matches the description of the attack posted by administrators of phpBB.com on Monday.

"The attacker gained entry through the PHPList application and was able
to dump a complete backup of the emails on file," the group stated. "He
then used the same exploit to access the phpBB.com database. Both the
email list from PHPlist and a copy of the phpBB.com users table were
then posted publicly.""

Read more: http://www.securityfocus.com/brief/902
Additional Information: http://www.cgisecurity.com/2009/02/phpbb-server-compromised-team-apologies.html