Tuesday, February 8, 2005

phpBB site compromised

Due to the recent issue identified with AWStats, the phpBB site has been defaced. They were using the update from web option, like all of the other systems that had AWStats with this option enabled. I can't see why people use this option anyway, since I use a cron entry to run mine automatically.

Unless you really need to give people access to your stats, use a .htaccess file to block access to the public. With that in place, even if you had the update from web option enabled, nobody would have been able to exploit the vulnerability.
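The two conditions described above (the update from web option enabled, and no access control in front of the stats CGI) can be checked with a short audit script. This is an added example, not code from the original post or from the AWStats project; `AllowToUpdateStatsFromBrowser` is the AWStats directive for this option, and the function names and directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: audit AWStats configs for the exposure discussed in the post.
# Fix for any EXPOSED line: set AllowToUpdateStatsFromBrowser=0, update from
# cron instead (awstats.pl -config=NAME -update), and restrict the CGI dir.

# Print the effective AllowToUpdateStatsFromBrowser value (0 or 1) of one file.
# Commented-out lines are ignored; an absent directive counts as 0 (disabled).
# Assumption: if the directive is repeated, the last occurrence is used.
awstats_update_from_web() {
    val=$(sed -n 's/^[[:space:]]*AllowToUpdateStatsFromBrowser[[:space:]]*=[[:space:]]*"\{0,1\}\([01]\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-0}"
}

# Succeed if DIR holds a .htaccess with an access-control directive other than
# "Require all granted". Heuristic only: Apache ignores .htaccess unless
# AllowOverride permits it, so confirm with a request from outside.
cgi_dir_restricted() {
    [ -f "$1/.htaccess" ] &&
        grep -Ei '^[[:space:]]*(Require|AuthType|Deny[[:space:]]+from)' "$1/.htaccess" |
        grep -Eivq 'all[[:space:]]+granted'
}

# Audit every awstats*.conf in CONF_DIR against CGI_DIR.
# Prints OK, RESTRICTED or EXPOSED per config; returns 1 if any is EXPOSED.
audit_awstats() {
    conf_dir=$1 cgi_dir=$2 rc=0
    for f in "$conf_dir"/awstats*.conf; do
        [ -f "$f" ] || continue
        if [ "$(awstats_update_from_web "$f")" = 1 ]; then
            if cgi_dir_restricted "$cgi_dir"; then
                echo "RESTRICTED $f (update from web on, access limited)"
            else
                echo "EXPOSED $f (update from web on, no access control)"
                rc=1
            fi
        else
            echo "OK $f"
        fi
    done
    return $rc
}

# Stand-alone use: ./audit.sh CONF_DIR CGI_DIR
if [ $# -eq 2 ]; then
    audit_awstats "$1" "$2"
fi
```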

Luckily, most of the people that had problems had backups of their data, but it has still cost them a lot of time. In light of the recent issues with phpBB and the worms that were developed to exploit bugs within it, combined with the fact that the actual phpBB site was defaced via a security issue with AWStats that was three weeks old, one has to ask: does the phpBB team need to get their act together with regard to security?

See the story on Netcraft.

Post ID: 658, posted by jase at 11:43 PM