[FQuest Security Alert] phpBB


Deb
12-03-2004, 01:58 PM
It has come to our attention that all versions of phpBB prior to phpBB 2.0.11 can be exploited allowing an account to be compromised.

Additional information regarding this exploit may be viewed here:
http://www.securiteam.com/unixfocus/6J00O15BPS.html

Information on upgrading phpBB may be obtained here:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636

Also note:
Though you are welcomed to seek help within these forums, phpBB is not a script written, developed, or maintained by FutureQuest. The best help you can receive for updating this script should be sought after by visiting the phpBB Support Department located at:
http://www.phpBB.com/support/

FutureQuest has scanned the servers for phpBB installations and we have sent individual notices to all site owners of package that were found to contain a phpBB installation with a version prior to phpBB 2.0.11 with details and required actions.

At least one FutureQuest package has already been compromised as a result of this exploit requiring all files to be removed from the account so that it could be reset to an "As New" state.

It is imperative that all site owners keep all scripts installed within their accounts as up to date as possible because the security implications of a compromised account are serious and potentially devastating. This responsibility should never be ignored.

If anyone has a question regarding actions that must be taken, or has a phpBB installation and _did_not_ receive an individual notice at the email address listed as the primary contact for your account please review the above links and/or contact Service@FutureQuest.net with your account details.

Deb
- Knowing is not enough; we must apply. Willing is not enough; we must do.

dank
12-03-2004, 02:57 PM
This really made my day. :( I've got two installs of my own and one for a client to upgrade, with each one being nearly a full day's task due to the mind boggling approach the phpBB folk consistently take with upgrade paths.

Dan

Deb
12-03-2004, 03:03 PM
Originally posted by dank:
This really made my day. :( I've got two installs of my own and one for a client to upgrade, with each one being nearly a full day's task due to the mind boggling approach the phpBB folk consistently take with upgrade paths.

You're not alone :waa:

What I do know is that the site owners who were exploited only wish they would've done the upgrade or switched forums first.... Their "suffering" was worse than the upgrade :(

I wish I had a magic bullet... but I don't :\

Deb
- This now :$

or
- This later :*

dank
12-03-2004, 03:18 PM
It doesn't help that I'm already in a crummy mood to start the day due to finally getting a small flurry of non-fraudulent orders, but then having the legitimate clients be unable to receive my emails (and phone calls) because they're apparently so overwhelmed by spam, my messages can't get through to them, and now they want refunds, to which I can't even reply one way or the other... What the $@%! is this e-world coming to?

Dan

Deb
12-03-2004, 03:21 PM
Originally posted by dank:
It doesn't help that I'm already in a crummy mood to start the day due to finally getting a small flurry of non-fraudulent orders, but then having the legitimate clients be unable to receive my emails (and phone calls) because they're apparently so overwhelmed by spam, my messages can't get through to them, and now they want refunds, to which I can't even reply one way or the other... What the $@%! is this e-world coming to?

Dan

We hear ya.... boy do we hear ya :eeww:

TVB
12-03-2004, 05:01 PM
ooohhh, what a great excuse to finally get rid of a little used forum and free up that database. However, I'd like to import just the user data into our vbulletin install. This includes posts, user names and info.

Any suggestions? I've posted at vbulletin but thought someone here may know as well. In the meantime, I did an upgrade on the previous install.

Betsy

PaulKroll
12-03-2004, 10:11 PM
What the $@%! is this e-world coming to?

It's going to reach the point where e-mail isn't at all useful before it reaches a better point. And we're not there yet, but we're getting closer...

Dan, how about a bookmarkable page for users instead of an e-mail, which can say "add me to your favorites and please check again soon!" and has their ID number so you can show order status there in case their e-mail is busted? (Yes, I know, that's a bunch to code and it assumes some percentage of folks would actually DO both the add to favorites and the checking later... but what else can you do?)

dank
12-03-2004, 10:53 PM
I actually do have order status as part of the osCommerce cart, but I've stopped updating it of late... Might be worth getting back into the habit.

But this particular customer also posted to the [phpBB; just to keep it slightly on-topic :) ] support forum and apparently hasn't bothered checking back there for my response, so it's probably all a moot point. 4-5 emails, 2 phone calls, a forum follow-up, and I'll probably end up with nothing to show for it but a chargeback. :\

Dan

voiceguy
12-13-2004, 06:40 PM
It's kind of late to be jumping in here with this, but I was able to update my copy of PHPbb very easily -- although I had to figure it out on my own (the instructions were non-existent).

If anyone still needs to know how to do this, give a holler and I'll describe the steps.

On a separate thread I have posted a request for comments comparing PHPbb with vBulletin (the software used for this forum), and have gotten an overwhelming response in favor of vBulletin.

GLB

voiceguy
12-14-2004, 02:00 AM
I guess I spoke too soon. Even though I (apparently) successfully updated my installation of PHPbb within hours of receiving the security notice, e-mailed FQ to confirm that I had made the update, and got an acknowledgment ("Thanks for taking care of this so promptly") from FQ, they shut me down anyway.

I can't tell yet whether the update didn't take care of everything, or whether FQ just decided to shut everybody down and ask questions later. Working on getting back on the air right now. . . .

dank
12-14-2004, 02:22 AM
Did you leave an old copy of the install around? That's what I got bit by.

Dan

voiceguy
12-14-2004, 02:29 AM
No, I removed the entire install folder just like the people said to do. As far as I know, I did everything I was supposed to. I even got a nice note from Joseph thanking me for taking care of it so quickly. Guess someone forgot to check with him before they started pulling the plugs.

I assume it will be reactivated eventually. I am not even using the PHPbb installation at the moment, but I can understand the security concerns.

Terra
12-14-2004, 02:43 AM
Even though I (apparently) successfully updated my installation of PHPbb within hours of receiving the security notice, e-mailed FQ to confirm that I had made the update, and got an acknowledgment ("Thanks for taking care of this so promptly") from FQ, they shut me down anyway.

Reference Ticket: 041203-0051

I just went digging through the Service Desk, and it appears that your ticket was in the first response wave we received...

Initially, the FutureQuest Service Team was visiting each of the web sites and looking at the 'displayed' Forum's version number... I just asked Joseph, and your phpBB version was displaying as '2.0.11' so he went ahead and responded to you with the green light...

Later on in the day, after finding some (ummmm) discrepancies, I started going through and validating all of those scripts by hand and ignored the version numbers stored in the phpBB MySQL table...

It appears that something went terribly wrong with your upgrade, because the phpBB 'version' number stored in the MySQL table is '2.0.11', however the 'viewtopic.php' file on your site is still very much exploitable (as I type this)...

Please go back and double check your work as the update is still not in place...

--
Terra
--the response was a bit overwhelming on that day - though mostly all good--
FutureQuest

Jeff
12-14-2004, 02:49 AM
How did you update? Did you use the patch procedure? At first I admit I was silly and ran the upgrade script & the upgrade_to_2011 script in the install folder and thought that was it... then a few minutes later when I looked at the scripts I figured out that those only update the mysql database and you have to run the correct patch files too (patch -cl -d [PHPBB DIRECTORY] -p1 < [PATCH NAME]), and any that error out with "HUNK FAILED" (three of mine did) you either have to diagnose and try again or overwrite with the files from the changed archive. I can't say it was any more difficult than a vBulletin upgrade, since with vBulletin you simply have to overwrite everything and remodify, which is what the changed archive provides anyway.

Terra
12-14-2004, 03:10 AM
Geoff, I was keeping an eye on that file and it is now patched up properly... I have released the phpBB block from your account and your forums should now be active again...

Glad to see that you got the update all sorted out... :)

--
Terra
--one less exploitable phpBB script on the net is a very good thing--
FutureQuest

voiceguy
12-14-2004, 03:16 AM
I hand-nurtured this "upgrade" by manually deleting each previous file and replacing it with the newer one. For some reason, it seemed as though simply over-writing the old file wasn't working -- even after I had apparently done that, the files were still displaying as the September, 2003 versions.

I think everything is in place now, but what a nuisance.

Another reason to vote for vBulletin, to tie in a completely different discussion.

voiceguy
12-14-2004, 03:19 AM
The mySQL Manager pane in the CNC is still showing blocks on all the databases.

Terra
12-14-2004, 03:24 AM
Can you explain a bit more?

I just went into your CNC and the MySQL Account Manager is working properly...

The phpBB block would in no way have affected your MySQL abilities...

--
Terra
--confused--
FutureQuest

voiceguy
12-14-2004, 03:35 AM
Maybe I'm misinterpreting the pane. Under "available databases" there is a red 0. Perhaps "available" means something different from what I would understand it to mean. I am only using one of the six databases shown, but maybe the very fact that they are shown means that they have been provisioned, and therefore no more are "available" beyond those six.

Meanwhile, I guess I'm still puzzled by Unix. The revised phpBB files still show dates of 9/27/03, but when I open them I can see much later dates mentioned in the comments. This is true even with files that I manually deleted and then replaced with new uploads. It's as though the old files are "gone but not forgotten." Not really important, I suppose, but maybe I could have saved myself some work.

Anyway, the forum seems to be functioning.

Terra
12-14-2004, 03:41 AM
shown means that they have been provisioned, and therefore no more are "available" beyond those six.

That is a good way of expressing it... ;)

You have 6 databases already, that were setup by default well before the MySQL Account Manager was released... These are now considered Legacy MySQL activations... Now when a site owner goes to activate their MySQL Account, only 1 database is initially created...

If you delete one of them, you would then have '1' database available for creation... Go ahead and give it a try... :)

If you need more databases, we will be offering extra Databases that you can purchase... Of course Santa is coming soon, and may toss a few extra databases your way... :QTquiet:

--
Terra
--is now going to go pass out--
FutureQuest

TVB
12-14-2004, 03:55 AM
If you need more databases, we will be offering extra Databases that you can purchase... Of course Santa is coming soon, and may toss a few extra databases your way...

Clearing throat...ummm, gosh, I knew there was a reason I was staying up late.

Betsy

voiceguy
12-14-2004, 09:33 AM
shown means that they have been provisioned, and therefore no more are "available" beyond those six. That is a good way of expressing it... ;)

You have 6 databases already, that were setup by default well before the MySQL Account Manager was released... These are now considered Legacy MySQL activations... Now when a site owner goes to activate their MySQL Account, only 1 database is initially created...

It would have been helpful to me -- and therefore I suspect it would be helpful to other customers who are similarly situated -- to include a clearer explanation of what this "available" statistic actually means.

The problem is that the word "available" is relatively ambiguous in this setting. On the one hand, it could mean "available for use" (the meaning I ascribed to it), such that the figure 0 would mean "none of your databases can be used right now; they are not available." On the other hand, it could mean "remaining undefined databases" (the meaning it apparently has in FutureQuest's world), such that the figure 0 simply means "number of additional database line items you can add to those already shown below." Perhaps I would have been less alarmed by the statistic if it had not appeared in red and bold, as if something was wrong. Nothing was wrong, in fact; everything was perfectly normal for someone with a plan that includes 6 defined databases as part of the base charge.

I would encourage you to consider using a word (or phrase) different from "available" in this control panel, and to add a sentence or two explaining the meaning of that figure. (By this I mean an actual example -- for instance, stating that those who had previously had a certain number of databases provisioned would show zero "available" but all the provisioned databases would be listed.) I would also urge you to consider presenting the figure "0" in plain text, rather than bold red, so that no one would be psychologically conditioned to assume that there was a problem when they see the red figure.

If you need more databases, we will be offering extra Databases that you can purchase... Of course Santa is coming soon, and may toss a few extra databases your way...
Oh, boy -- I can add a Movable Type blog function and really have fun with security/server load issues. :dopey:

Deb
12-14-2004, 11:00 AM
I would encourage you to consider using a word (or phrase) different from "available" in this control panel, and to add a sentence or two explaining the meaning of that figure. (By this I mean an actual example -- for instance, stating that those who had previously had a certain number of databases provisioned would show zero "available" but all the provisioned databases would be listed.) I would also urge you to consider presenting the figure "0" in plain text, rather than bold red, so that no one would be psychologically conditioned to assume that there was a problem when they see the red figure.

Available Databases:

Has Been Changed To:

Uncreated Databases:

The helpful hint now reads:

Uncreated Databases: The number of databases available that have not yet been created.

To be complete we have also changed:

Active Databases:

To:

Named Databases:

The helpful hint now reads:

Named Databases: The number of databases that have been created (not necessarily in use).

0 has been changed to 0

Let us know if that helps the next time you're reviewing the MySQL Account Manager and thank you for taking the time to share the problem in that area with usability :smile:

Deb
- :QTpaint:

voiceguy
12-14-2004, 12:58 PM
Deb,

Those changes ought to improve comprehensibility for people like me.

By the way, how many of those pictured animals do you actually have? (We have six dogs and four parrots, including an African grey, which is why I ask.)

G

Terra
12-14-2004, 12:59 PM
By the way, how many of those pictured animals do you actually have?

*cough*www.picolio.com*cough* :QTcrazy:

--
Terra
--Oy, it's a regular zoo it is--
FutureQuest

voiceguy
12-14-2004, 01:10 PM
--Oy, it's a regular zoo it is--

No kidding. :smile:

Deb
12-14-2004, 02:18 PM
Those changes ought to improve comprehensibility for people like me.

Great :)

By the way, how many of those pictured animals do you actually have?

As Terra alluded to, all of the ones pictured are here.... and to be specific the list goes something like this .... Two dogs, one cat, two fancy mice, two gerbils, one husband, three bearded dragons, five fire bellied toads, over a thousand gallons worth of fish tanks, three teenagers, ten thousand gallons worth of ponds, eight hundred gallons worth of turtle tubs, about 30 turtles, and the two parrots. Plus a puppy that's coming home on Christmas eve.

Deb
- Petting zoo you mean :P

MarkM
12-14-2004, 04:21 PM
Two dogs, one cat, two fancy mice, two gerbils, one husband, three bearded dragons, five fire bellied toads

...and a partridge in an avocado, er pear tree :smile:

Mark

TVB
12-14-2004, 05:11 PM
...and a partridge in an avocado, er pear tree

You had it right the first time, Mark.


http://www.aota.net/forums/showthread.php?postid=116880#post116880

Betsy
--the less grounded one

MarkM
12-14-2004, 05:48 PM
Now ain't it interesting what becomes of putting a whole lotta things together in one song, package deal, or household for a seasonal get-together....:QTparty:

Mark

cindik
12-14-2004, 10:15 PM
Now ain't it interesting what becomes of putting a whole lotta things together in one song, package deal, or household for a seasonal get-together....:QTparty:

Mark

Improvisors know about this.

It's called "group mind". :crazy:

cindik
12-16-2004, 06:23 AM
speaking of improvisors, my favorite improv forum (phpBB-based) was compromised. They're using v 2.0.6. I warned them about the risk on 12/3. ::sigh::

MarkM
12-16-2004, 07:11 AM
Group mind (thanks for the def.) focus of attention can be an uplift to spirits, a powerful tool, a great diversion, or a twisted, perverted form of human interactive sociability.

Mark

voiceguy
12-22-2004, 01:43 PM
Those who wondered what the big deal was should read this (from the Educause newsletter):
SANTY WORM USES GOOGLE SEARCH
A new Internet worm called Santy (for Net-Worm.Perl.Santy.A) uses the Google search feature to find sites running unpatched versions of the phpBB Web forum software. The worm overwrites files to deface the forums. By targeting phpBB, the worm has caused major problems for businesses that use the software to handle customer-service and other support functions. Security research-based Kaspersky Lab called the worm "extra tricky" because the files on the server it replaces with its own code then infect other sites using the same host. The lab's advisory carries a Red Alert rating. Support forum administrators for phpBB advised users to upgrade to the newest release of the software immediately.
eWeek, 21 December 2004
http://www.eweek.com/article2/0,1759,1744722,00.asp

Randall
12-22-2004, 07:05 PM
As soon as I read voiceguy's post, I was expecting this: Google squashes Santy worm (http://news.com.com/2100-7349_3-5500265.html?type=pt&part=inv&tag=feed&subj=news). Wouldn't it be nice if all viruses could be cut off at the knees like that?

Wonder how long before Santy.B appears, without the convenient choke point? :(

Randall

kitchin
12-22-2004, 11:41 PM
Wouldn't it be nice if all viruses could be cut off...

WinXP SP2 has automatic updates enabled by default, if that is the issue (and if I recall correctly, lol). :hrmm:

MarkM
12-23-2004, 01:24 PM
How to avoid being damaged by the phpBB worm (http://www.vbulletin.com/forum/showthread.php?p=782206#post782206)
Announcement posted by Kier...
"While vBulletin itself is not vulnerable to attack, if your vBulletin is installed on a shared server that also hosts vulnerable phpBB boards, you could find that your board suffers collateral damage from the phpBB attacks.

If the phpBB vulnerability is attacked, it will attempt to replace every .htm, .php and .asp file with a defaced version.

If your vBulletin could possibly be installed on a server also hosting vulnerable phpBB boards, we would recommend that you take a few moments to ensure that your script files are not globally writable....

sheila
12-23-2004, 05:47 PM
If your vBulletin could possibly be installed on a server also hosting vulnerable phpBB boards, we would recommend that you take a few moments to ensure that your script files are not globally writable....

Fortunately for FutureQuest site owners, the php files within your account are not world-writeable, thanks to Secure_Mode(TM) (http://www.futurequest.net/Safe_Mode_Off.php). The files within your account would only be writable by your own userID/usergroup.
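Kier's advice quoted above, checking that the script files on a shared host are not globally writable, as an added shell example; it is not code from the thread, vBulletin or FutureQuest. It looks only at the three file types the announcement names (.php, .htm, .asp), uses POSIX find/chmod, and the document-root path is the caller's assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit a web document root for script
# files that are world-writable (the condition that lets a worm running as
# another user on a shared host overwrite them) and optionally clear the
# other-write bit. Path argument is the caller's assumption.

# Print every world-writable .php/.htm/.asp file under $1, one per line.
list_world_writable_scripts() {
    # -perm -002: the "others may write" bit is set (octal form is portable).
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.asp' \) \
        -perm -002 -print
}

# Number of such files, as a bare integer on stdout.
count_world_writable_scripts() {
    list_world_writable_scripts "$1" | wc -l | tr -d ' '
}

# Clear only the other-write bit on the offending files. Owner and group
# bits are left alone, so the account's own userID (which suexec and
# Secure_Mode run the site's code under, per the thread) keeps write access.
fix_world_writable_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.asp' \) \
        -perm -002 -exec chmod o-w {} +
}

# Report-only audit: exit status 0 when clean, 1 when anything is exposed.
# Useful as a recurring check after each forum upgrade, when freshly
# uploaded files arrive with whatever mode the upload client chose.
audit_scripts() {
    n=$(count_world_writable_scripts "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: no world-writable script files under $1"
        return 0
    fi
    echo "WARNING: $n world-writable script file(s) under $1:"
    list_world_writable_scripts "$1"
    return 1
}

# Example invocation (report first, fix only if the audit flags something):
#   audit_scripts /home/example/public_html/forum || \
#       fix_world_writable_scripts /home/example/public_html/forum
```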

MarkM
12-23-2004, 06:41 PM
I am counting my blessings and will add Future Quest Secure_Mode(TM) to the list.

gracias Futuro Questus

Mark

Charles Capps
12-23-2004, 07:38 PM
Will Secure_Mode protect against this, though? The actual nasty bit of the worm is a Perl script, not a PHP script... and to the best of my knowledge, the script won't be running under the protection of suexec.

sheila
12-23-2004, 08:03 PM
Will Secure_Mode protect against this, though? The actual nasty bit of the worm is a Perl script, not a PHP script... and to the best of my knowledge, the script won't be running under the protection of suexec.

Oh, I forgot about the Perl script part. Hmm.

Nevertheless, FutureQuest sites are well protected.

If the code is running as a result of being invoked by PHP, then it is still running under the site's ID (not the web server's ID), because of Secure_Mode.

OTOH, if the code is running as cgi script, then it is running under suexec, and again, under the site's ID.

No executable code on your site will run under the web server's ID. It will either run as CGI (suexec) or PHP Apache module (Secure_Mode). Both of these run the code in question under the site's ID and not the web server's.

SteveYoung
12-24-2004, 11:04 AM
After a few hours of searching with no answer, this is the best place I could find to ask this question. I always hate to impose, sorry if I am.
:blush:
My error log file shows:
"[error] (13)Permission denied: could not open FQcgi log file /var/apache/logs/suexec/cgi.log"
I will get 10 to 50 of them over a period of 5 to 20 minutes every hour.

What is going on?

Steve