[Security] phpBB 3.2.2 Packages Compromised

Martin
Founder
Posts: 1100
Joined: Sun May 24, 2015 3:14 pm

Post by Martin » Mon Jan 29, 2018 1:38 pm

Post by Marshalrusty » Sat Jan 27, 2018 2:57 am

Earlier today, we identified that the download URLs for two phpBB packages available on phpBB.com were redirecting to a server that did not belong to us. We immediately took down the links and launched an investigation.

The point of entry was a third-party site. Neither phpBB.com nor the phpBB software were exploited in this attack.

If you downloaded either the 3.2.2 full package or the 3.2.1 -> 3.2.2 automatic updater package between the hours of 12:02 PM UTC and 15:03 PM UTC on January 26th, you received an archive modified with a malicious payload.

During the course of our investigation, we were able to take steps that should render the malicious code completely inoperable. However, in the unlikely event that multiple versions of the packages exist or that something was missed, we are choosing to leave nothing to chance.

As the packages were live for only three hours, we believe that a very small number of users are affected. We therefore ask that you perform the following steps so that we may render personalized assistance:

- If you believe that you have a malicious package, please email it to security@phpbb.com so that we can check it against the version we obtained. We will likewise let you know if it is affected. You may also use the SHA256 checksum found on the downloads page to verify its validity. Do not use the potentially affected package.
- If you have already used the package to install or update a phpBB forum, please file an incident report on our tracker and we will assist with removal of the malicious code.

The downloads currently available on the downloads page are safe. If you have any doubts whatsoever, download a fresh copy.

Our investigation is ongoing and we will provide additional information as it becomes available.

Double posted the time between posts was 22 seconds:
Hello everyone,

We are continuing our investigation, but are ready to provide some additional information to keep you informed.

The modified packages we obtained contain a section of malicious code that attempts to load JavaScript from a remote source. At this time, we are in control of the domain names that would be hosting that JavaScript, rendering the code harmless.

We can additionally say that due to the limited window during which the packages were live, we estimate the total number of affected downloads does not exceed 500.

Further information will follow as it becomes available.

Thank you,

The phpBB Team

Double posted the time between posts was 36 minutes 34 seconds:
This board has clean files as of 14/01/18 :rock:

Save page loads and make pages shorter find it here. Show user sig once in a page
Use this to install an ext on your board no more ftp or path making.
Path to install this ext is ext/boardtools/upload https://www.phpbb.com/community/viewtop ... #p13700571
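
The checksum check the announcement recommends, as an added example that is not part of the original post or phpBB's own tooling: it hashes a downloaded archive, compares it with the SHA256 value copied from the downloads page, and flags a mismatch whose file timestamp falls inside the stated window. The year 2018 (taken from the post date), the use of file mtime as a stand-in for download time, and all function names are assumptions.

```python
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone

# Window from the announcement: 12:02 to 15:03 UTC on January 26th.
# Assumption: year 2018, inferred from the date of the post.
WINDOW_START = datetime(2018, 1, 26, 12, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2018, 1, 26, 15, 3, tzinfo=timezone.utc)

def sha256_file(path, chunk=1 << 20):
    """Hash the archive in chunks so large packages need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_published(text):
    """Accept a bare digest or a 'digest  filename' line pasted from a web page."""
    parts = text.split()
    token = parts[0].lower() if parts else ""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a SHA256 hex digest")
    return token

def triage(path, published):
    """Return 'ok', 'mismatch', or 'mismatch-in-window' for one archive."""
    actual = sha256_file(path)
    if hmac.compare_digest(actual, parse_published(published)):
        return "ok"
    # Assumption: mtime approximates download time (copying may reset it).
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    return "mismatch-in-window" if WINDOW_START <= mtime <= WINDOW_END else "mismatch"

def demo():
    """Constructed stand-in files, not real phpBB packages."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "good.zip"), os.path.join(d, "bad.zip")
    for path, data in ((good, b"constructed clean archive"),
                       (bad, b"constructed modified archive")):
        with open(path, "wb") as f:
            f.write(data)
    ts = datetime(2018, 1, 26, 13, 0, tzinfo=timezone.utc).timestamp()
    os.utime(bad, (ts, ts))  # pretend it was fetched inside the window
    published = sha256_file(good).upper() + "  package.zip"
    return triage(good, published), triage(bad, published)

if __name__ == "__main__":
    print(demo())
```

Any result other than "ok" means the archive should not be installed; the announcement asks that such a file be emailed to security@phpbb.com instead.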

NAPWR
Vip
Posts: 103
Joined: Fri Dec 29, 2017 12:47 am

Re: [Security] phpBB 3.2.2 Packages Compromised

Post by NAPWR » Sat Feb 24, 2018 6:30 pm

Bravo Team :cool:

lindseynicole010
Member
Posts: 1
Joined: Thu Mar 15, 2018 4:52 am

Re: [Security] phpBB 3.2.2 Packages Compromised

Post by lindseynicole010 » Thu Mar 15, 2018 4:53 am

Thanks

kelly
Moderator
Posts: 30
Joined: Fri May 04, 2018 6:13 pm

Re: [Security] phpBB 3.2.2 Packages Compromised

Post by kelly » Fri May 04, 2018 6:23 pm

Thanks xxx
Kelly xxx