Hi Missy,

If you haven't already, you may want to go visit phpBB's web site at http://www.phpbb.com/ . There are two relevant issues that you may want to be aware of: 1) the phpBB software had known security vulnerabilities that were addressed in version 2.0.11, which was released back on November 18, and 2) there is a security vulnerability in the underlying php code prior to version 4.3.10, which phpBB is unable to do anything about.

While I don't do anything with phpBB in my work life, I do maintain a web site for an organization outside of work which uses the phpBB software. I upgraded that site's phpBB software from 2.0.5 to 2.0.11 back in early December. This site is hosted on an ISP-provided system, so I have no control over the php software, which, according to the ISP's documentation, is version 4.3.1. I haven't seen any of the activity you're describing, but that doesn't mean I won't!

Good luck,

John Fishbeck
MSU Physical Plant Computer Systems


>>> Missy Koos <[log in to unmask]> 01/24/05 07:54AM >>>
Hi, everyone!

This is more of a web server thing, but I figure some people are maintaining
web servers too, so...

Is anyone else running phpBB?
I've been noticing some odd activity that I think may be a spamming exploit
in the profile.php, but I wanted to see if there is anyone else noticing
people setting up bogus accounts on forums.  The mail from their account
creation bounces back and most of them are less than tasteful account names.

In this I've found that if the profile.php within phpBB cannot find URL
variables then it looks for form variables, which in turn makes it very
vulnerable to XSS (Cross Site Scripting) attacks.  I haven't found any
particular exploits or known vulnerabilities that do exactly what I'm seeing
which is why I think it may be a form of spam exploit.  Or just naughty
people trying to use my server to infect people using the avatar exploit
that also exists in profile.php.

Anyway, anyone else seeing odd mail bounce backs from bogus accounts or
profile.php showing up in the logs with no URL variables attached?


Missy Koos
Webmistress & Database Developer
Student Affairs & Services
Michigan State University

113 Student Services Building
East Lansing, MI  48824
517.355.9510 x138
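As an added example that is not part of either message in this thread, here is a small access-log scanner for the pattern Missy describes: hits on profile.php that carry no URL variables at all, which under the fallback-to-form-variables behaviour she mentions means any parameters arrived in the POST body instead. It assumes the Apache/nginx "combined" log format; the log lines embedded below are constructed sample data, not real traffic, and the per-IP threshold is an assumed tuning knob.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (assumed; adjust if your
# server logs a different layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation IP ranges, not real visitors).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2005:07:40:12 -0500] "POST /forum/profile.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.23 - - [24/Jan/2005:07:41:03 -0500] "GET /forum/profile.php?mode=register HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2005:07:41:30 -0500] "GET /forum/profile.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.23 - - [24/Jan/2005:07:42:00 -0500] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 15322 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Jan/2005:07:43:10 -0500] "POST /forum/profile.php HTTP/1.0" 302 0 "-" "-"
this line is deliberately malformed and must be skipped
""".splitlines()


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if
    the line does not parse. The request target is split into path and
    query string so callers can test for 'no URL variables' directly."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = query
    return rec


def is_profile_hit_without_url_vars(rec):
    """profile.php is normally driven by its query string (e.g. ?mode=register).
    A request with no query string at all is the case the post asks about:
    the script has to fall back to form (POST) variables for its input."""
    return rec["path"].endswith("/profile.php") and rec["query"] == ""


def scan(lines):
    """Walk the log, keep the flagged records and count them per client IP."""
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line, e.g. truncated or not this format
        if is_profile_hit_without_url_vars(rec):
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    return hits, per_ip


def noisy_clients(per_ip, threshold=2):
    """IPs at or above the (assumed) threshold of flagged profile.php hits,
    sorted for stable reporting. Repeated hits from one address are a
    better bogus-registration signal than a single stray request."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["target"]} -> {rec["status"]}')
    print("clients over threshold:", noisy_clients(per_ip))
```

To run it against a real log, replace `SAMPLE_LOG` with `open("access.log")`; the scan only reads the file, so it is safe to point at a live log. Cross-checking the flagged timestamps against the bounce-backs from account-creation mail is the quickest way to confirm whether the two observations line up.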