PHPBB Forum Hacked

Post by dcuny » Sat Feb 07, 2009 8:25 pm

Apparently, they got hit with a day 0 exploit, and all the passwords on their site got posted. Good grief... Don't these people just hash the passwords and store that instead? :evil:

Of course, no one would use the same password on that site on other sites, would they? :(
dcuny
 
Posts: 2902
Joined: Fri May 21, 2004 6:07 am

Re: PHPBB Forum Hacked

Post by sascha » Sun Feb 08, 2009 8:46 pm

Good grief... Don't these people just hash the passwords and store that instead?

Of course phpBB stores just a hash of the password (and AFAIK always did). The problem is that this doesn't really help against dictionary attacks - you can hash the entire dictionary in a blink of an eye and run that against the password-database, yielding the cleartext passwords for every hit.
Unfortunately people who are naive enough to use passwords that are vulnerable to dictionary attacks would probably also use the same password for their email accounts, system accounts, online-banking accounts and god knows what else :?

Anyway, direct access to the phpBB database doesn't sound all too comforting. Do you know which versions are affected?
sascha
Site Admin
 
Posts: 2792
Joined: Thu May 20, 2004 9:16 am
Location: Austria

Re: PHPBB Forum Hacked

Post by dcuny » Sun Feb 08, 2009 10:31 pm

The last time I checked, their site was still in maintenance mode. :|
dcuny
 
Posts: 2902
Joined: Fri May 21, 2004 6:07 am

Re: PHPBB Forum Hacked

Post by sascha » Mon Feb 09, 2009 12:27 am

phpBB.com wrote:We are sorry to report that we have been attacked through a 0-day-exploit in our PHPList installation (responsible for the mailing list about new releases). phpBB.com will remain unavailable while we work to recover. No vulnerabilities have been found in the phpBB software itself.

All-clear then...
sascha
Site Admin
 
Posts: 2792
Joined: Thu May 20, 2004 9:16 am
Location: Austria

Re: PHPBB Forum Hacked

Post by sascha » Thu Apr 09, 2009 3:19 pm

sascha wrote:Of course phpBB stores just a hash of the password (and AFAIK always did). The problem is that this doesn't really help against dictionary attacks

:oops: That's not entirely correct. See http://en.wikipedia.org/wiki/Rainbow_ta ... bow_tables
So using a salt will make the dictionary attack much slower.
sascha
Site Admin
 
Posts: 2792
Joined: Thu May 20, 2004 9:16 am
Location: Austria
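
An added example illustrating the hashing and salting points raised in this thread (it is not code from any poster or from phpBB): the same weak password stored as a plain fast digest versus a per-user salted PBKDF2 record. The account names, wordlist, SHA-256 as the unsalted digest and the iteration count are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts that picked the same weak password.
USERS = {"alice": "sunshine", "bob": "sunshine"}
WORDLIST = ["password", "letmein", "sunshine"]  # constructed mini dictionary
ITERATIONS = 200_000  # assumed work factor for PBKDF2-HMAC-SHA256


def unsalted(password: str) -> str:
    """Plain fast digest with no salt (SHA-256 chosen here as an assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str) -> tuple[bytes, bytes]:
    """Salted, deliberately slow hash: returns (salt, derived_key)."""
    salt = os.urandom(16)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def precomputed_hits(stored: dict[str, str]) -> list[str]:
    """Accounts whose unsalted digest appears in a table built once from WORDLIST."""
    table = {unsalted(w) for w in WORDLIST}
    return sorted(user for user, digest in stored.items() if digest in table)


def demo() -> dict:
    weak_db = {u: unsalted(p) for u, p in USERS.items()}
    strong_db = {u: make_record(p) for u, p in USERS.items()}
    return {
        "unsalted_equal": weak_db["alice"] == weak_db["bob"],
        "table_hits": precomputed_hits(weak_db),
        "salted_equal": strong_db["alice"][1] == strong_db["bob"][1],
        "verify_ok": verify("sunshine", strong_db["alice"]),
        "verify_bad": verify("letmein", strong_db["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

With unsalted digests one table built once matches every account that shares a listed password; with per-user salts the two records differ, so each record has to be tested separately at the cost of the full iteration count per guess.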

