OBSOLETE -- See http://ist.uwaterloo.ca/security/vulnerable/20050316.shtml

16-Dec-2004/16-Mar-2005

Name: phpBB 2.0.11 upgrade required
Vulnerability: web server compromise
Risk: Critical (active)

phpBB is an open source bulletin board system built on Apache/PHP. Versions earlier than 2.0.11 on all platforms are easily compromised, and we have seen several compromises. Version 2.0.11 was released on 18-Nov-2004, a subsequent reminder to upgrade was issued 04-Dec-2004, and CERT Technical Cyber Security Alert TA04-356A was issued 21-Dec-2004. See

http://www.us-cert.gov/cas/techalerts/TA04-356A.html
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=244451
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636
http://www.us-cert.gov/cas/bulletins/SB04-336.html#phpbb

This is a serious issue -- it's trivial to compromise a vulnerable system. We've seen backdoors installed and attacks launched from compromised servers. Web server defacements are apparently common.

Recommendation:

1) If you are running any phpBB service on a version earlier than 2.0.11 then you *must* upgrade -- your system can be compromised. If you are unable to upgrade you should disable the phpBB service.

2) You should know that many sites at UW will let arbitrary users install PHP services, including phpBB. Often these are not well supported. You should review your policy -- it is not prudent to let arbitrary users install PHP services and complicated services like phpBB.

3) You should know that there are also underlying problems with Apache/PHP -- confirm that you are running version 4.3.10 or 5.0.3 of PHP.

If you have any questions/concerns or need help please let us know.

I am,

Reg Quinton
Senior Technologist, Security
Information Systems and Technology
University of Waterloo, 200 University Ave W
Waterloo, Ontario N2L 3G1 Canada
+1 519 888-4567x36070

http://ist.uwaterloo.ca/security/vulnerable/20041216.note
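A small check for the minimum versions this notice names (phpBB 2.0.11, PHP 4.3.10 or 5.0.3), added here as an example and not part of the original notice. It compares versions numerically rather than as strings, because a string comparison wrongly treats "2.0.9" as newer than "2.0.11"; the local PHP check assumes a `php` binary on the PATH, and the phpBB version string is supplied by the administrator.

```python
"""Check a host against the phpBB / PHP minimums from the 16-Dec-2004 notice."""
import re
import subprocess

# Minimum fixed releases named in the notice.
PHPBB_MIN = (2, 0, 11)
PHP_MIN_BY_MAJOR = {4: (4, 3, 10), 5: (5, 0, 3)}


def parse_version(text):
    """Return the first dotted version number in text as a tuple of ints.

    Tuples compare numerically, so (2, 0, 9) < (2, 0, 11) as intended,
    whereas the strings "2.0.9" and "2.0.11" compare the wrong way round.
    """
    match = re.search(r"\b(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def phpbb_needs_upgrade(version_text):
    """True if the phpBB version is older than 2.0.11."""
    return parse_version(version_text) < PHPBB_MIN


def php_needs_upgrade(version_text):
    """True if PHP is older than 4.3.10 (4.x branch) or 5.0.3 (5.x branch).

    Accepts a raw `php -v` line such as "PHP 4.3.9 (cli) (built: ...)".
    Majors below 4 predate both fixed releases; majors above 5 postdate them.
    """
    version = parse_version(version_text)
    major = version[0]
    if major in PHP_MIN_BY_MAJOR:
        return version < PHP_MIN_BY_MAJOR[major]
    return major < 4


def check_local_php():
    """Run `php -v` on this host and report whether PHP needs upgrading."""
    result = subprocess.run(["php", "-v"], capture_output=True, text=True, check=True)
    return php_needs_upgrade(result.stdout.splitlines()[0])


if __name__ == "__main__":
    print("PHP needs upgrade:", check_local_php())
```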