phpBB Weekly

You may have noticed that since late Saturday night/early Sunday morning (depending on your timezone), phpBB.com has been down. According to this post from Yuriy Rusko (Marshalrusty), a hacker utilized a vulnerability in PHPList to gain unauthorized access to phpBB.com and take down the phpBB.com website. PHPList is used by the phpBB teams for their opt-in mailing list which they use to send out e-mail notifications of new phpBB releases. The PHPList vulnerability was patched in a version 2.10.9 security release which was put out on Thursday morning. The teams had not updated their installation of PHPList during the three days after the 2.10.9 release, and as a result, an attacker was able to use that info to access the phpBB.com Database, including the database for the community forums.

David really wanted us to be able to do a special mid-week episode of phpBB Weekly to cover the outage, but unfortunately life is busy for us and so we will not be able to do so. However, we will be having a very comprehensive discussion of the outage on Saturday’s episode of phpBB Weekly, including a discussion with one or more team members on the issues behind this outage.

Until then, please read the post for more details, including some important warnings if you have not logged in on phpBB.com since March 2007 (before phpBB.com was upgraded to phpBB3) concerning your password security. Support is temporarily available on the Area51 forums. And the next time we tell you to be prompt in keeping your software up-to-date, remember this as a very good reason why you should do so.