» Topic:  Exploit Targets New phpBB Security Hole

» Added by:  Rich Miller

» Date:  22.12.2005

  An exploit has been released for a new security hole in phpBB, the popular web forum software. The attack has the potential to compromise any phpBB installation that has enabled the use of HTML in forum messages, a setting which is disabled in the default configuration.

Allowing HTML in forms poses a security risk, but is popular with forum participants and thus may be activated by some web site operators. The vulnerability in version 2.0.18 was was featured on security sites Monday, and exploit code is now in the wild, according to the Internet Storm Center, which noted that "an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users." The exploit can be defended if phpBB's "Allow HTML" and register_globals settings are both disabled

Some web hosts have banned the use of phpBB, citing ongoing security problems. Hackers often seek out vulnerabilities in forum software, which typically offers many fields that all must check input to detect malicious code.

PHP, an open source server-side scripting language, is widely used to power web applications that connect with databases such as MySQL, and is commonly bunded with shared hosting accounts offered by web hosting providers. phpBB is among the web's most popular bulletin board programs, with more than 224,000 registered members of its user forum. A number of web hosts offer phpBB as an account add-on that can easily be installed by users.

Source : news.netcraft.com