[nycphp-talk] php bulletin boards
jperkins at sneer.org
Mon Jan 3 21:04:49 EST 2005
On Jan 3, 2005, at 4:58 PM, Steve Manes wrote:
> Yury Rush wrote:
>> Hi -- there was an exploit a few weeks ago that affected phpBB
>> thousands were hacked via a worm that found phpBB sites using google's
> That exploit is actually a bug in PHP's unserialize(), not PHPBB.
> There are several exploits in 4.3.9 and 5.0.2:
The Sanity phpBB worm used the phpBB Highlight Vulnerability which has
nothing to do with the unserialize vulnerability. As (only) Derick
Rethans could put it:
"Everybody who thinks that the Santy.A worm uses one of the security
problems addressed in PHP's latest bugfix releases is wrong. It was NOT
due to any bug in PHP, but merely a badly checked input variable which
was passed to preg with the /e modifier. Besides this, phpBB is also
vulnerable for some of the things addressed by PHP's new releases. But
they are wrong saying that it is not their fault. Not-checked usage of
serialized data is still their problem. Short version: use FUDforum."
More info at:
This isn't to chastise Steve - phpBB rushed with the story that it
wasn't their fault.
Jason N Perkins
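As an added illustration of the bug class the post describes (not phpBB's or PHP's own code): a badly checked input variable reaching preg_replace() with the /e modifier, beside a rewrite that needs no /e. The function names, the "check", and the sample inputs are all constructed for this example; the only real behaviour relied on is that /e makes PHP evaluate the replacement string (with "return " prepended) once per match. The /e modifier was deprecated in PHP 5.5 and removed in 7.0, so the vulnerable function only behaves as shown on a PHP 5.x interpreter.

```php
<?php
// Added example, not code from phpBB or from the original post.
// highlight_vulnerable(), highlight_safe(), wrap_if_match() and the
// sample inputs below are constructed for illustration.

// Vulnerable form. The check rejects a quote in the raw parameter, but the
// value is urldecode()'d afterwards, so an encoded quote (%27) passes the
// check and is decoded into the string that /e hands to eval().
function highlight_vulnerable($message, $highlight_param) {
    if (strpos($highlight_param, "'") !== false) {
        return $message;            // the check, done too early to matter
    }
    $highlight = urldecode($highlight_param);
    // With /e, PHP evaluates "return <replacement>;" for every match after
    // substituting \1. $highlight is spliced straight into that PHP code.
    return preg_replace(
        '#\b(\w+)\b#e',
        "wrap_if_match('\\1', '$highlight')",
        $message
    );
}

function wrap_if_match($word, $highlight) {
    return strcasecmp($word, $highlight) === 0 ? "<b>$word</b>" : $word;
}

// Hardened form: no /e, the highlight words are preg_quote()'d so they can
// only ever be literal text in the pattern, and the replacement is produced
// by a callback, never by evaluating a string.
function highlight_safe($message, $highlight_param) {
    $words = array_filter(explode(' ', trim($highlight_param)), 'strlen');
    if (!$words) {
        return $message;
    }
    $quoted  = array_map(function ($w) { return preg_quote($w, '#'); }, $words);
    $pattern = '#\b(' . implode('|', $quoted) . ')\b#i';
    return preg_replace_callback($pattern, function ($m) {
        return '<b>' . htmlspecialchars($m[1], ENT_QUOTES) . '</b>';
    }, $message);
}

// Constructed inputs. The second parameter carries only encoded quotes, so
// it passes the check; after urldecode() the evaluated code per match is
//   return wrap_if_match('hello', 'x') . strtoupper(' injected') . ('');
// i.e. attacker-chosen PHP (here a harmless strtoupper) runs and alters the
// result. A real payload would put system() or similar in the same slot.
$message = 'hello world';
echo highlight_vulnerable($message, 'world'), "\n";   // hello <b>world</b>
echo highlight_vulnerable($message, "x%27) . strtoupper(%27 injected%27) . (%27"), "\n";
                                                      // hello INJECTED world INJECTED
echo highlight_safe($message, "x') . strtoupper(' injected') . ('"), "\n";
                                                      // hello world  (nothing evaluated)
echo highlight_safe($message, 'world'), "\n";         // hello <b>world</b>
```

The point of the hardened version is not the quote check but the removal of the eval path: once the replacement is built by a callback and the user's words are preg_quote()'d, there is no string the attacker can break out of, and the check on the raw parameter (which was the badly checked part) becomes irrelevant to code execution.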