WHID 2009-18: phpBB web site hacked using LFI

Updated: 
5 February 2009
Attack Information
WHID ID: 
2009-18
Date Occured: 
1 Feb 2009
Attack Method: 
Outcome Information
Target Information
Attacked Entity Field: 
Technology

phpBB was known for years as one of the most insecure software packages out there. It was responsible for one of the first application-layer worms, Santy, back in 2004. How ironic, then, that its own web site was seriously breached due to a vulnerability in another software package it used...

The culprit was an LFI (Local File Inclusion) vulnerability in PHPlist, an application for managing newsletters, which enabled the attacker to grab the phpBB user list. Another researcher claims that this is not an LFI but a super-globals overwrite, which is nevertheless still used to include files.

However, phpBB is not entirely off the hook, as the phpBB team admits. The stolen files included only hashed passwords; however, the phpBB 2 hash was unsalted, and the attackers successfully brute-forced 28,000 passwords. While phpBB 3, which is used on the phpBB site, uses better password hashing, the upgrade procedure did not upgrade existing users' hashes but waited for their first login to do so. Anyone who had not logged in to the web site since the upgrade still had a weakly hashed password in the database.
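The lazy-upgrade problem described above is easy to reproduce in a few lines. The following is an added example, not phpBB's or PHPlist's code: it uses a constructed user table with unsalted MD5 digests standing in for phpBB 2 rows and salted PBKDF2 standing in for phpBB 3's stronger scheme (the real phpBB 3 format differs; the `$pbkdf2$` record layout, the `force_reset` marker and the sample accounts are all assumptions). It shows why unsalted hashes are weak (two users with the same password share one digest, so one guess cracks both), how rehashing on login leaves dormant accounts exposed, and the audit a site owner would want after such an upgrade.

```python
import hashlib
import hmac
import os

MODERN_PREFIX = "$pbkdf2$"     # assumed record marker, not a phpBB format
RESET_MARKER = "!reset-required"


def legacy_hash(password):
    """Unsalted MD5 as phpBB 2 stored it: same password -> same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def modern_hash(password, salt=None, rounds=100_000):
    """Salted, iterated hash standing in for phpBB 3's scheme (assumption)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{MODERN_PREFIX}{rounds}${salt.hex()}${dk.hex()}"


def is_legacy(stored):
    """A bare 32-hex-character digest is an un-upgraded phpBB 2 style row."""
    return not stored.startswith(MODERN_PREFIX) and len(stored) == 32


def verify(stored, password):
    """Check a password against either record type; reset rows never verify."""
    if stored == RESET_MARKER:
        return False
    if is_legacy(stored):
        return hmac.compare_digest(stored, legacy_hash(password))
    _, _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample table (not real phpBB data).
USERS = {
    "alice": legacy_hash("correct horse"),   # legacy, active user
    "bob": legacy_hash("correct horse"),     # legacy, same password, dormant
    "carol": modern_hash("hunter2"),         # already upgraded
}


def login(users, name, password):
    """The lazy upgrade: rehash a legacy row only after a successful login."""
    stored = users.get(name)
    if stored is None or not verify(stored, password):
        return False
    if is_legacy(stored):
        users[name] = modern_hash(password)
    return True


def audit_legacy(users):
    """Accounts still on unsalted MD5: exactly the rows a database dump exposes."""
    return sorted(name for name, h in users.items() if is_legacy(h))


def force_reset(users, names):
    """Invalidate legacy hashes outright so a dump of them is useless."""
    for name in names:
        users[name] = RESET_MARKER
```

Running `audit_legacy` right after the upgrade would have shown every dormant account still carrying a crackable digest; the fix is to rehash or invalidate those rows immediately rather than waiting for a login that may never come.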

A very detailed report of the incident by the hacker sheds light on how such hacks are carried out, including what the hacker went after and his exploitation techniques. The hacker found the exploit on milw0rm, a well-known exploit repository, showing that public disclosure of vulnerabilities has its price, especially when it precedes the release of the patch.

A copy of the report in case the original disappears can be found here.