Musepack Forums (https://forum.musepack.net/index.php)
-   Misc (https://forum.musepack.net/forumdisplay.php?f=10)
-   -   phpBB and its ridiculous vulnerabilities (https://forum.musepack.net/showthread.php?t=284)

Shy 24 April 2006 12:26 pm

phpBB and its ridiculous vulnerabilities
 
During the last few months we've been forced to delete over 300 forum "users." Why "users?" Because those are forum accounts created automatically by online robots with scripts designed to bypass phpBB's ridiculous validation procedures.

Most of them are created and not even activated because there is no need to activate an account for it to appear on the members list with all the details such as a website address, "interests," "location," etc. Search engines' bots then crawl forums' pages, including every member's profile page, and thanks to their "intelligent" logic, search results for terms that appear in forums on which spam info is located include unrelated, spam results.
A very useful spamming method indeed, and the people responsible can thank mostly forum script authors who don't fix security issues and search engine authors who don't restrict their crawler bots for it.

But that's definitely not all. Aside from unactivated spam accounts, some are active, and some are very active, so active that they create automated posts in random topics, with sentences such as "i totally agree with you" and "you're absolutely right guys." For increased annoyance, they have signatures too such as "I rule the world." They don't rule the world, but they certainly rule phpBB's ass.
And let's not forget, some of those accounts have instant messenger info, and I feel sorry for whoever sends an instant message to those as they can expect an endless flood of instant messaging spam.

Make no mistake, I posted about it with proper details on phpBB's security bulletin 2 months ago, on February 23rd, 2 days after the issues started.
I'm not quoting my first post since for some reason phpBB's people want absolutely no mention of bugs, including security issues anywhere except their bug tracker, so I'll summarize my post without the "sensitive" info. I said that during the last 2 days we got 5 unactivated user registrations on our forum that were made for spamming purposes (website links leading to spam content). I decided to check whether this is an automatic registration script doing that, as our forum is not very crowded, and no one sane would bother to register to spread their spam through our forum. And indeed I've found that some of the exact same users are even on the phpbb.com forum. I pointed them to profile links on their own forum, which still haven't been deleted.

Only a month later, on March 24th, I got a response from Graham, a person from the development team. Now I feel compelled to post it here.
Quote:

If you have evidence that they are bypassing the visual confirmation, please supply it to us here. So far, I have not seen any evidence that this is the case (and I discount the links here because we often get people registering such things manually here to try and prove some sort of point)
The same day, I posted this reply:
Quote:

By now Netcraft has reported on what I believe is related to this issue: http://news.netcraft.com/archives/20...bb_forums.html
It can be easily seen that the user names in the links I provided are massively spread on forums all across the world, it's obviously by spam bots, image validation's fault or not.
To this day, another month later, no reply. A new version of phpBB was out, we updated, and it hasn't addressed this issue at all.

During the time this insane problem has been infecting endless phpBB forums across the world, while we've been forced to delete more auto-registered spam users than valid users registered on our forum, and to delete annoying, senseless automatic replies and even new topics made by those scripts, phpBB has been focusing on their bug tracker for their not-ready-for-deployment phpBB 3, on selling a stuffed animal mascot named Bertie Bear, on celebrating a 4th birthday for phpBB 2 and its popularity, on working on a "Mod" handling script for their unsafe, impractical mod handling system, and have mentioned absolutely nothing about the issues listed above, which they are well aware of by now.

Even an alarming post by Netcraft hasn't changed anything, I don't know what will.
We are frustrated with phpBB. If you plan on using it, you should know what you're getting into.
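The post above describes two properties a forum administrator can act on without waiting for an upstream fix: unactivated accounts should never be exposed on the public member list, and accounts that stay unactivated for a long time while carrying a profile link, or that arrive in tight bursts, are the ones worth reviewing. The following script is an added illustration written for this thread; it is not phpBB code, and the member records, field names and thresholds are constructed assumptions standing in for whatever the real database holds.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class Member:
    """Constructed stand-in for one row of a forum's user table (hypothetical fields)."""
    username: str
    activated: bool
    registered: datetime
    website: Optional[str] = None
    interests: Optional[str] = None
    posts: int = 0


def public_member_list(members: List[Member]) -> List[str]:
    """Mitigation for the member-list problem: only activated accounts are listed,
    so an unactivated spam profile is never reachable by a search-engine crawler."""
    return [m.username for m in members if m.activated]


def spam_registration_candidates(members: List[Member], now: datetime,
                                 max_pending_days: int = 3) -> List[str]:
    """Accounts that were never activated, have sat pending longer than
    max_pending_days, and carry a website link in the profile. A real
    newcomer who simply forgot to click the activation mail rarely fills in
    a website, so these are the first rows to review and prune."""
    limit = timedelta(days=max_pending_days)
    return [m.username for m in members
            if not m.activated and m.website and (now - m.registered) > limit]


def registration_bursts(members: List[Member], window_minutes: int = 10,
                        threshold: int = 3) -> Set[str]:
    """Scripted registrations tend to arrive in clusters. Any group of at least
    `threshold` registrations inside a sliding window of `window_minutes` is
    flagged; every account in such a group is returned for manual review."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(members, key=lambda m: m.registered)
    flagged: Set[str] = set()
    for i, first in enumerate(ordered):
        group = [first]
        for later in ordered[i + 1:]:
            if later.registered - first.registered <= window:
                group.append(later)
            else:
                break
        if len(group) >= threshold:
            flagged.update(m.username for m in group)
    return flagged


# Constructed sample data; the usernames and URLs are invented for the example.
NOW = datetime(2006, 4, 24, 12, 0)
SAMPLE_MEMBERS = [
    Member("shy", True, datetime(2004, 1, 1), website="https://www.musepack.net", posts=500),
    Member("real_newbie", False, datetime(2006, 4, 23, 9, 0)),
    Member("cheap_pills_4u", False, datetime(2006, 2, 21, 3, 12),
           website="http://example.invalid/pills", interests="pills"),
    Member("casino_bot_77", False, datetime(2006, 2, 21, 3, 15),
           website="http://example.invalid/casino"),
    Member("agree_bot", True, datetime(2006, 2, 21, 3, 17),
           website="http://example.invalid/agree", posts=12),
    Member("lurker", True, datetime(2005, 6, 1)),
]

if __name__ == "__main__":
    print("public member list:", public_member_list(SAMPLE_MEMBERS))
    print("stale pending accounts with links:",
          spam_registration_candidates(SAMPLE_MEMBERS, NOW))
    print("accounts registered in a burst:",
          sorted(registration_bursts(SAMPLE_MEMBERS)))
```

The burst check deliberately returns the activated `agree_bot` as well: an account that was created in the same minutes as the unactivated ones and then went on to post is exactly the "i totally agree with you" poster the thread complains about, and the pending-account filter alone would miss it.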

gerardobaez 30 April 2006 10:47 pm

whoa that sucks! I hope they don't ruin this forum... If the guy has not responded in like a month, that usually means they are deep in their own BS...



Powered by vBulletin® Version 3.8.11 Beta 2
Copyright ©2000 - 2019, vBulletin Solutions Inc.