Musepack Forums  

24 April 2006, 12:26 pm   #1
Shy
Join Date: Jul 2004
Posts: 372
phpBB and its ridiculous vulnerabilities

During the last few months we've been forced to delete over 300 forum "users." Why "users?" Because those are forum accounts created automatically by online robots with scripts designed to bypass phpBB's ridiculous validation procedures.

Most of them are created and not even activated because there is no need to activate an account for it to appear on the members list with all the details such as a website address, "interests," "location," etc. Search engines' bots then crawl forums' pages, including every member's profile page, and thanks to their "intelligent" logic, search results for terms that appear in forums on which spam info is located include unrelated, spam results.
A very useful spamming method indeed, and the people responsible can thank mostly forum script authors who don't fix security issues and search engine authors who don't restrict their crawler bots for it.

But that's definitely not all. Aside from unactivated spam accounts, some are active, and some are very active, so active that they create automated posts in random topics, with sentences such as "i totally agree with you" and "you're absolutely right guys." For increased annoyance, they have signatures too such as "I rule the world." They don't rule the world, but they certainly rule phpBB's ass.
And let's not forget, some of those accounts have instant messenger info, and I feel sorry for whoever sends an instant message to those as they can expect an endless flood of instant messaging spam.

Make no mistake, I posted about it with proper details on phpBB's security bulletin 2 months ago, on February 23rd, 2 days after the issues started.
I'm not quoting my first post since for some reason phpBB's people want absolutely no mention of bugs, including security issues anywhere except their bug tracker, so I'll summarize my post without the "sensitive" info. I said that during the last 2 days we got 5 unactivated user registrations on our forum that were made for spamming purposes (website links leading to spam content). I decided to check whether this is an automatic registration script doing that, as our forum is not very crowded, and no one sane would bother to register to spread their spam through our forum. And indeed I've found that some of the exact same users are even on the forum. I pointed them to profile links on their own forum, which still haven't been deleted.

Only a month later, on March 24th, I got a response from Graham, a person from the development team. Now I feel compelled to post it here.
Quote:
    If you have evidence that they are bypassing the visual confirmation, please supply it to us here. So far, I have not seen any evidence that this is the case (and I discount the links here because we often get people registering such things manually here to try and prove some sort of point)
The same day, I posted this reply:
Quote:
    By now Netcraft has reported on what I believe is related to this issue:
    It can be easily seen that the user names in the links I provided are massively spread on forums all across the world, it's obviously by spam bots, image validation's fault or not.
To this day, another month later, no reply. A new version of phpBB was out, we updated, and it hasn't addressed this issue at all.

During the time this insane problem has been infecting endless phpBB forums across the world, while we've been forced to delete a larger number of auto-registered spam users than valid users registered on our forum, and to delete annoying, senseless automatic replies and even new topics made by those scripts, phpBB has been focusing on their bug tracker for their not-ready-for-deployment phpBB 3, on selling a stuffed animal mascot named Bertie Bear, on celebrating a 4th birthday for phpBB 2 and its popularity, on working on a "Mod" handling script for their unsafe, impractical mod handling system, and have mentioned absolutely nothing about the issues listed above that they are well aware of by now.

Even an alarming post by Netcraft hasn't changed anything; I don't know what will.
We are frustrated with phpBB. If you plan on using it, you should know what you're getting into.
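The mechanism described above (unactivated accounts whose profile links get crawled, plus activated accounts posting canned agreement replies) can be turned into a routine housekeeping check. The following is an added example written for this thread, not code from phpBB or from the poster; the Member record, its field names and the canned-phrase list are assumptions, and the member list is a constructed sample.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Canned one-liners of the kind the post describes (constructed sample list).
CANNED_REPLIES = {"i totally agree with you", "you're absolutely right guys"}

@dataclass
class Member:
    # Hypothetical member record; field names are assumptions, not phpBB's schema.
    name: str
    registered: datetime
    activated: bool
    website: str = ""
    signature: str = ""
    posts: list = field(default_factory=list)

def profile_has_links(m: Member) -> bool:
    return bool(m.website) or "http" in m.signature.lower()

def is_canned(text: str) -> bool:
    # Lowercase and drop punctuation so "You're absolutely right, guys!" still matches.
    return re.sub(r"[^a-z' ]", "", text.lower()).strip() in CANNED_REPLIES

def triage(members, now: datetime, grace_days: int = 3):
    """Return (purge, review): unactivated link-bearing accounts past the grace period, and activated accounts whose every post is canned."""
    purge, review = [], []
    for m in members:
        stale = now - m.registered > timedelta(days=grace_days)
        if not m.activated and profile_has_links(m) and stale:
            purge.append(m.name)
        elif m.activated and m.posts and all(is_canned(p) for p in m.posts):
            review.append(m.name)
    return purge, review

def public_member_list(members):
    """What crawlers should see: only activated accounts get a listed profile."""
    return [m.name for m in members if m.activated]

NOW = datetime(2006, 4, 24, 12, 26)  # constructed reference time
SAMPLE = [  # constructed sample member list
    Member("bertie_fan", NOW - timedelta(days=400), True, posts=["Has anyone tried the new encoder?"]),
    Member("cheapmeds42", NOW - timedelta(days=10), False, website="http://example.invalid/pills"),
    Member("newguy", NOW - timedelta(days=1), False),
    Member("agreebot", NOW - timedelta(days=5), True, signature="I rule the world",
           posts=["i totally agree with you", "You're absolutely right, guys!"]),
    Member("pending_link", NOW - timedelta(days=1), False, website="http://example.invalid"),
]

print(triage(SAMPLE, NOW), public_member_list(SAMPLE))
```

The grace period keeps genuine registrations that simply have not confirmed their e-mail yet out of the purge list; only the public member list is filtered immediately.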
30 April 2006, 10:47 pm   #2
Join Date: Aug 2005
Posts: 2

Whoa, that sucks! I hope they don't ruin this forum... If the guy has not responded in like a month, that usually means they are deep in their own BS...
gerardobaez
