phpbb
phpBB.com download briefly served trojanized 3.2.4 installer
On 2018-09-14, phpBB confirmed that the download links on phpbb.com for the newly released version 3.2.4 (`phpBB-3.2.4.zip`, `phpBB-3.2.4.tar.bz2`) had been redirected to a third-party server hosting a trojanized archive, which contained additional code that opened a backdoor. The compromise affected the project's own website rather than the source code or build pipeline; clean files on the project's mirrors and Composer-installed copies were unaffected. phpBB pulled the malicious links within hours of discovery and rotated the download URLs.
- Date: 2018-09-14
- Category: Open Source
- Target Surface: Distribution
- Insertion Phase: distribution
- Impact: Backdoor
- Cause: Website compromise
What Was Affected
- Package: phpbb
- Language: PHP
- Component: Application
- Artifact type: source archive
- Domain type: project download host
- Domain: phpbb.com
- Repository: github.com/phpbb/phpbb
Compromised Versions
- phpBB 3.2.4 (downloads served 2018-09-14)
Incident Context
- Attribution: Unknown attacker
- Transitive: No
- Observed Duration: 0 days
External References
Source Data
Source record: oss/phpbb/meta.yaml