phpBB links served malicious packages
phpBB download links for 3.2.2 were replaced for 181 minutes on January 26, 2018. The off-site packages carried extra code that tried to load remote JavaScript.
Story
The phpBB incident was a link replacement attack, not a phpBB codebase exploit. On January 26, 2018, two official download links pointed away from phpBB's normal files to malicious packages on a third-party server.
The affected artifacts were the phpBB 3.2.2 full package and the automatic updater from 3.2.1 to 3.2.2. The altered packages added code that attempted to load JavaScript from a remote source. phpBB later took control of the referenced domains, which neutralized that delivery path.
The window was short: 12:02 to 15:03 UTC, or 181 minutes. phpBB removed the links, told users to verify SHA256 hashes against the official download page, and asked anyone who installed or updated from the malicious packages to file an incident report.
phpBB estimated fewer than 500 downloads during the exposure window, with fewer likely used in production. The record is scoped to the official download-link compromise and the two package artifacts served through it.
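The check phpBB asked users to perform, written out as an added example (not code from phpBB or from this record): stream a downloaded archive through SHA-256 and compare the digest with the one published on the official download page. The sample archive, its tampered copy and the "published" digest are constructed here in place of real packages.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a downloaded archive in chunks so large packages need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected_hex):
    """Compare the file's digest with the digest listed on the official download page.

    Returns (ok, actual_hex). The comparison is constant-time, and the expected value
    is normalised so a digest copied with surrounding whitespace or upper-case hex still
    matches. A mismatch means the bytes on disk are not the bytes the project published,
    regardless of which link or mirror served them.
    """
    expected = expected_hex.strip().lower()
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected), actual


def demo():
    """Constructed demonstration: a 'published' archive and a copy with extra bytes appended.

    Returns the verification outcome for each file, in that order.
    """
    good = b"phpBB-3.2.2 archive bytes (constructed sample, not a real package)\n"
    tampered = good + b"<!-- constructed extra bytes standing in for injected code -->\n"
    published_digest = hashlib.sha256(good).hexdigest()  # what the download page would list
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "phpBB-3.2.2.zip")
        bad_path = os.path.join(d, "phpBB-3.2.2-from-mirror.zip")
        with open(good_path, "wb") as f:
            f.write(good)
        with open(bad_path, "wb") as f:
            f.write(tampered)
        ok_good, _ = verify_package(good_path, published_digest.upper())
        ok_bad, _ = verify_package(bad_path, published_digest)
    return ok_good, ok_bad


if __name__ == "__main__":
    print("official package matches: %s, tampered copy matches: %s" % demo())
```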
Affected Artifacts
- phpBB 3.2.2 full package
  - Observed: 2018-01-26
  - Compromised Versions:
  - Fixed: Not listed
  - Evidence: distribution: phpbb.com/downloads, mirror: github.com/phpbb/phpbb, file: phpBB 3.2.2 full package, technique: remote_javascript_loader
  - Note: phpBB estimated fewer than 500 downloads during the exposure window; the number of production installations was expected to be far lower.
- phpBB 3.2.1 -> 3.2.2 automatic updater
  - Observed: 2018-01-26
  - Compromised Versions:
  - Fixed: Not listed
  - Evidence: distribution: phpbb.com/downloads, mirror: github.com/phpbb/phpbb, file: phpBB 3.2.1 -> 3.2.2 automatic updater, technique: remote_javascript_loader
  - Note: phpBB estimated fewer than 500 downloads across both malicious packages; the number is exposure context, not a confirmed victim count.
Incident Context
- Cause: Website Compromise
- Transitive: No
External References
- phpBB Security Incident (phpbb.com)
- Hacker Compromised Official phpBB Download Links (bleepingcomputer.com)
- phpBB Website Served Malicious Packages (securityweek.com)
Source record: oss/attacks/phpbb/meta.yaml