As all of you might know , phpbb is one of the most used open source forum engine. Phpbb might have millions of users , and Phpbb should protect their users from being hacked. And the fact is that the official site of phpbb , which is phpbb.com was hacked within few days ago ! and phpbb.com is still under maintenance up to now. The hacking of phpbb.com started when the attacker spotted a ‘gateway’ to attempt the break-in through phpList exploit (http://www.milw0rm.com/exploits/7778) . Well it’s not a how to hack phpbb forum , but it’s still good to be read.
Here’s the exceprt of the phpbb.com hacking story :
And eventually found my way to their error log /home/logs/phpbb.com/error_log. After a little looking I figured out that their forums were running off /home/virtual/phpbb.com/community/ well it has been known for some time that you can include code in the error log. So I wanted to run some code, well in PHPBB3 the avatars are located in a folder called /home/virtual/phpbb.com/community/images/avatars/upload and your avatar is called (secret hash)_userid.jpg. But I didn’t know what the secret has was to include my picture (that had my own code in it) so by using the error log I injected code
And figured out that their hash is f51ee61fe7a83fdf72780912bced0855. So now every time I want to upload run code against the server I can include this: /../../../../../../home/virtual/phpbb.com/community/images/avatars/upload/f51ee61fe7a83fdf72780912bced0855_ID.jpg
Read the rest of the story here : http://hackedphpbb.blogspot.com/