Friday, March 24. 2006
Over the last few days a lot of blog entries, forum posts and even articles in IT magazines have appeared about a potential phpBB mass hack in preparation. From what is reported it seems to me that FuntKlakow is only a spambot and that the whole situation is a little bit overhyped. In the end it seems enough to enable the visual confirmation in the registration form (captcha) to keep FuntKlakow out, although the captcha is so bad that it should not be hard to break it.
So why am I writing about this? Yes, I do believe that FuntKlakow is only a spambot, but "all warfare is based upon deception" and therefore this might only be a trick. What I do know, on the other hand, is that I recently found another way to bypass phpBB's register_globals deregistration layer. This time my trick works on all PHP versions and is therefore a lot more dangerous than the tricks that I reported together with the signature_bbcode_uid remote code execution exploit. Of course it still means the phpBB host needs register_globals turned on, but I guess a worm will find enough such hosts.
It is also noteworthy that the fact that signature_bbcode_uid is still exploitable is simply caused by the fact that the phpBB team did not use the patch I supplied to fix the issue. Instead they used their own patch. This is why I blame them for still being vulnerable to modified signature_bbcode_uid exploits, although the trick I use is not their fault.
And of course it is also their fault that they still do not mention the remote code execution vulnerability in their security tracker at all...