This post is mainly directed to Mike. I've received emails from our Hosting company and have noticed some news bulletins about the potential security issues with phpBB.
Check out: http://www.broadbandreports.com/shownews/58259
Notes from our provider...
Dear Valued Customer,
As a professional courtesy to all Dedicated Server customers, we have compiled this advisory regarding a recent reported vulnerability of which we feel you should be made aware. While NTT/Verio is not responsible for the security of the applications and software running on your server, we want to alert you to this reported vulnerability so that you can take the necessary steps to ensure the security of your Dedicated Server
Exploitation of phpBB highlight parameter vulnerability
Original release date: December 21, 2004
Last revised: December 22, 2004
Source: US-CERT
Systems Affected
phpBB versions 2.0.10 and prior
Overview
The software phpBB contains an input validation problem in how it processes a parameter contained in URLs. An intruder can deface a phpBB website, execute arbitrary commands, or gain administrative privileges on a compromised bulletin board.
I. Description
phpBB is an open-source bulletin board application. It improperly performs an urldecode() on the "highlight" parameter supplied to viewtopic.php. This may allow a remote attacker to execute arbitrary commands on a vulnerable server.
According to reports, this vulnerability is being actively exploited by the Santy.A worm. The worm appears to propogate by searching for the keyword "viewtopic.php" in order to find vulnerable sites.
The worm writes itself to a file named "m1ho2of" on the compromised system.
It then overwrites files ending with .htm, .php, .asp. shtm, .jsp, and .phtm replacing them with HTML content that defaces the web page. The worm then tries to use PERL to execute itself on the compromised system and propogate further.
US-CERT is tracking this issue as:
VU#497400 - phpBB viewtopic.php fails to properly sanitize input passed to the "highlight" parameter
II. Impact
A remote attacker may be able to deface a phpBB website and execute arbitrary commands on a compromised bulletin board.
III. Solution
Upgrade phpBB http://www.phpbb.com/downloads.php
...