Infected MyBB release package offered for download
The development team of MyBB (MyBulletinBoard), a popular PHP and MySQL-based free forum package, warned its users about the fact that its latest version available for download on the project’s site has been modified to include code that shouldn’t be there.
The compromise was discovered some two weeks ago, and the release package was immediately replaced, the users warned about the code having the ability to open a security vulnerability on their forum and advised on steps to take to fix the problem.
Since then, an investigation into how the compromise was perpetrated revealed that code was malicious and the release was modified on the server by a 3rd party. Unfortunately, it is still unknown when the switch was made, so it would be a good idea for all users who downloaded the package prior to the initial warning to follow the aforementioned instructions.
“There was unfortunately a vulnerability in the CMS which powers the MyBB home page and downloads system,” explains MyBB’s product manager. “Using this vulnerability a hacker was able to add a backdoor to one of the files, allowing them to execute arbitrary PHP and manipulate the release packages.”
“The CMS was custom written a number of years ago, however we believe a 3rd party framework used by the CMS contributed to the vulnerability. The CMS shares no code with MyBB so there should be no concern that these events indicate a vulnerability in MyBB. The server is also configured to isolate the subdomains belonging to the MyBB website, so it is unlikely that any data from the community forums or other sections of the site was compromised.”
Nevertheless, the project is definitely going to publish checksums with future downloads, so that modified files can be spotted earlier. Also, the team is considering implementing an automated verification process and a content distribution network for package distribution.