A few days ago phpbb.com was hacked through a super-globals-overwrite vulnerability in PHPList that was used by an attacker for a local file inclusion exploit. Details about the whole attack, written down by someone who claims to be the attacker, can be read here.

Stefan talks about the superglobal problem PHPList had - allowing the superglobal information to overwrite the variables inside the script without so much as a check. Example code shows how it was possible for the attacker to provide their own configuration file value to be opened via a stream wrapper.

A Wellington, New Zealand, Web hosting company may seek compensation from a client that it claims is responsible for the worst hacking attack in the company's history. IServe blames lax security on their client's part for the hacking job that resulted in the defacing of hundreds of Websites.

The hack forced iServe to shut down all its FTP servers for 28 hours, while it replaced many of its customers' websites with back-ups that were made a few days before the incident.

Joy Cottle, iServe's general manager estimates the problem cost about $20,000 to repair. Clients with dedicated servers were not affected by the hack.

They report that the attack happened because of a flaw in the content management system that allowed the user to overwrite websites of other customers on the machine. They are even considering trying to recoup some of the costs from the customer that allowed it to happen. The hole was one found in the older version of PHPNuke the customer had uploaded.

Due to the incident, iServe is now considering banning cleints from running PHPNuke