Santy Worm Spreads Through phpBB Forums

Thousands of servers hosting phpBB forums have been defaced today by a worm that exploits a security hole in the popular bulletin board program.

Santy worm defacement The Santy worm is written in Perl, and exploits a flaw in a file called viewtopic.php that allows an SQL injection exploit, in which SQL database commands typed into a web form can be executed. The worm defaces the web site with the phrase "This site is defaced!!! NeverEver NoSanity" and then seeks out other phpBB sites to attack, apparently using Google to locate the target viewtopic.php files. A Google search for the file currently returns more than 4 million results, while an MSN search lists more than 37,000 appearances of the defacement. Internet security firms are issuing public requests for Google to block these searches to limit the spread of the worm.

The viewtopic.php security hole in phpBB is fixed in version 2.0.11, which has been available for more than a month. The security hole is different from a phpBB exploit published earlier this week that targets a flaw in the PHP scripting language.

PHP, an open source server-side scripting language, is widely used to power web applications that connect with databases such as MySQL, and is commonly bunded with shared hosting accounts offered by web hosting providers. phpBB is among the web's most popular bulletin board programs, with more than 156,000 registered members of its user forum.