[Vulnerability notice] Communication key leak vulnerability in PHPWind

Last Updated: May 19, 2022


PHPWind is a PHP and MySQL-based forum program, and one of the most commonly used forum programs.

The encryption algorithm used by one of PHPWind's interfaces is poorly designed and implemented. As a result, the interface signature can be brute-forced. Attackers can exploit this vulnerability to obtain the website's secret key and use it to break into the website.

Affected versions

PHPWind 9.0 and later


Solutions

  • Use Alibaba Cloud Security Web Application Firewall to block attacks that exploit this vulnerability.

  • Use Alibaba Cloud Security Server Guard Professional Edition to fix this vulnerability. Server Guard can modify the vulnerable code to eliminate this vulnerability.

  • Follow PHPWind's official solution to repair your website code.

    Note: To avoid data loss, back up your data before upgrading, or create a disk snapshot of your ECS instance.