1
Jyotirmaya
XF-Section Security Vulnerability
  • 2006/3/17 14:53

  • Jyotirmaya

  • Not too shy to talk

  • Posts: 105

  • Since: 2005/2/10


I am using XF-section 1.07 (xoops 2.2) and it appears there is a security vulnerability in modify.php. The email below is from my host, purplecloud.

Can anyone advise how I can plug this hole.

My site is http://www.anandamarga.org.uk, xf-section runs the vegetarian cookbook. Anonymous users are not allowed to modify the entries, and new users have to be accepted by the admins before being activated.

First off - I am going to upgrade to xfs 1.10


Quote:
Hi,

The following script on your hosting account has been exploited by hackers and used to execute a trojan script on our
server:

/usr/local/psa/home/vhosts/anandamarga.org.uk/httpdocs/modules/xfsection/modify.php

Since this appears to be a downloaded script, please can you check that you have the latest version and any security updates installed on your account, or take other steps to ensure that the script is secure.

If similar problems occur again then we may be forced to disable the script concerned.

Regards,
James
Purple Cloud

--
Purple Cloud :: budget hosting solutions
Website: http://www.purplecloud.net
E-Mail: enquiries@purplecloud.net
"You are never alone or helpless, the force that guides the stars guides you too"

2
seventhseal
Re: XF-Section Security Vulnerability

Tell them to send you the proof - otherwise, you have no way of knowing what hole they are referring to. The problem here is this, they know that it happened, and maybe it acutally happened. Within the hosting environment, that means they either have some foms of trip wire running, mod_security, or snort. So, they should have the specific POST payload driven to execute.

More than likely - and I am taking a big guess - they uploaded something to the /tmp directory of the server. /tmp could be anything, so it's an example here. They then tried to execute the script. Since they (hosting company) saw it come through that specific file, they saw the specific command.

Here's what bothers me, and I am a PLESK reseller, it sounds to me that they DON'T have all of the security measures in place, and that the script was executed - probably a mailer of some sort. If youare on a Virtuosso (VPS) environment, it may also be a problem where the "script-kiddies" know the script is already on the physical server, and they are just trying to exploit it through a known PHP script that may give access to the /tmp directory.

This is probably more than you need to know, but it always bugs me that "hosting" companies tell you there was a problem, but give no proof or details...good luck!
John Horne - a.k.a. - VelocityWebDev, Seventhseal, CreepingDeath
**********************************
VelocityWebDev Tech BLOG
VelocityWebHost Hosting and Design

3
Jyotirmaya
Re: XF-Section Security Vulnerability
  • 2006/3/17 18:56

  • Jyotirmaya

  • Not too shy to talk

  • Posts: 105

  • Since: 2005/2/10


thanks seventhseal - will ask them.
put on GIJoe's security pack just in case
"You are never alone or helpless, the force that guides the stars guides you too"

4
allnewtome
Re: XF-Section Security Vulnerability
  • 2006/8/20 12:02

  • allnewtome

  • Not too shy to talk

  • Posts: 175

  • Since: 2005/11/30


I've had the same problem, with xfsection 1.10. I thought I had posted here already, but perhaps my post was deleted because it was too explicit with what the problem was

To cut a long story short, I have removed modify.php for now, and will look for an alternative articles/sections module.

But everything seems to work fine still and I can still edit articles. So...

What is modify.php for (except hackers!!) and what can't I do without it?



Thanks

5
zyspec
Re: XF-Section Security Vulnerability
  • 2006/8/20 13:12

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


The author has released several security fixes since 1.07. The current (and final) version of XFSection is 1.12a. You can find it H E R E

6
allnewtome
Re: XF-Section Security Vulnerability
  • 2006/8/20 13:14

  • allnewtome

  • Not too shy to talk

  • Posts: 175

  • Since: 2005/11/30


Yes but that 1.10->1.11 security bugfix was already commented out in modify.php in v1.10.

I was asking what modify.php is for.

Sorry/thanks

EDIT - I will install that version until I decide which alternative module to use - thank you very much.

Login

Who's Online

373 user(s) are online (275 user(s) are browsing Support Forums)


Members: 0


Guests: 373


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits