31
frankblack
Re: myxoops.org hacked!
  • 2005/9/7 19:01

  • frankblack

  • Just can't stay away

  • Posts: 830

  • Since: 2005/6/13


Quote:
Neither Newbb 2.* nor CBB 1.*/2.* has the vulnerability.


Good to know, but this makes me fear that the attacker had another hole. And no, Protector wasn't installed. The Protector was installed, but later deinstalled because of problems.

32
ZPC
Re: myxoops.org hacked!
  • 2005/9/7 21:49

  • ZPC

  • Official Support Member

  • Posts: 76

  • Since: 2002/1/16


this is getting scary ... I noticed several sites being hacked ... e.g. Imago Themes (http://xoops.imagocn.net/modules/news/) - and that's what I call a gentle hack.

The reasons seem to me clear - keep your site updated.

33
jaquita
Re: myxoops.org hacked!
  • 2005/9/7 22:05

  • jaquita

  • Just popping in

  • Posts: 22

  • Since: 2005/9/4 1


Quote:

Antoine wrote:
Theoretically: Yes. Would have to check the sanitation of all variables involved to be sure. Don't think anything as obvious as the main message body can be used to XSS though.


Is it possible for somebody to upload something that *purports* to be a image but is in fact an executable script of some kind. IOW, is there any upload area in XOOPS that may accept various types of restricted uploads that may not be scanning the files as designed?

Looking through the logs once again, the very last GET before the POST from user.php was for "uploads/blank.gif". At that last GET the user had a SESSIONID and one IP, when the POST happened the user had the same SESSIONID with a different IP.

Is there a correlation there?


jaquita

34
phppp
Re: myxoops.org hacked!
  • 2005/9/7 22:09

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


Quote:

ZPC wrote:
this is getting scary ... I noticed several sites being hacked ... e.g. Imago Themes (http://xoops.imagocn.net/modules/news/) - and that's what I call a gentle hack.

The reasons seem to me clear - keep your site updated.


Yes, imago is still using XOOPS 2.05, the same situation with astonthemes.

And I would say XML-RPC hole, which was fixed in XOOPS 2.013 contributes to most of the cracks.

35
Antoine
Re: myxoops.org hacked!
  • 2005/9/12 8:31

  • Antoine

  • Friend of XOOPS

  • Posts: 112

  • Since: 2004/11/14


Quote:

jaquita wrote:
Is it possible for somebody to upload something that *purports* to be a image but is in fact an executable script of some kind.

Yes it is. You can upload any type of file as an avatar, as long as it isn't too large and has an allowed extension. These invalid images being referenced in an IMG tag's SRC attribute however don't pose a threat. I don't see a way to get these "bogus" images in the /upload directory included in any .php file as source.

Quote:

jaquita wrote:
Looking through the logs once again, the very last GET before the POST from user.php was for "uploads/blank.gif". At that last GET the user had a SESSIONID and one IP, when the POST happened the user had the same SESSIONID with a different IP.

Not entirely sure, but I think blank.gif is used as placeholder when a person doesn't have an avatar. Only indicates to me that the valid session-holder was probably viewing the forums right before someone else hijacked his session. No easy way to determine what was wrong unless you can replicate all the database info of the posts this user was viewing at the time this incident occured.
Though noted that the last viewed page doesn't neccesarily have to be that one with the exploit on it. It could have been any page before that during the same session.

36
MadFish
Re: myxoops.org hacked!
  • 2005/9/12 10:21

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


Quote:
And I would say XML-RPC hole, which was fixed in XOOPS 2.013 contributes to most of the cracks.


We are fairly sure this was how our colleagues site in Vietnam was cracked (yes, he was running an old version).

If you haven't patched your site, you really had better. This isn't some obscure hole, detailed instructions have been published that even a monkey could use.

Login

Who's Online

55 user(s) are online (26 user(s) are browsing Support Forums)


Members: 0


Guests: 55


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Aug 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits