Re: Possible security problem !!! [XOOPS general usage questions]

1

Possible security problem !!!

2004/5/21 17:27
intmoves
Just popping in
Posts: 13
Since: 2004/5/21

I am building a (dutch language) portal using XOOPS and I encountered a problem. Today I found that several of the PHP-scripts where compromised and selecting certain options on my xoops-based website gave me a error saying that a scripts was called that is not in the base-path of the server. The error also showed the (wrong) path and it doesn't exist on my own server. Apparently some command was inserted into the scripts to call a, possible malicious, script residing somewhere outside my own hosting server. Luckilly the server didn't allow the execution of the remote script but the xoops-installation was no longer useable as it was locking up into the same error (pertaining the strange path) almost on each function of the portal.

After replacing all the files in the modules-directory the problem went away. Just to be on the save side I also replaced the PHP-files in the website root-directory.

The problem is obvious: how can someone put code into the xoops-scripts that tries to execute malicious code. Does anyone has simmilar experiences and if so, is there a solution to this problem ?

2

Re: Possible security problem !!!

2004/5/21 18:07
Mithrandir
XOOPS is my life!
Posts: 6320
Since: 2003/6/21

Have you contacted your hosting company to hear if it was a problem at their end?

XOOPS is not guaranteed to be bug-free or impossible to hack through, but if your server does not have write access to php files, a php script cannot change the content of the files.

Check that only cache, templates_c and uploads folders are writable by the server.

3

Re: Possible security problem !!!

2004/5/21 18:25
intmoves
Just popping in
Posts: 13
Since: 2004/5/21

Thanks for the quick reply. I'm still working on the problem as it seems that the problem is in almost all the PHP-files. It certainly looks like something that is going on on the ISP's server (virus-like tmo).

Just for your information, here is the exact error I get (as it is still apearing while I'm re-testing my site):

Warning: Unknown(): open_basedir restriction in effect. File(/home/oakdome/cafe/lgf-reflog-searchv3.php) is not within the allowed path(s): (/home/webregio:/tmp) in Unknown on line 0

Warning: Unknown(/home/oakdome/cafe/lgf-reflog-searchv3.php): failed to open stream: Operation not permitted in Unknown on line 0

Warning: (null)(): Failed opening '/home/oakdome/cafe/lgf-reflog-searchv3.php' for inclusion (include_path='.:/usr/share/pear') in Unknown on line 0

Still investigating

4

Re: Possible security problem !!!

2004/5/21 18:46
intel352
Module Developer
Posts: 824
Since: 2003/11/23

looks like php safemode is currently enabled, that causes problems for some scripts

have you tried using just the default theme to see if the errors still occur? also try deleted all cache, templates_c files to remove cached files, maybe it's an error in the cache somewhere

also, which home directory is yours? i see at least 2 mentioned

5

Re: Possible security problem !!!

2004/5/21 18:55
intmoves
Just popping in
Posts: 13
Since: 2004/5/21

I'm currently setting all PHP-files to 444 access as it seems that the server is changing them. After reinstalling all the module-files some where already compromised again. It might indeed be a problem with my ISP as one of my other websites had certain problems last week and that one is running on Geeklog so it might not be related to XOOPS at all.

As for the safemode setting, this site has been running without problems for a week now, the problems appeared today.
FYI, my homedir is home/webregio... the other one is the wrong one. Oh, and cache is disabled for all modules.

6

Re: Possible security problem !!!

2004/5/21 19:26
intel352
Module Developer
Posts: 824
Since: 2003/11/23

cache is still used in templates_c for theme files, fyi (default function of XOOPS it seems)

check your raw http logs, see if anyone is touching your files from the outside somehow

btw, if someone has access to your files from within the server (i.e.- another user's account), it might not matter if you set it to 444, just a though

make sure you report this to your provider, it could be that other user directory is malicious or has written a script that is somehow affecting the whole server.. not sure of the possibilities

7

Re: Possible security problem !!!

2004/5/21 19:29
Mithrandir
XOOPS is my life!
Posts: 6320
Since: 2003/6/21

Quote:

bd_csmc wrote:
cache is still used in templates_c for theme files, fyi (default function of XOOPS it seems)

no - the _c in templates_c means "compiled" i.e. php code compiled from Smarty code.

8

Re: Possible security problem !!!

2004/5/21 19:47
intel352
Module Developer
Posts: 824
Since: 2003/11/23

ah, sorry, i assumed it was a cache for files that smarty had processed (i guess that is a valid way of understanding it, since the files are saved in a folder for repeated use

)

thanks for clarifying tho (and i have noticed that when modifying a theme, for immediate results you have to delete the themename^html file in templates_c, which is why i was saying he might want to delete files generated in templates_c, to make them regenerate fresh)

9

Re: Possible security problem !!!

2004/5/21 20:52
Mithrandir
XOOPS is my life!
Posts: 6320
Since: 2003/6/21

That, on the other hand, is true - but you get the same recompilation by enabling the "update module templates from themes/yourtheme folder" setting.

10

Re: Possible security problem !!!

2004/5/21 22:13
intmoves
Just popping in
Posts: 13
Since: 2004/5/21

OK guys, thanks for the support. I'm feeling quite welcome

I've contacted my ISP and they replied it has something to do with the PHP-version they are running. They also said it should be fixed for now (not sure what they actually did) and they will be upgrading to another PHP-version soon. Not sure yet what to make of it, but it will do for now.

Sorry for crying wolf.... just got a bit paranoid as I have seen all kinds of trouble last week with several of my sites.

One last question (for now): with Geeklog we have a visitor-stats plugin that shows what pages are being viewed by a certain visitor (based on IP-number). Is there something similar for XOOPS ?

Stats
Goal:	$100.00
Due Date:	Sep 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Possible security problem !!!

Re: Possible security problem !!!

Re: Possible security problem !!!

Re: Possible security problem !!!

Re: Possible security problem !!!

Re: Possible security problem !!!

Re: Possible security problem !!!

Re: Possible security problem !!!

Re: Possible security problem !!!

Re: Possible security problem !!!

Login

Search

Recent Posts

Re: sbadmin5 - Bootstrap 5 Theme

sbadmin5 - Bootstrap 5 Theme

Re: XoopsFaq for 2.5.10

XoopsFaq for 2.5.10

Re: activate block by default

Re: wgFilemanager released for testing and contribution

Re: wgFilemanager released for testing and contribution

Re: activate block by default

activate block by default

Re: wgFilemanager released for testing and contribution

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}