The Joomla! Forum ™





PostPosted: Sun Jul 30, 2006 10:33 am 
Joomla! Fledgling

Joined: Sun Jul 30, 2006 10:10 am
Posts: 1
My site got hacked twice, nothing too serious so far as only the index.php was replaced with something in Turkish.

The first time I noticed by looking at the statistics that the last visitor before the hack was an IP from Turkey that searched "com_extcalendar" on Google and thus found my site. I've since sorted com_extcalendar out.

Yesterday came the second hack, and again the last visitor that appeared on the statistics was an IP from Turkey, but this time it searched "com_uhp" on Google. Quite a few of the other sites that appeared on the Google results page had also been hacked in exactly the same way.

Are there any security issues with com_uhp? I've removed it from the server for the time being, although it does not seem to be in the list of dangerous components. Any thoughts on the matter?


Last edited by RobS on Thu Aug 10, 2006 8:30 pm, edited 1 time in total.

PostPosted: Sun Jul 30, 2006 3:10 pm 
Joomla! Explorer

Joined: Fri Aug 19, 2005 12:51 pm
Posts: 427
Location: Argentina
Author: Hasibuan

Input passed to the "mosConfig_absolute_path" is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

vuln: uhp_config.php

Code:
<?php
// $mosConfig_absolute_path is used in the include path without being verified
global $mosConfig_absolute_path;
require($mosConfig_absolute_path."/administrator/components/com_uhp/uhp_config.inc");
?>


Have a nice day
Gustavo Raúl Aragón

_________________
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org


PostPosted: Sun Jul 30, 2006 3:27 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17327
Location: **Translation Matters**
Merged these 2 topics as they are related.
Thanks Gustavo.  :)

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Sun Jul 30, 2006 3:33 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17327
Location: **Translation Matters**
Isn't footer.php also a problem in version 1.1.1?
Quote:
global $mosConfig_absolute_path, $uhp;
require($mosConfig_absolute_path."/administrator/components/com_uhp2/uhp2_config.inc");

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group
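
An added example, not part of the thread or of UHP's code: a heuristic Python audit that lists `include`/`require` statements built from `$mosConfig_absolute_path` that a file reaches before any direct-access guard, which is the pattern quoted above for uhp_config.php and footer.php. It assumes the conventional Mambo/Joomla 1.0 `_VALID_MOS` guard as the mitigation (the thread does not show the developer's actual fix); the function names and sample strings are constructed for illustration.

```python
import os
import re

# Direct-access guard that Mambo/Joomla 1.0 files conventionally start with (assumed mitigation).
GUARD_RE = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)", re.I)
# include/require whose path is built from $mosConfig_absolute_path.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*\$mosConfig_absolute_path\b", re.I)
COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)


def blank_comments(src):
    """Replace comment text with spaces so offsets and line numbers are unchanged."""
    return COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)


def unguarded_includes(src):
    """Return line numbers of includes reached before any _VALID_MOS guard."""
    guard = GUARD_RE.search(blank_comments(src))  # a commented-out guard does not count
    limit = guard.start() if guard else len(src)
    return [src.count("\n", 0, m.start()) + 1
            for m in INCLUDE_RE.finditer(src) if m.start() < limit]


def audit_tree(root):
    """Map each .php/.inc file under root to its unguarded include lines."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".inc")):
                path = os.path.join(folder, name)
                with open(path, encoding="latin-1") as fh:
                    lines = unguarded_includes(fh.read())
                if lines:
                    findings[path] = lines
    return findings


# Constructed samples: the snippet quoted in the thread, then the same file with a guard.
VULNERABLE = ('<?php\nglobal $mosConfig_absolute_path;\n'
              'require($mosConfig_absolute_path."/administrator/components/com_uhp/uhp_config.inc");\n?>')
GUARDED = VULNERABLE.replace(
    "<?php\n", "<?php\ndefined('_VALID_MOS') or die('Direct Access to this location is not allowed.');\n")
COMMENTED_OUT = VULNERABLE.replace("<?php\n", "<?php\n// defined('_VALID_MOS') or die();\n")

if __name__ == "__main__":
    print(unguarded_includes(VULNERABLE), unguarded_includes(GUARDED))
```

Point `audit_tree()` at a local copy of the component directory; each hit is a file to review by hand, not proof that it is exploitable.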


PostPosted: Mon Jul 31, 2006 1:22 pm 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
There is an exploit in the wild but no details of which version is vulnerable.
The latest available version is V1.1. You can get it here: http://www.ravensportal.co.uk/
At this time I don't know if that version is vulnerable.

I have notified the developers.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


PostPosted: Mon Jul 31, 2006 1:47 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10525
Location: Leeds, UK
The vulnerable version is 0.5

http://secunia.com/advisories/21305/

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Mon Jul 31, 2006 1:57 pm 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
The report I have seen clearly states UHP2, but not which version of 2.
Anyway, as I said, I have contacted the developers so no doubt we will soon have more information.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


PostPosted: Mon Jul 31, 2006 2:00 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17327
Location: **Translation Matters**
Already posted here:
http://forum.joomla.org/index.php/topic,81308.0.html

If no one minds (I'll wait), I will merge these 2 threads and change title to reflect

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Mon Jul 31, 2006 10:57 pm 
Joomla! Intern

Joined: Thu Sep 15, 2005 3:06 pm
Posts: 79
Location: Glasgow
Hi,

I'm the developer of UHP and UHP2 and can confirm the vulnerability..  :(

New versions are available for download from http://www.ravenswoodit.co.uk

If you are running UHP I would recommend upgrading to UHP2 as it is under active development, whereas UHP is effectively dead..

Cheers

John

_________________
UHP2 - now available for Joomla 1.5

Professional Joomla/Mambo development
Ravenswood IT Services - http://www.ravenswoodit.co.uk


PostPosted: Tue Aug 01, 2006 1:37 pm 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
Jeepers, you are quick John!  You really do deserve your reputation of being security-conscious devs. I am impressed with the fast turnaround. Thank you.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


PostPosted: Tue Aug 01, 2006 4:10 pm 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Added to the list of vulnerable components with reference to the update.  Thanks for dealing with it so quickly. 

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

