Joomla! Discussion Forums



Author Message
Posted: Sat Nov 19, 2005 3:57 am 
Joomla! Guru
de wrote:
friesengeist wrote:
The included configuration.php is also useless at this point as we are in a function context and the $mosConfig_* variables are not exported to global scope.

Hmm... you almost got me... but in my sef.php it seems not to be inside a function?

Oops! It's not in a function, it's in an if() {...} block. My bad. It's late  :-[

de wrote:
But also another line number... and in the current version which I checked out this second I do not even see the sef.php.

Also, I got messed up a little bit with the branch 1.0 and the trunk. So my comments are for the branch 1.0 (which holds the upcoming Joomla! 1.0.4). In the trunk version, it seems that sef was moved into /mambots/system/joomla.sefurlbot.php. But I haven't had a look at that so far, so I might be wrong.

de wrote:
That sef.php always "registers" those GET variables is an error somehow anyway as it does not consider whether the original globals.php was included or globals.php-off.

ACK.

de wrote:
OT: Btw. are you living in another timezone?

Not really, GMT+1, Karlsruhe, Germany. But security issues need to be solved fast, so I had to keep an eye on my sites.

_________________
We may not be able to control the wind, but we can always adjust our sails


Posted: Sat Nov 19, 2005 5:52 am 
Joomla! Ace
Location: Toowoomba, Australia
Thanks for those helping on this one.

Can people try the attached replacement file for globals.php

Try the known attacks with

define( 'RG_EMULATION', 1 );

and

define( 'RG_EMULATION', 0 );

In Joomla! 1.1 we are going to emulate 0, and we have already changed the usage of $mosConfig_absolute_path to a defined constant (JPATH_SITE).

Let me know how you go.


You do not have the required permissions to view the files attached to this post.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://www.theartofjoomla.com
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.


Posted: Sat Nov 19, 2005 2:30 pm 
Joomla! Guru
masterchief wrote:
Can people try the attached replacement file for globals.php


Works quite well for me. No attack came through (because there is no _SESSION in the frontend, see below).


Still, there are two important things:
  • With register_globals=On in php.ini, unregisterGlobals() is executed always (line 104).
  • Typo in line 26: _sessions must be _session


Another small thing is this:
Code:
/**
* Use 0 to emulate register_globals = on
*
* Use 1 to emulate register_globals = off
*/
define( 'RG_EMULATION', 1 );

I would prefer that constant just the other way around. 0 or false for RG=off, 1 or true for RG=on.


Are you also going to address the issue in includes/sef.php? I think instead of
Code:
   while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;

your function checkInputArray should be called (depending on the setting of "RG_EMULATION").



Posted: Sat Nov 19, 2005 3:12 pm 
Joomla! Fledgling
Hi all,

just for the record - how does this Mambo solution work?

http://forum.mamboserver.com/showthread.php?t=65917

If it works, it would at least be an easy way to quickly fix this issue.


Posted: Sat Nov 19, 2005 3:32 pm 
Joomla! Enthusiast
Location: Dortmund
MattGS wrote:
just for the record - how does this Mambo solution work?

http://forum.mamboserver.com/showthread.php?t=65917

If it works, it would at least be an easy way to quickly fix this issue.


I think it uses an equivalent approach to the globals.php masterchief posted before: dying off if any blocked global variable is found within the request.

Quote:
Are you also going to address the issue in includes/sef.php? I think instead of
Code:

while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;

your function checkInputArray should be called (depending on the setting of "RG_EMULATION").

This is not necessary, as the script should have died when the globals patch is applied, never reaching sef.

_________________
°°°°'°°°°
"All you need is Bytes" (Bitles, 2368)


Posted: Sat Nov 19, 2005 3:41 pm 
Joomla! Ace
friesengeist wrote:
I would prefer that constant just the other way around. 0 or false for RG=off, 1 or true for RG=on.

I second this... in addition I'd prefer a mode to deactivate any additional behavior... why not just use the PHP setting by default?

MattGS wrote:
just for the record - how does this Mambo solution work?

http://forum.mamboserver.com/showthread.php?t=65917

Would almost work as well... just that it is not "_GLOBALS" but "GLOBALS" (and it will not work in PHP < 4.2.0).
Also I am not sure whether the case could create a problem... on purpose the previous checks did ignore the case... for example I am not sure whether any harm can be done with $globals instead of $GLOBALS.
Beside those it does not differ a lot from the versions posted here....

Personally, I believe that not telling the attacker immediately that such a check is done (using die with a message, or at all) makes it less easy for an attacker to see which installations are worth hacking. It is a bit like not telling after a failed login whether the password was just wrong or the user name does not even exist.

d2o wrote:
This is not necessary, as the script should have died when the globals-patch is applied not reaching to sef.

Unfortunately I think that is not true, because it is a newly built $_GET array according to the SEF URL.

_________________
http://de.siteof.de/


Posted: Sat Nov 19, 2005 4:06 pm 
Joomla! Enthusiast
Location: Sweden
Quote:
while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;
Regarding this, included configuration.php after that should reset all configuration variables.
I am not able to duplicate the hack on any of my servers so I can't test, but am I missing something?

_________________
Emir Sakic
http://www.sakic.net


Last edited by Saka on Sat Nov 19, 2005 4:13 pm, edited 1 time in total.

Posted: Sat Nov 19, 2005 5:11 pm 
Joomla! Enthusiast
Location: Dortmund
de wrote:
Unfortunately I think that is not true, because it is a newly built $_GET array according to the SEF URL.

Erm, you are right :) globals wouldn't know about it being single key-value pairs.



Posted: Sat Nov 19, 2005 7:48 pm 
Joomla! Guru
d2o wrote:
This is not necessary, as the script should have died when the globals-patch is applied not reaching to sef.

Well, those are two different things. Of course, there is no XSS injection possible due to the new globals.php. But sef.php is emulating register_globals=on (at least for GET values). So if you want to have register_globals=off, sef.php plays a trick on you.

It's not really necessary to use "checkInputArray" in sef.php, but at least $_GET should only be made GLOBAL according to "RG_EMULATION". As we already have "checkInputArray", why shouldn't we use it?

_________________
We may not be able to control the wind, but we can always adjust our sails
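The globals.php replacement under test above (masterchief's checkInputArray()/unregisterGlobals() with RG_EMULATION) and the sef.php line friesengeist wants routed through the same check, as one added example in PHP. This is not Joomla!'s or Mambo's code: the polarity of RG_EMULATION, the rg* function names, the blocked-key list and the sample request are this example's own assumptions, and it is written for current PHP (foreach rather than the removed each()).

```php
<?php
// Added example, not Joomla!'s globals.php/sef.php. Names beginning with rg,
// the RG_EMULATION polarity and the sample request are assumptions.

// 1 emulates register_globals=on, 0 emulates register_globals=off.
if (!defined('RG_EMULATION')) {
    define('RG_EMULATION', 0);
}

// Keys that must never become globals: superglobals, the old long-form
// arrays, and anything impersonating a configuration variable. Case is
// folded on purpose; PHP variable names are case-sensitive, so this is
// stricter than needed, never weaker.
function rgIsBlockedKey(string $key): bool
{
    static $blocked = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
        '_SERVER', '_ENV', '_FILES', '_SESSION', 'HTTP_GET_VARS',
        'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS',
        'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'HTTP_SESSION_VARS'];
    $k = strtoupper($key);
    return in_array($k, $blocked, true) || strncmp($k, 'MOSCONFIG_', 10) === 0;
}

// Offending keys of $input; an empty array means clean. Deliberately does
// not die(): aborting loudly or quietly is the caller's policy (de's point).
function rgCheckInputArray(array $input): array
{
    $bad = [];
    foreach (array_keys($input) as $key) {
        if (rgIsBlockedKey((string) $key)) {
            $bad[] = (string) $key;
        }
    }
    return $bad;
}

// Export $input as globals like register_globals=on, but only if every key
// passed the check. Returns the exported names.
function rgRegisterArray(array $input): array
{
    if (rgCheckInputArray($input) !== []) {
        return [];   // refuse the whole request, not just the bad key
    }
    $exported = [];
    foreach ($input as $key => $value) {
        $GLOBALS[$key] = $value;
        $exported[] = (string) $key;
    }
    return $exported;
}

// Undo what a real register_globals=on did before this file ran: drop every
// global whose name is a key of one of the request arrays.
function rgUnregisterGlobals(array ...$sources): int
{
    $dropped = 0;
    foreach ($sources as $arr) {
        foreach (array_keys($arr) as $key) {
            if ($key !== 'GLOBALS' && array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);
                $dropped++;
            }
        }
    }
    return $dropped;
}

// Boot order: undo PHP's own registration first (ini_get() is false on
// PHP >= 5.4, where the directive is gone), then emulate the requested mode.
// array_merge() follows PHP's default EGPCS order: later arrays win.
function rgBootstrap(array $get, array $post, array $cookie): array
{
    if (ini_get('register_globals')) {
        rgUnregisterGlobals($get, $post, $cookie);
    }
    return RG_EMULATION === 1 ? rgRegisterArray(array_merge($get, $post, $cookie)) : [];
}

// Replacement for sef.php's
//   while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;
// The SEF parser rebuilds $_GET after globals.php ran, so the rebuilt array
// must pass the same check and must honour RG_EMULATION.
function rgRegisterSefGet(array $sefGet): array
{
    return RG_EMULATION === 1 ? rgRegisterArray($sefGet) : [];
}

// Demonstration with a constructed request (no real attack string).
$mosConfig_absolute_path = '/var/www/joomla';   // as configuration.php sets it
$clean = ['option' => 'com_content', 'id' => '5'];
$dirty = ['option' => 'com_content', 'mosConfig_absolute_path' => 'http://example.invalid/'];
var_dump(rgCheckInputArray($clean), rgCheckInputArray($dirty));
var_dump(rgBootstrap($dirty, [], []), rgRegisterSefGet($dirty));
var_dump($mosConfig_absolute_path);
```

The functions report what they did instead of dying, so the caller chooses between an explicit die() and a silent refusal, which is the behaviour de argues for above. rgRegisterArray() refuses the entire request when any key is blocked; registering the remaining keys would still let an attacker probe which names are filtered.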


Posted: Sat Nov 19, 2005 9:41 pm 
Joomla! Ace
Location: Toowoomba, Australia
Re Mambo Solution

Yes it's the same except case-sensitivity is a problem in one of the versions of PHP (actually I think there is a switch).

Re Emulation constant

It's set that way because I am saying "what do you want to emulate: on = 1, off = 0". I'll fix the bug you mentioned though. Thanks.



Posted: Sat Nov 19, 2005 11:08 pm 
Joomla! Guru
masterchief wrote:
It's set that way because I am saying "what do you want to emulate: on = 1, off = 0".


Currently, it is "on=0, off=1".
I want the same as you are saying: "on=1, off=0".

Or did I miss something?



Posted: Sun Nov 20, 2005 6:44 am 
Joomla! Ace
Location: Toowoomba, Australia
Darn it, I had it the wrong way round in the comment. I think I've fixed the logic now so it works correctly.



Posted: Sun Nov 20, 2005 1:09 pm 
Joomla! Guru
Location: Tewkesbury, UK
http://secunia.com/advisories/17622/

MAMBOSERVER.COM HACKED!!!!!

http://www.zone-h.org/en/defacements/view/id=3056290/

_________________
Phil Taylor - Full Time Expert Joomla-Only Developer
Blue Flame IT Ltd.
-- http://www.phil-taylor.com/
SPEED UP Joomla 1.5.x Admin Console with this: http://extensions.joomla.org/extensions ... 53/details


Posted: Sun Nov 20, 2005 2:11 pm 
Joomla! Guru
masterchief wrote:
I think I've fixed the logic now so it works correctly.


Sorry I have to say this, but...
Have a look at the attached patch.


You do not have the required permissions to view the files attached to this post.



Posted: Sun Nov 20, 2005 2:11 pm 
I've been keeping up with the thread, is the patching for the current vulnerability going to be an emergency patch, or is this something that will wait until the next release?


Posted: Sun Nov 20, 2005 2:13 pm 
Joomla! Exemplar
Location: Assen, Netherlands
PhilTaylor-Prazgod wrote:


There's a thread about it too in this forum.

This one: http://forum.joomla.org/index.php/topic,19692.0.html

_________________
Arjan Menger
http://www.welldotcom.nl - Professionele Joomla! Design, Ontwikkeling en Hosting
http://www.joomlaideal.nl - iDEAL betaalmethode voor Joomla! en Virtuemart


Last edited by rjs on Sun Nov 20, 2005 2:17 pm, edited 1 time in total.

Posted: Sun Nov 20, 2005 2:13 pm 
Joomla! Guru
Location: Tewkesbury, UK
rjs wrote:
I've been keeping up with the thread, is the patching for the current vulnerability going to be an emergency patch, or is this something that will wait until the next release?



It can't wait!

see http://www.mamboserver.com - it's hacked
and I am working on fixing several others as well.



Posted: Sun Nov 20, 2005 2:16 pm 
ok. Thanks Phil.


Posted: Sun Nov 20, 2005 2:17 pm 
Joomla! Guru
rjs wrote:
I've been keeping up with the thread, is the patching for the current vulnerability going to be an emergency patch, or is this something that will wait until the next release?


I think this really should go out as soon as possible! It's an XSS vulnerability, and all Joomla/Mambo based sites are currently as open to attackers as they can be! Everyone can execute any PHP code he wants on your server!



Posted: Sun Nov 20, 2005 2:23 pm 
Not good. Thank you for helping with this friesengeist.


Posted: Sun Nov 20, 2005 4:01 pm 
Joomla! Ace
Location: Best, Netherlands
So, what is the best for now to do?
Apply the Mamboserver patch to Joomla sites as well?
http://forum.mamboserver.com/showthread.php?t=65917

_________________
René Kreijveld
http://www.one-company.nl | Joomla! product specialisten


Posted: Sun Nov 20, 2005 4:04 pm 
Joomla! Enthusiast
Location: Dortmund
Thanks for the update friesengeist.

A problem I found with forcing globals off is that even some core components expect globals (e.g. com_media expects $listdir to be set; hence, with globals off you cannot change into subfolders). Someone should check the core for side effects :)



Posted: Sun Nov 20, 2005 5:06 pm 
Joomla! Guru
webguy wrote:
So, what is the best for now to do?
Apply the Mamboserver patch to Joomla sites as well?

Don't do that. It's not safe! I just checked it out with PHP 4.3.11 and 5.0.3. It's not working at all.
For now, untill an official update is announced, you should be fine by replacing globals.php with the one supplied in this post in this thread.

de wrote:
Also I am not sure whether the case could create a problem... on purpose the previous checks did ignore the case... for example I am not sure whether any harm can be done with $globals instead of $GLOBALS.

Just ridiculous what they do... First, the Mambo guys mix up needle and haystack in in_array(). Second, they try to find an array in their $protect. This will always return false, as $protect has no subarrays...

_________________
We may not be able to control the wind, but we can always adjust our sails
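Why a check of that shape lets everything through, as an added example reconstructed from the description above, not the Mambo patch itself: $protect, the sample request and the three function names are assumptions of this example, and the value-versus-key comparison goes one step beyond what the post says. On de's question about $globals versus $GLOBALS: PHP variable names are case-sensitive, so a request key of globals lands in an unrelated variable; folding case in the check below is belt and braces, not a requirement.

```php
<?php
// Added example: hypothetical reconstruction from the thread's description,
// not the Mambo patch. $protect, $request and the function names are assumed.

$protect = ['GLOBALS', '_SESSION', '_SERVER', 'mosConfig_absolute_path'];

// Constructed request that a working check must reject.
$request = ['option' => 'com_content',
            'mosConfig_absolute_path' => 'http://example.invalid/'];

// Broken: in_array(needle, haystack) is asked whether the whole $request
// array occurs as a value of $protect. $protect holds only strings, and an
// array never compares equal to a string, so the answer is false for every
// request, hostile or not: the "protection" is a no-op.
function brokenCheck(array $request, array $protect): bool
{
    return in_array($request, $protect);
}

// Still broken with the arguments in the right order: the dangerous names
// arrive as request *keys*, so checking the values misses
// ?mosConfig_absolute_path=... entirely.
function valueCheck(array $request, array $protect): bool
{
    foreach ($request as $value) {
        if (is_string($value) && in_array($value, $protect, true)) {
            return true;
        }
    }
    return false;
}

// Correct: compare each request key against the protected names, folding
// case so a later lookup that ignores case cannot be bypassed either.
function keyCheck(array $request, array $protect): bool
{
    $upper = array_map('strtoupper', $protect);
    foreach (array_keys($request) as $key) {
        if (in_array(strtoupper((string) $key), $upper, true)) {
            return true;
        }
    }
    return false;
}

var_dump(brokenCheck($request, $protect));
var_dump(valueCheck($request, $protect));
var_dump(keyCheck($request, $protect));
```

Only keyCheck() reports the constructed request as hostile; the other two accept it, which is exactly the failure mode friesengeist describes: a check that is present in the code but can never fire.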


Posted: Sun Nov 20, 2005 5:17 pm 
Joomla! Enthusiast
Location: Austria
Hiya!

Does the globals.php replacement from this thread also work with Mambo 4.5.2.3?
I still have several sites running Mambo because I haven't had the time to convert them and I wanted to wait until the release of Joomla 1.1.

Also, I lost track somewhere in this thread as I'm not _that deep_ into core files, so am I vulnerable with one of these configurations:

Hoster 1:
=======
Mambo 4.5.2.3 Stable
PHP 4.3.11
Register Globals: ON

Hoster 2:
=======
Mambo 4.5.2.3 Stable
PHP 4.3.3
Register Globals: OFF

Hoster 3:
=======
Joomla 1.0.3 Stable
PHP 4.4.1
Register Globals: OFF

As far as I got it at least the account at Hoster 2 should be in danger, right?

Thanks in advance,
Kurt

_________________
Kurt Banfi

http://www.clockbit.com <- Developer of Contacts XTD
http://www.open-sef.org <- Chief Designer ;)


Last edited by CubaLibre on Sun Nov 20, 2005 5:33 pm, edited 1 time in total.

Posted: Sun Nov 20, 2005 5:36 pm 
Joomla! Guru
CubaLibre wrote:
Does the globals.php replacement from this thread also work with Mambo 4.5.2.3?

It just works fine with Mambo 4.5.2.3

CubaLibre wrote:
Also, I lost the track somewhere in this thread as I'm not _that deep_ into core files, so am I vulnerable with this configuration:

Mambo 4.5.2.3 Stable
PHP 4.3.11
Register Globals: ON

Depends on your setting of SEF:
  • SEF=on -> vulnerable
  • SEF off and register_globals=on -> not vulnerable (as far as I know/explored)



Posted: Sun Nov 20, 2005 5:46 pm 
Joomla! Enthusiast
Location: Austria
friesengeist wrote:
It just works fine with Mambo 4.5.2.3


Ok, then I'll upload the modified globals.php right now!

friesengeist wrote:
Depends on your setting of SEF:
  • SEF=on -> vulnerable
  • SEF off and register_globals=on -> not vulnerable (as far as I know/explored)

Sorry, seems I modified my post while you replied. Do you mind taking a look at Hoster 2 and 3 as well?

Thanks,
Kurt



Posted: Sun Nov 20, 2005 6:01 pm 
Joomla! Guru
CubaLibre wrote:
Sorry, seems I modified my post while you replied. Do you mind taking a look at Hoster 2 and 3 as well?


With register_globals=off and the old globals.php, you are probably vulnerable. As far as I know it makes no difference which PHP version you are using. I could only test 4.3.11 and 5.0.3 though.

There is some interesting stuff about the backgrounds on http://www.hardened-php.net/index.76.html.



Posted: Sun Nov 20, 2005 6:12 pm 
Joomla! Enthusiast
Location: Austria
I just replaced globals.php at all the sites running on Hoster 1 and deleted several installations used for demo and testing purposes only.
I'll do the same on the other accounts as well and then check out the link you posted.

Thanks a lot!

Kurt



Posted: Sun Nov 20, 2005 8:50 pm 
Joomla! Hero
Location: Geneva mostly
So.. weekend or not, this issue was posted 3-4 days ago; in the meantime, mamboserver !! has been defaced, so is there going to be a patch available asap, and if so, will it be only for Joomla, or also Mambo 4523?
I do not feel very comfortable now, seeing you guys discussing these vulnerabilities here on a public forum, so anyone who hasn't had the idea might want to try now..
Andrew, is your replacement file ready to be used or not, and does it fix all issues?
Thanks.

_________________
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.blogspot.com for J! 1.5 screenshots
http://www.eyezberg.com


Posted: Sun Nov 20, 2005 9:04 pm 
Joomla! Guru
eyezberg wrote:
I do not feel very comfortable now, seeing you guys discussing these vulnerabilities here on a public forum, so anyone who hasn't had the idea might want to try now..


I understand your concern about discussing this thing here in the forum. But please keep in mind, that
  • this issue was already reported on many security sites and security mailing lists. I read about it on friday morning, before I saw it in this forum.
  • no information on how to do the attack has been published in this forum. I think that hackers don't get more information on the topic in this forum than they already have from peter MC tachatte's mail
  • all important information was sent to Andrew in private mail
  • this discussion has brought up some more points to think about. If tested by a wider community, the patch might be more secure than when just tested by a few people.

Just my 2 Cents...
Enno


