Expose Flash Gallery RC4 vulnerability
-
- Joomla! Fledgling
- Posts: 1
- Joined: Fri Aug 24, 2007 7:12 pm
Re: Expose Flash Gallery RC4 vulnerability
My site also was defaced. I didn't know what happened, because my provider stopped logging a while ago. But now I know; I also found the rr.php and other stuff. It's great to have a patch so soon, keep up the great job.
Thanks maxzz
- doctorj
- Joomla! Intern
- Posts: 87
- Joined: Sun Sep 04, 2005 4:42 am
- Location: San Francisco, CA, USA
- Contact:
-
- Joomla! Fledgling
- Posts: 2
- Joined: Fri Sep 07, 2007 7:12 am
Re: Expose Flash Gallery RC4 vulnerability
hi,
I just found this thread yesterday. I'm also using the Expose gallery and had some .php files in my img folder. I deleted them all and patched the gallery to 4.6.1 as described. How can I now find out if the hacker has changed more files on the server? At first view everything looks OK, but I don't know how to check it.
In my webstats I found one referrer URL from [ ** removed hacker's list (kudos) **] to my site! Does someone know what that means?
thx a lot
yours kleines_d
-
- Joomla! Apprentice
- Posts: 17
- Joined: Sun Dec 24, 2006 5:54 pm
- Location: Antwerp
Re: Expose Flash Gallery RC4 vulnerability
Sync it with your latest backup. Fixed my site in no time like this.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Fri Sep 07, 2007 7:12 am
Re: Expose Flash Gallery RC4 vulnerability
Hi, thanks for your answer. But what do you mean with sync exactly? I have a backup, but how can I synchronize it?
-
- Joomla! Apprentice
- Posts: 17
- Joined: Sun Dec 24, 2006 5:54 pm
- Location: Antwerp
Re: Expose Flash Gallery RC4 vulnerability
Synchronizing = checking the contents of two (or more) directories and their sub-directories, and replacing/deleting/adding the destination files with the latest/missing/added source files, depending on your settings. So you need to unzip the backup locally and sync it by FTP with your server contents. I use the free version of SyncBack for it. It will show all differences before changing anything.
-
- Joomla! Fledgling
- Posts: 3
- Joined: Thu Dec 07, 2006 9:35 pm
Re: Expose Flash Gallery RC4 vulnerability
My webpage was hacked yesterday; unfortunately I used RC 3.5.
The guys found my page via http://www.google.com.tr/search?q=fan+% ... rt=60&sa=N
They altered the index.php.
I restored a clean backup and uninstalled expose.
That's all folks.
-
- Joomla! Apprentice
- Posts: 17
- Joined: Sun Dec 24, 2006 5:54 pm
- Location: Antwerp
Re: Expose Flash Gallery RC4 vulnerability
...the reason why you need to update your components from time to time
Issue solved in 4.6.1. Download at http://joomlacode.org/gf/project/expose/frs/
-
- Joomla! Guru
- Posts: 510
- Joined: Sat Aug 20, 2005 4:12 pm
Re: Expose Flash Gallery RC4 vulnerability
Tokapi wrote: Sync it with your latest backup. Fixed my site in no time like this.
My Expose got hacked as well. How exactly do you do this?
-
- Joomla! Guru
- Posts: 510
- Joined: Sat Aug 20, 2005 4:12 pm
Re: Expose Flash Gallery RC4 vulnerability
My hacker redirected my website to his page.
I search my MySQL db for their URL via phpmyadmin.
jos_menu (1 of these)
jos_categories (2 of these)
(link now dead)
Once I have removed these ... all seems well. I think I have a backup. I'll have to see how good it is.
I *ALMOST* got good at backing up before the hack
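The post above found the attacker's URL by searching the database table by table in phpMyAdmin. The following added example (not from the thread, not Joomla or phpMyAdmin code) does the same pass over a SQL dump file, so every table is covered at once and the matching rows are listed for cleanup. The dump text and the domain attacker-site.invalid are constructed for the demo; feed it the text of a real phpMyAdmin export and the string you are hunting for.

```python
"""Search a SQL dump for a string (for example an injected redirect URL) and
report which tables and rows contain it.

DEMO_DUMP and the domain attacker-site.invalid are constructed placeholders;
replace them with a real phpMyAdmin export and the URL found on the site.
"""
import re

# One phpMyAdmin-style INSERT per line: optional column list, then VALUES (...),(...);
INSERT_RE = re.compile(
    r"^INSERT INTO `?(\w+)`?\s*(?:\([^)]*\)\s*)?VALUES\s*(.*);\s*$", re.IGNORECASE
)

# Constructed dump: a clean table plus two tables carrying the injected URL.
DEMO_DUMP = """\
-- constructed demo dump, not taken from a real site
CREATE TABLE `jos_menu` (`id` int, `name` varchar(255), `link` varchar(255));
INSERT INTO `jos_menu` (`id`, `name`, `link`) VALUES (1, 'Home', 'index.php?option=com_frontpage'), (2, 'Gallery', 'http://attacker-site.invalid/redirect');
INSERT INTO `jos_categories` (`id`, `title`, `description`) VALUES (1, 'News', '<p>Latest news</p>'), (2, 'Links', '<a href=http://attacker-site.invalid/>x</a>'), (3, 'Hacked', 'http://attacker-site.invalid/defaced');
INSERT INTO `jos_content` (`id`, `title`) VALUES (1, 'Welcome');
"""


def find_in_dump(dump_text, needle):
    """Map table name -> list of row value lists (as text) that contain needle."""
    hits = {}
    for line in dump_text.splitlines():
        match = INSERT_RE.match(line)
        if not match:
            continue  # CREATE TABLE statements, comments, blank lines
        table, values = match.group(1), match.group(2)
        # Split a multi-row VALUES list on the "),(" row boundary. Adequate for
        # phpMyAdmin exports; a value that itself contains "),(" would be split too.
        rows = re.split(r"\),\s*\(", values)
        matching = [row.strip("()") for row in rows if needle in row]
        if matching:
            hits.setdefault(table, []).extend(matching)
    return hits


def summarize(hits):
    """Reduce the hit map to table -> number of affected rows."""
    return {table: len(rows) for table, rows in hits.items()}


if __name__ == "__main__":
    found = find_in_dump(DEMO_DUMP, "attacker-site.invalid")
    for table, rows in found.items():
        print(f"{table} ({len(rows)} of these)")
        for row in rows:
            print("   ", row)
```

Run it against a real export to get the same "jos_menu (1 of these) / jos_categories (2 of these)" style list the poster compiled by hand, with the offending rows shown so they can be edited or restored from a clean backup.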
-
- Joomla! Fledgling
- Posts: 4
- Joined: Wed May 17, 2006 2:57 pm
Re: Expose Flash Gallery RC4 vulnerability
Some components can be 'upgraded' - what is the path with Expose? I have 4.6, got hacked, fixed the hack and the holes (removed the vulnerable files and the foreign php files from the hacker). What is the least painful way to upgrade to 4.6.1?
-
- Joomla! Apprentice
- Posts: 17
- Joined: Sun Dec 24, 2006 5:54 pm
- Location: Antwerp
Re: Expose Flash Gallery RC4 vulnerability
Quote: What is the least painful way to upgrade to 4.6.1
Download the patch file from http://joomlacode.org/gf/project/expose/frs/ and apply the changes as described in the included readme file.
Quote: Sync it with your latest backup. Fixed my site in no time like this.
I always have an offline copy of the site somewhere. Just use a sync/backup/restore tool (like SyncBack or so) to merge this copy with the live site, and all differences will appear. It's up to you to define in the profile what the tool should do with the differences.
Note: besides the files, you'll need an SQL backup too (with phpmyadmin)!
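Both replies about syncing (the SyncBack explanation earlier in the thread and the merge-with-offline-copy advice just above) come down to one check: compare a trusted backup against the live files and look at every difference. The added example below (not from the thread, not SyncBack or Expose code) does that comparison in Python by hashing every file on both sides and classifying each path as added, modified or removed. The two directory trees are constructed in a temporary folder so it runs offline; point compare_trees() at a real unzipped backup and a real download of the live site to use it.

```python
"""Compare a clean offline backup of a site against the live document root.

Reports files present only on the live side (e.g. a dropped PHP file in an
images folder), files whose contents changed (e.g. an altered index.php), and
files missing from the live side. build_demo() creates constructed trees so
the script runs offline; the paths and contents in it are placeholders.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (relative, forward-slash path) to its hash."""
    table = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = hash_file(full)
    return table


def compare_trees(backup_root, live_root):
    """Classify differences between a trusted backup and the live tree."""
    backup = snapshot(backup_root)
    live = snapshot(live_root)
    added = sorted(p for p in live if p not in backup)
    removed = sorted(p for p in backup if p not in live)
    modified = sorted(p for p in live if p in backup and live[p] != backup[p])
    return {"added": added, "modified": modified, "removed": removed}


def _write(root, rel, content):
    """Create a text file at root/rel, making parent directories as needed."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_demo():
    """Create constructed backup and live trees; returns (backup, live) paths."""
    base = tempfile.mkdtemp(prefix="site-diff-")
    backup = os.path.join(base, "backup")
    live = os.path.join(base, "live")
    # Constructed clean site as it was backed up.
    _write(backup, "index.php", "<?php echo 'hello'; ?>\n")
    _write(backup, "components/com_expose/expose.php", "<?php // gallery\n")
    _write(backup, "images/logo.png", "PNG-DATA\n")
    # Constructed live site: index.php changed, an unexpected PHP file in
    # images/, and one original file gone.
    _write(live, "index.php", "<?php header('Location: http://example.invalid/'); ?>\n")
    _write(live, "images/logo.png", "PNG-DATA\n")
    _write(live, "images/rr.php", "<?php /* unexpected file */ ?>\n")
    return backup, live


if __name__ == "__main__":
    backup_dir, live_dir = build_demo()
    report = compare_trees(backup_dir, live_dir)
    for kind in ("added", "modified", "removed"):
        for path in report[kind]:
            print(f"{kind:8s} {path}")
```

Hashing rather than comparing timestamps matters here: an attacker-modified file can keep its old modification time, while a content hash cannot be faked without changing the bytes. As the note above says, the database needs the same treatment separately; this script only covers files.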
-
- Joomla! Enthusiast
- Posts: 166
- Joined: Tue Oct 03, 2006 8:09 pm
Re: Expose Flash Gallery RC4 vulnerability
Hi all,,
I have installed Expose 4.6.1 but I couldn't see any file called uploadimg.php addressed like:
administrator/components/com_expose/uploadimg.php
Has the bug been fixed or do I have to make any changes for any file??
Thanks a lot
Just May Bailey
-
- Joomla! Apprentice
- Posts: 17
- Joined: Sun Dec 24, 2006 5:54 pm
- Location: Antwerp
Re: Expose Flash Gallery RC4 vulnerability
Yes, you only need to remove this file in RC4. Expose 4.6.1 and now 4.6.2 are patched.
-
- Joomla! Apprentice
- Posts: 13
- Joined: Fri Sep 28, 2007 6:38 am
Re: Expose Flash Gallery RC4 vulnerability
Hi,
I just installed Expose 4.6.2 and still found these 5 files have no _VALID_MOS.
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/app/Actions.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/app/Executive.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/app/php5Executive.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/io/AMFDeserializer.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/io/AMFSerializer.php File does not contain _VALID_MOS. Read more
Adding _VALID_MOS will make the component not function properly. Can you confirm that by not having _VALID_MOS for these 5 files, it is safe to use Expose? I know there might be another hole from other files, but my concern at least from these 5 files first. Thank you in advance.
-
- Joomla! Apprentice
- Posts: 17
- Joined: Sun Dec 24, 2006 5:54 pm
- Location: Antwerp
Re: Expose Flash Gallery RC4 vulnerability
Amfphp is a Remote Procedure Call plugin, used for seamless communication between Flash and PHP (and other languages). According to its developers (http://amfphp.sourceforge.net), it should be safe, and we haven't found any hack using this plugin yet.
The risk depends on how the tool is communicating between, in our situation, flash and php.
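The scanner output quoted two posts up flags PHP files that lack the Joomla 1.0 direct-access guard, and the reply explains why the amfphp gateway files are expected to lack it. The added example below (not from the thread, not Joomla, Expose or amfphp code) automates that review: it scans a component tree for .php files without a `defined('_VALID_MOS')` check, keeps the five known amfphp paths from the scanner output on an allowlist, and reports the two groups separately so a leftover, unexplained unguarded file stands out. The directory tree, the file leftover.php and its contents are constructed for the demo.

```python
"""Report PHP files in a Joomla 1.0 component that lack the _VALID_MOS guard.

Known direct-entry files (here the five amfphp files listed in the thread,
relative to components/com_expose) are allowlisted but still reported in a
separate group, so the reviewer sees exactly which unguarded files are
accounted for. The demo tree built by build_demo() is constructed.
"""
import os
import re
import tempfile

# Matches the usual guard: defined( '_VALID_MOS' ) or die( ... );
GUARD_RE = re.compile(r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)", re.IGNORECASE)

# Paths from the thread's scanner output, relative to components/com_expose.
KNOWN_UNGUARDED = {
    "expose/manager/amfphp/amf-core/app/Actions.php",
    "expose/manager/amfphp/amf-core/app/Executive.php",
    "expose/manager/amfphp/amf-core/app/php5Executive.php",
    "expose/manager/amfphp/amf-core/io/AMFDeserializer.php",
    "expose/manager/amfphp/amf-core/io/AMFSerializer.php",
}


def has_guard(source):
    """True if the PHP source contains a _VALID_MOS direct-access check."""
    return bool(GUARD_RE.search(source))


def scan_component(root, allowlist=frozenset()):
    """Return {"flagged": [...], "allowlisted": [...]} of unguarded .php paths."""
    flagged, allowlisted = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                if has_guard(fh.read()):
                    continue
            (allowlisted if rel in allowlist else flagged).append(rel)
    return {"flagged": sorted(flagged), "allowlisted": sorted(allowlisted)}


def _write(root, rel, content):
    """Create a text file at root/rel, making parent directories as needed."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_demo():
    """Create a constructed com_expose tree and return its root path."""
    root = os.path.join(tempfile.mkdtemp(prefix="valid-mos-"), "com_expose")
    guard = "<?php defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );\n"
    _write(root, "expose.php", guard + "// gallery front end\n")
    _write(root, "expose/manager/amfphp/amf-core/app/Actions.php", "<?php // amfphp, no guard\n")
    _write(root, "expose/manager/amfphp/amf-core/io/AMFSerializer.php", "<?php // amfphp, no guard\n")
    # Constructed leftover: unguarded and not on the allowlist, so it is flagged.
    _write(root, "expose/manager/leftover.php", "<?php // unexplained file\n")
    _write(root, "expose/readme.txt", "not php\n")
    return root


if __name__ == "__main__":
    report = scan_component(build_demo(), KNOWN_UNGUARDED)
    for path in report["allowlisted"]:
        print("known   ", path)
    for path in report["flagged"]:
        print("REVIEW  ", path)
```

The guard only prevents a file from being requested directly with the framework absent; as the reply says, the real risk in a gateway file lies in what it does with the data Flash sends it, which this check does not assess. Treat a flagged file as something to explain or remove, and an allowlisted one as a file to keep updated with the component.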