Expose Flash Gallery RC4 vulnerability

[maxzz]

My site also was defaced. I didn't know what happened, because my provider stopped logging  a while ago. but now I know, I also found the rr.php and other stuff. It's great to have a patch so soon, keep up the great job.

Thanks maxzz

[doctorj]

thx!!!! 

[kleines_d]

hi,

i just found this thread yesterday. i'm also using the expose gallery and had some .php's in my img folder. i deleted them all and patched the gallery to 4.6.1 as described. how can i now find out, if the hacker has changed more files on the server? on the first view everything looks ok, but i dont know how to check it?

In my webstats i found one referrer url from [ ** removed hacker's list (kudos) **] to my site! does someone knows what that means?

thx a lot

yours kleines_d

[Tokapi]

Sync it with your latest backup. Fixed my site in no time like this.

[kleines_d]

hi thx for ur answer. but what do u mean with sync exactly? i have a backup, but how can i syncronize it?

[Tokapi]

Synchronizing = checking the contents of two (or more) directories and its sub-directories, by replacing/deleting/adding the destination files with the latest/missing/added source files depending your settings.  So you need to unzip the backup locally and sync it by FTP with your server contents.  I use the free version of SyncBack for it. It will show all differences before changing anything.

[samoht]

my webpage was hacked yesterday, unfortunaletly i used RC 3.5 
The guys found my page via http://www.google.com.tr/search?q=fan+% ... rt=60&sa=N

They altered the index.php.
I restored a clean backup and uninstalled expose.

That's all folks.

[Tokapi]

...the reason why you need to update your components from time to time
Issue solved in 4.6.1. Download at http://joomlacode.org/gf/project/expose/frs/

[EMRhelp]

Sync it with your latest backup. Fixed my site in no time like this.

My Expose got hacked as well..
How exactly do you do this ? 

[EMRhelp]

My hacker redirected my website to his page.

I search my MySQL db for their URL via phpmyadmin.

jos_menu (1 of these)
jos_categories (2 of these)

(link now dead)

Once I have removed these ... all seems well. I think I have a backup. I'll have to see how good it is.

I *ALMOST* got good at backing up before the hack

[shotokai]

Some components can be 'upgraded' - what is the path with Expose?  I have 4.6, got hacked.  fixed the hack and the holes (removed the vunerable files and the foreign php files from the hacker).  What is the least painful way to upgrade to 4.6.1?

[Tokapi]

What is the least painful way to upgrade to 4.6.1

Download the patch file from http://joomlacode.org/gf/project/expose/frs/ and apply the changes like described in the included readme file.

Sync it with your latest backup. Fixed my site in no time like this.

I always have an offline copy of the site somewhere. Just use a sync/backup/restore-tool (like SyncBack or so) to merge this copy with the live site, and all differences will appear. It's up to you how to define the profile what the tool should do with the differences.
Note: besides the files, you'll neep an SQL backup too (with phpmyadmin)!

[may_bailey]

Hi all,,

I have installed expose 4.6.1 but I couldnt see any file called uploadimg.php addressed like :
administrator/components/com_expose/uploadimg.php

Has the bug been fixed or do I have to make any changes for any file??

Thanks a lot

[Tokapi]

Yes, you only need to remove this file in RC4.  Expose 4.6.1 and now 4.6.2 are patched.

[jaylenong]

Hi,

I just installed Expose 4.6.2 and still found these 5 files have no _VALID_MOS.

SECURITY /components/com_expose/expose/manager/amfphp/amf-core/app/Actions.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/app/Executive.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/app/php5Executive.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/io/AMFDeserializer.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/io/AMFSerializer.php File does not contain _VALID_MOS. Read more

Adding _VALID_MOS will make the component not function properly. Can you confirm that by not having _VALID_MOS for these 5 files, it is safe to use Expose? I know there might be another hole from other files, but my concern at least from these 5 files first. Thank you in advance.

[Tokapi]

Amfphp is a Remote Procedure Call plugin, used for seamless communication between flash and php (and other languages). Depending its developers (http://amfphp.sourceforge.net), it should be safe, and we didn't found any hack using this plugin yet.
The risk depends on how the tool is communicating between, in our situation, flash and php.