Joomla! Discussion Forums



It is currently Thu Nov 26, 2009 2:33 am (All times are UTC)

[ 76 posts ]  Go to page Previous  1, 2, 3
Posted: Fri Aug 24, 2007 7:18 pm
Joomla! Fledgling
Joined: Fri Aug 24, 2007 7:12 pm
Posts: 1
My site also was defaced. I didn't know what happened, because my provider stopped logging  >:( a while ago. But now I know; I also found the rr.php and other stuff. It's great to have a patch so soon, keep up the great job.

Thanks maxzz


Posted: Thu Sep 06, 2007 2:49 am
Joomla! Intern
Joined: Sun Sep 04, 2005 4:42 am
Posts: 84
Location: San Francisco, CA, USA
thx!!!!  ;D

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Fri Sep 07, 2007 7:22 am
Joomla! Fledgling
Joined: Fri Sep 07, 2007 7:12 am
Posts: 2
Hi,

I just found this thread yesterday. I'm also using the Expose gallery and had some .php's in my img folder. I deleted them all and patched the gallery to 4.6.1 as described. How can I now find out if the hacker has changed more files on the server? At first view everything looks ok, but I don't know how to check it?

In my webstats I found one referrer URL from zone-h.org to my site! Does someone know what that means?

thx a lot

yours kleines_d


Posted: Fri Sep 07, 2007 5:07 pm
Joomla! Apprentice
Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
Sync it with your latest backup. Fixed my site in no time like this.


Posted: Sat Sep 08, 2007 6:21 am
Joomla! Fledgling
Joined: Fri Sep 07, 2007 7:12 am
Posts: 2
Hi, thx for your answer. But what do you mean with sync exactly? I have a backup, but how can I synchronize it?


Posted: Sat Sep 08, 2007 3:24 pm
Joomla! Apprentice
Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
Synchronizing = checking the contents of two (or more) directories and their sub-directories, replacing/deleting/adding the destination files with the latest/missing/added source files depending on your settings. So you need to unzip the backup locally and sync it by FTP with your server contents. I use the free version of SyncBack for it. It will show all differences before changing anything.


Posted: Mon Sep 24, 2007 11:43 am
Joomla! Fledgling
Joined: Thu Dec 07, 2006 9:35 pm
Posts: 3
My webpage was hacked yesterday, unfortunately I used RC 3.5  :-[
The guys found my page via http://www.google.com.tr/search?q=fan+%3Dcom_expose&hl=tr&start=60&sa=N

They altered the index.php.
I restored a clean backup and uninstalled expose.

That's all folks.


Posted: Mon Sep 24, 2007 3:01 pm
Joomla! Apprentice
Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
...the reason why you need to update your components from time to time ;)
Issue solved in 4.6.1. Download at http://joomlacode.org/gf/project/expose/frs/


Posted: Mon Oct 08, 2007 12:31 am
Joomla! Explorer
Joined: Sat Aug 20, 2005 4:12 pm
Posts: 463
Tokapi wrote:
Sync it with your latest backup. Fixed my site in no time like this.


My Expose got hacked as well..
How exactly do you do this?


Posted: Mon Oct 08, 2007 12:43 am
Joomla! Explorer
Joined: Sat Aug 20, 2005 4:12 pm
Posts: 463
My hacker redirected my website to his page.

I searched my MySQL db for their URL via phpMyAdmin.

jos_menu (1 of these)
jos_categories (2 of these)

(link now dead)

Once I have removed these ... all seems well. I think I have a backup. I'll have to see how good it is.

I *ALMOST* got good at backing up before the hack

:(
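The post above found the injected URL by searching the database by hand in phpMyAdmin. The following is an added example (not code from this thread or from Joomla) that does the same search over a phpMyAdmin SQL export, so the list of affected tables and row counts can be recorded before anything is cleaned up. The dump text and the indicator `attacker.invalid` are constructed sample data; the row splitting assumes the one-row-per-line layout phpMyAdmin produces.

```python
"""Find which tables of a SQL export contain a given indicator (e.g. a defacement URL).

Added example, not from the thread: it parses INSERT statements out of a dump
and counts the rows per table that contain the indicator, case-insensitively.
Read-only: it reports, it does not modify the dump or the database.
"""
import re

# One INSERT statement: table name, optional column list, VALUES clause up to the
# terminating semicolon at end of line (phpMyAdmin puts each row on its own line).
INSERT_RE = re.compile(
    r"INSERT INTO `?(\w+)`?\s*(?:\([^)]*\))?\s*VALUES\s*(.*?);\s*$",
    re.IGNORECASE | re.DOTALL | re.MULTILINE,
)


def find_indicator(dump_text, indicator):
    """Return {table: number_of_rows_containing_indicator}, omitting tables with no hits."""
    needle = indicator.lower()
    hits = {}
    for match in INSERT_RE.finditer(dump_text):
        table, values = match.group(1), match.group(2)
        # Split the VALUES clause into rows. This is a simplification that works for
        # phpMyAdmin exports; a row whose text itself contains "),(" would be split twice.
        rows = re.split(r"\),\s*\(", values)
        count = sum(1 for row in rows if needle in row.lower())
        if count:
            hits[table] = hits.get(table, 0) + count
    return hits


# Constructed sample, modelled on a phpMyAdmin export of a Joomla 1.0 site.
# "attacker.invalid" is a placeholder for the real defacement host.
SAMPLE_DUMP = """
INSERT INTO `jos_menu` (`id`, `name`, `link`) VALUES
(1, 'Home', 'index.php?option=com_frontpage'),
(2, 'Gallery', 'http://attacker.invalid/deface.html');
INSERT INTO `jos_categories` (`id`, `title`, `description`) VALUES
(1, 'News', '<a href="http://attacker.invalid/deface.html">x</a>'),
(2, 'Photos', 'see http://ATTACKER.invalid/deface.html'),
(3, 'About', 'nothing here');
INSERT INTO `jos_content` (`id`, `title`) VALUES
(1, 'Welcome');
"""

if __name__ == "__main__":
    for table, count in find_indicator(SAMPLE_DUMP, "attacker.invalid").items():
        print(f"{table}: {count} row(s)")
```

On the sample this reports one row in `jos_menu` and two in `jos_categories`, the same shape of result the poster got by hand. Run it against an export taken before cleanup so the evidence survives the restore.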


Posted: Mon Oct 08, 2007 5:19 am
Joomla! Fledgling
Joined: Wed May 17, 2006 2:57 pm
Posts: 4
Some components can be 'upgraded' - what is the path with Expose?  I have 4.6, got hacked.  Fixed the hack and the holes (removed the vulnerable files and the foreign php files from the hacker).  What is the least painful way to upgrade to 4.6.1?


Posted: Mon Oct 08, 2007 3:44 pm
Joomla! Apprentice
Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
Quote:
What is the least painful way to upgrade to 4.6.1

Download the patch file from http://joomlacode.org/gf/project/expose/frs/ and apply the changes like described in the included readme file.
Quote:
Sync it with your latest backup. Fixed my site in no time like this.

I always have an offline copy of the site somewhere. Just use a sync/backup/restore tool (like SyncBack or so) to merge this copy with the live site, and all differences will appear. It's up to you to define in the profile what the tool should do with the differences.
Note: besides the files, you'll need an SQL backup too (with phpMyAdmin)!
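Both this post and the earlier "Synchronizing = ..." explanation describe comparing a known-clean offline copy with the live site so that every difference shows up. The script below is an added example of that comparison (it is not from the thread and is not SyncBack); it hashes every file in a backup tree and a live tree and reports what was added, modified or deleted, without changing anything. The two directory trees it builds are constructed sample data; `rr.php` is used only as a file name because the thread mentions it, and its content is a placeholder comment.

```python
"""Report files that differ between a clean backup tree and the live site tree.

Added example, not code from the thread or from SyncBack. Files present only
on the live side are candidates for dropped web shells (the thread's rr.php),
changed files are candidates for tampering (an edited index.php), and missing
files are candidates for deletion by the intruder. Nothing is written to either tree.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            digests[path.relative_to(root).as_posix()] = digest.hexdigest()
    return digests


def compare_trees(backup_root, live_root):
    """Return {'added': [...], 'deleted': [...], 'modified': [...]} relative to the backup."""
    backup = hash_tree(backup_root)
    live = hash_tree(live_root)
    common = set(backup) & set(live)
    return {
        "added": sorted(set(live) - set(backup)),
        "deleted": sorted(set(backup) - set(live)),
        "modified": sorted(p for p in common if backup[p] != live[p]),
    }


def build_sample():
    """Create a small constructed backup/live pair in a temp dir and return both paths."""
    base = Path(tempfile.mkdtemp(prefix="site-diff-"))
    backup, live = base / "backup", base / "live"
    clean_files = {
        "index.php": "<?php defined('_VALID_MOS') or die(); echo 'home';\n",
        "components/com_expose/expose.php": "<?php // gallery entry point\n",
        "images/logo.png": "PNG-DATA",
    }
    for rel, body in clean_files.items():
        for root in (backup, live):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Simulate the thread's findings on the live side: an extra PHP file in the
    # image folder, an altered index.php, and one component file gone.
    (live / "images/rr.php").write_text("<?php /* constructed placeholder file */\n")
    (live / "index.php").write_text("<?php echo 'altered by someone else';\n")
    (live / "components/com_expose/expose.php").unlink()
    return backup, live


if __name__ == "__main__":
    backup_dir, live_dir = build_sample()
    for kind, paths in compare_trees(backup_dir, live_dir).items():
        for rel in paths:
            print(f"{kind:9} {rel}")
```

In practice the "live" tree is a fresh FTP download of the server, and the report is reviewed before any file is replaced, which is the same "show all differences before changing anything" behaviour the post attributes to SyncBack. As the post notes, this covers files only; the database needs its own export and comparison.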


Posted: Fri Nov 16, 2007 9:28 am
Joomla! Enthusiast
Joined: Tue Oct 03, 2006 8:09 pm
Posts: 135
Hi all,

I have installed Expose 4.6.1 but I couldn't see any file called uploadimg.php at:
administrator/components/com_expose/uploadimg.php

Has the bug been fixed or do I have to make any changes to any file?

Thanks a lot

_________________
Just May Bailey


Posted: Sat Nov 17, 2007 4:23 pm
Joomla! Apprentice
Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
Yes, you only need to remove this file in RC4.  Expose 4.6.1 and now 4.6.2 are patched.


Posted: Thu Nov 29, 2007 5:46 am
Joomla! Apprentice
Joined: Fri Sep 28, 2007 6:38 am
Posts: 13
Hi,

I just installed Expose 4.6.2 and still found these 5 files have no _VALID_MOS.

SECURITY /components/com_expose/expose/manager/amfphp/amf-core/app/Actions.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/app/Executive.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/app/php5Executive.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/io/AMFDeserializer.php File does not contain _VALID_MOS. Read more
SECURITY /components/com_expose/expose/manager/amfphp/amf-core/io/AMFSerializer.php File does not contain _VALID_MOS. Read more

Adding _VALID_MOS will make the component not function properly. Can you confirm that, without _VALID_MOS in these 5 files, it is safe to use Expose? I know there might be another hole in other files, but my concern for now is these 5 files. Thank you in advance.
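The report quoted above comes from a scanner that flags PHP files lacking the Joomla 1.0 direct-access guard, `defined('_VALID_MOS') or die(...)`. The following added example (not the scanner the poster used, and not Expose or amfphp code) shows how such a check works: it matches the common spellings of the guard and lists the PHP files that lack it. The file contents are constructed samples; the paths reuse the amfphp layout from the post only as labels.

```python
"""List PHP files that do not carry the Joomla 1.0 _VALID_MOS direct-access guard.

Added example, not the poster's scanner. The guard line in Joomla 1.0 code looks like
    defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
and prevents a file from running when requested directly rather than via index.php.
"""
import re
from pathlib import Path

# Accept single or double quotes, optional spaces, and either "or" or "||" before die().
GUARD_RE = re.compile(
    r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*(?:or|\|\|)\s*die""",
    re.IGNORECASE,
)


def has_valid_mos_guard(source):
    """True if the PHP source contains a recognised _VALID_MOS guard."""
    return bool(GUARD_RE.search(source))


def files_missing_guard(sources):
    """sources: {path: php_source}. Return sorted .php paths whose source lacks the guard."""
    return sorted(
        path for path, src in sources.items()
        if path.endswith(".php") and not has_valid_mos_guard(src)
    )


def scan_directory(root):
    """Read every .php file under root and return the paths lacking the guard."""
    root = Path(root)
    sources = {
        p.relative_to(root).as_posix(): p.read_text(errors="replace")
        for p in root.rglob("*.php") if p.is_file()
    }
    return files_missing_guard(sources)


# Constructed sample sources; only the path names echo the layout from the post.
SAMPLE_SOURCES = {
    "components/com_expose/expose.php":
        "<?php\ndefined('_VALID_MOS') or die('Direct Access to this location is not allowed.');\n",
    "components/com_expose/expose/manager/amfphp/gateway.php":
        '<?php\ndefined( "_VALID_MOS" ) || die();\n',
    "components/com_expose/expose/manager/amfphp/amf-core/app/Actions.php":
        "<?php\nclass Actions {\n    function run() { return true; }\n}\n",
    "components/com_expose/expose/manager/amfphp/amf-core/io/AMFSerializer.php":
        "<?php\n// serializer: no guard, included by gateway.php\n",
    "images/readme.txt": "not a PHP file, ignored by the scan",
}

if __name__ == "__main__":
    for path in files_missing_guard(SAMPLE_SOURCES):
        print("SECURITY", path, "File does not contain _VALID_MOS")
```

A hit from this check is a finding to triage, not a confirmed hole: as the reply in this thread explains, the amfphp files are a gateway that Flash calls directly, so the guard would break them by design, and what matters for such files is whether the code they expose does its own access control. The check is useful for spotting files that should only ever be included by index.php.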


Posted: Fri Nov 30, 2007 6:06 pm
Joomla! Apprentice
Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
Amfphp is a Remote Procedure Call plugin, used for seamless communication between Flash and PHP (and other languages). According to its developers (http://amfphp.sourceforge.net), it should be safe, and we haven't found any hack using this plugin yet.
The risk depends on how the tool communicates between, in our situation, Flash and PHP.

