[PATCH AVAIL.] OpenSEF 2.0.0 RC5

For all Non-Joomla! security issues. ie 3pd Components etc.

Taikonaut
Joomla! Enthusiast
Posts: 213
Joined: Wed Sep 28, 2005 1:52 pm

Patch doesn't help! OpenSEF 2.0.0 RC5 SP2 is vulnerable too

Post by Taikonaut » Wed Mar 05, 2008 11:34 am

OpenSEF 2.0.0 RC5 SP2 is vulnerable TOO!!!

check: http://www.securityfocus.com/bid/19600

My site got hacked via RFI (after finding the log entry I tried it myself), and removing OpenSEF made the shell access script stop working.
  • Delete all bad SEF-URLs in OpenSEF
  • Export the good ones to a csv using OpenSEF
  • Remove OpenSEF via Component installer
  • Install sh404SEF
  • Import the OpenSEF-CSV-Export
You won't see any differences in the frontend but now your site is safe again!

Regards,
Taiko

teclive
Joomla! Enthusiast
Posts: 158
Joined: Thu Nov 24, 2005 7:44 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by teclive » Fri Mar 07, 2008 12:19 am

Does sh404SEF work with Joomla! 1.0.15?

The site I am working on has been hit 4 times in the past 2 weeks, and always through com_sef, which is the OpenSEF component, so I need to get it changed, but I can't afford to lose the already existing URLs... I would be shot on the spot if I lose any info :'(

Taikonaut
Joomla! Enthusiast
Posts: 213
Joined: Wed Sep 28, 2005 1:52 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by Taikonaut » Fri Mar 07, 2008 1:24 am

@teclive:

Yes, it does!!! I did what I wrote above several times with sites running 1.0.13 and 1.0.15 without having any problems!

Just delete the unpublished and invalid URLs in OpenSEF, export the URLs (not the config etc.) in CSV format and import it afterwards into sh404SEF.

@mods: please update the vulnerability list!! It's quite urgent because many people use it.

teclive
Joomla! Enthusiast
Posts: 158
Joined: Thu Nov 24, 2005 7:44 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by teclive » Fri Mar 07, 2008 1:38 am

--'Tis ok, I found the import option--

Thanks a bunch for your advice my friend :D
I took your advice and uninstalled OpenSEF and installed sh404SEF, but I don't see a place in the admin to import the CSV file, so I have lost all the URLs on the live site :( :( big trouble for me

teclive
Joomla! Enthusiast
Posts: 158
Joined: Thu Nov 24, 2005 7:44 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by teclive » Fri Mar 07, 2008 1:48 am

ok... got a problem

http://www.huomah.com

If you click on any links on the left hand side, you get an error:

Parse error: syntax error, unexpected T_STRING in /home/huomahc/public_html/components/com_sef/cache/shCacheContent.php on line 227

However, if you use any of the top links they are fine... (ok, just checked again, seems all top ones are not fine either)

I don't know if it's because of the '_' in the URLs or not.

please help :'(

teclive
Joomla! Enthusiast
Posts: 158
Joined: Thu Nov 24, 2005 7:44 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by teclive » Fri Mar 07, 2008 2:06 am

The only URLs I can get to on the site are default ones; I can't even get to the main page anymore.

http://www.huomah.com/component/option,com_sefservicemap/Itemid,58/

teclive
Joomla! Enthusiast
Posts: 158
Joined: Thu Nov 24, 2005 7:44 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by teclive » Fri Mar 07, 2008 2:23 am

I looked at the line of code in the file it was saying the error was in...

It seems that it's a ' in the URL; it's supposed to be part of the URL though :(

line 15

$shURLDiskCache[9]='index.php?option=com_content&Itemid=37&id=21&lang=en&task=view#personal/family-life/elisia's-left-out.html#1';

The apostrophe is highlighted in my editor, in the word 'elisia's'.

I was able to fix the problem above, but now it's spitting out something else, an error on a new line, but this line reads as...

$shURLDiskCache[113]='index.php?option=com_content&Itemid=66&id=151&lang=en&task=view#search-engines/algorithm-matters/stay-off-the-lsi-bandwagon.html#1';

I don't get the problem; I don't see anything wrong in that line.
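The parse error quoted above comes from a URL being dropped into a single-quoted PHP literal without escaping: the apostrophe in "elisia's" closes the literal early and the rest of the line is parsed as stray tokens. The following is an added example, not code from sh404SEF or OpenSEF, showing the naive writer beside a safe one that uses var_export() and then lints the generated cache file with the php CLI (assumed to be on PATH). The two URLs are copied from the thread; the function names and the temporary file path are my own.

```php
<?php
// Added example, not code from sh404SEF or OpenSEF: how a URL cache written as
// PHP source must escape the URLs it stores. The two entries below are the
// ones quoted in the thread; the first contains an apostrophe ("elisia's").
$urls = [
    9   => "index.php?option=com_content&Itemid=37&id=21&lang=en&task=view"
         . "#personal/family-life/elisia's-left-out.html#1",
    113 => "index.php?option=com_content&Itemid=66&id=151&lang=en&task=view"
         . "#search-engines/algorithm-matters/stay-off-the-lsi-bandwagon.html#1",
];

// Naive writer: drops the URL straight into a single-quoted literal. The
// apostrophe in "elisia's" terminates the literal early, so PHP reports
// "syntax error, unexpected T_STRING" when the cache file is included.
function buildCacheLineNaive(int $index, string $url): string
{
    return '$shURLDiskCache[' . $index . "]='" . $url . "';";
}

// Safe writer: var_export() produces a valid single-quoted PHP literal,
// escaping backslashes and apostrophes (elisia\'s), whatever the URL holds.
function buildCacheLineSafe(int $index, string $url): string
{
    return '$shURLDiskCache[' . $index . ']=' . var_export($url, true) . ';';
}

// Write the cache file and lint it (same check as `php -l`) before trusting it.
// Assumes the php CLI is on PATH; a non-zero exit code means a broken file.
function writeCacheFile(string $path, array $urls): bool
{
    $lines = ['<?php', '$shURLDiskCache = array();'];
    foreach ($urls as $index => $url) {
        $lines[] = buildCacheLineSafe($index, $url);
    }
    file_put_contents($path, implode("\n", $lines) . "\n");
    exec('php -l ' . escapeshellarg($path) . ' 2>&1', $output, $exitCode);
    return $exitCode === 0;
}

echo buildCacheLineNaive(9, $urls[9]), "\n";   // literal ends at elisia'
echo buildCacheLineSafe(9, $urls[9]), "\n";    // apostrophe escaped
$tmp = tempnam(sys_get_temp_dir(), 'sefcache');
echo writeCacheFile($tmp, $urls) ? "cache file parses\n" : "cache file is broken\n";
unlink($tmp);
```

Run it with `php example.php`. Inside a single-quoted PHP literal only `'` and `\` need escaping, which is why entry 113, which contains neither, is valid on its own; a cache writer that escapes every stored URL the way var_export() does never produces a file that fails to parse.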

Taikonaut
Joomla! Enthusiast
Posts: 213
Joined: Wed Sep 28, 2005 1:52 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by Taikonaut » Fri Mar 07, 2008 12:39 pm

Actually, this is the wrong thread for a discussion of how to migrate from OpenSEF to sh404SEF. This thread is for security issues!!!

Go to: http://forum.joomla.org/viewtopic.php?f ... 1#p1228751

teclive
Joomla! Enthusiast
Posts: 158
Joined: Thu Nov 24, 2005 7:44 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by teclive » Fri Mar 07, 2008 2:56 pm

Sorry about that, I guess I lost track of where I was when I went into panic mode :)

Thanks for bringing it to my attention :)

Predator
Joomla! Ace
Posts: 1823
Joined: Wed Aug 17, 2005 10:12 pm
Location: Germany-Bad Abbach

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by Predator » Wed Mar 12, 2008 11:30 am

@Taikonaut
The security report you mentioned above has been retired: http://www.securityfocus.com/bid/19600/info. As stated here http://www.securityfocus.com/archive/1/ ... 0/threaded, this BID has been retired because this issue is not exploitable. So better check your logs again.
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D

Taikonaut
Joomla! Enthusiast
Posts: 213
Joined: Wed Sep 28, 2005 1:52 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by Taikonaut » Wed Mar 12, 2008 12:14 pm

@Predator

Thanks for your reply!

To find out where my vulnerability was, I successively uninstalled one component after another and tested the hack script each time. After uninstalling OpenSEF 2.0.0 RC5 SP2 the script didn't work anymore.

I'll have another look at my log files!

Predator
Joomla! Ace
Posts: 1823
Joined: Wed Aug 17, 2005 10:12 pm
Location: Germany-Bad Abbach

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by Predator » Wed Mar 12, 2008 12:29 pm

No prob, it was just a hint that the mentioned issue was not exploitable, so there must be another issue in OpenSEF (if it is the culprit) or somewhere else if not.

As I saw, this report was from 2006-08-19 00:00:00, so the patch in this thread was fixing this; not sure which version you have or got.