[UPGRADE AVAIL.] User Home Page versions 0.5 and 2
Posted: Sun Jul 30, 2006 10:33 am
by troopy
My site got hacked twice, nothing too serious so far as only the index.php was replaced with something in Turkish.
The first time I noticed by looking at the statistics that the last visitor before the hack was an IP from Turkey that searched "com_extcalendar" on Google and thus found my site. I've since sorted com_extcalendar out.
Yesterday there was a second hack, and again the last visitor that appeared in the statistics was an IP from Turkey, but this time it had searched "com_uhp" on Google. Quite a few of the other sites that appeared on the Google results page had also been hacked in exactly the same way.
Are there any security issues with com_uhp? I've removed it from the server for the time being, although it does not seem to be in the list of dangerous components. Any thoughts on the matter?
Re: User Home Page versions 0.5 and 2
Posted: Sun Jul 30, 2006 3:10 pm
by gustavo
Author: Hasibuan
Input passed to the "mosConfig_absolute_path" is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.
vuln: uhp_config.php
<?php
// uhp_config.php: $mosConfig_absolute_path is used unchecked in require()
global $mosConfig_absolute_path;
require($mosConfig_absolute_path."/administrator/components/com_uhp/uhp_config.inc");
?>
Have a nice day
Gustavo Raúl Aragón
Re: User Home Page versions 0.5 and 2
Posted: Sun Jul 30, 2006 3:27 pm
by infograf768
Merged these 2 topics as they are related.
Thanks Gustavo.
Re: User Home Page versions 0.5 and 2
Posted: Sun Jul 30, 2006 3:33 pm
by infograf768
Isn't footer.php also a problem in version 1.1.1?
global $mosConfig_absolute_path, $uhp;
require($mosConfig_absolute_path."/administrator/components/com_uhp2/uhp2_config.inc");
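The includes quoted in Gustavo's and infograf768's posts both trust $mosConfig_absolute_path, which a direct request can set when register_globals is on. As an added example (not code from the thread or from the UHP project), this is the same include with the direct-access guard Joomla 1.0 components use, plus a path check; the helper name uhp_resolve_include is assumed.

```php
<?php
// Hardened form of the com_uhp include (example code, not the project's own).
// _VALID_MOS is only defined when a component is loaded through Joomla's
// index.php, so a direct request to this file, where register_globals could
// seed $mosConfig_absolute_path from the query string, stops here.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

global $mosConfig_absolute_path;

// Assumed helper: resolve an include path and refuse anything that is not a
// real file inside the site root. realpath() returns false for URL wrappers
// (http://, ftp://) and for missing files; the prefix check rejects traversal
// out of the root. Returning the path keeps the include in the caller's scope
// so variables set by the config file remain visible to the component.
function uhp_resolve_include($root, $relative)
{
    $base   = realpath($root);
    $target = realpath($root . $relative);
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        die('Refusing to include a file outside the site root.');
    }
    return $target;
}

require uhp_resolve_include($mosConfig_absolute_path,
    '/administrator/components/com_uhp/uhp_config.inc');
?>
```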
Re: User Home Page versions 0.5 and 2
Posted: Mon Jul 31, 2006 1:22 pm
by Elpie
There is an exploit in the wild but no details of which version is vulnerable.
The latest available version is V1.1. You can get it here:
http://www.ravensportal.co.uk/
At this time I don't know if that version is vulnerable.
I have notified the developers.
Re: User Home Page versions 0.5 and 2
Posted: Mon Jul 31, 2006 1:47 pm
by brian
Re: User Home Page versions 0.5 and 2
Posted: Mon Jul 31, 2006 1:57 pm
by Elpie
The report I have seen clearly states UHP2, but not which version of 2.
Anyway, as I said, I have contacted the developers so no doubt we will soon have more information.
Re: User Home Page versions 0.5 and 2
Posted: Mon Jul 31, 2006 2:00 pm
by infograf768
Already posted here:
http://forum.joomla.org/index.php/topic,81308.0.html
If no one minds (I'll wait), I will merge these 2 threads and change title to reflect
Re: User Home Page versions 0.5 and 2
Posted: Mon Jul 31, 2006 10:57 pm
by ravenswood
Hi,
I'm the developer of UHP and UHP2 and can confirm the vulnerability.
New versions are available for download from
http://www.ravenswoodit.co.uk
If you are running UHP I would recommend upgrading to UHP2 as it is under active development, whereas UHP is effectively dead.
Cheers
John
Re: [UPGRADE AVAIL.] User Home Page versions 0.5 and 2
Posted: Tue Aug 01, 2006 1:37 pm
by Elpie
Jeepers, you are quick John! You really do deserve your reputation of being security-conscious devs. I am impressed with the fast turnaround. Thank you.
Re: [UPGRADE AVAIL.] User Home Page versions 0.5 and 2
Posted: Tue Aug 01, 2006 4:10 pm
by RobS
Added to the list of vulnerable components with reference to the update. Thanks for dealing with it so quickly.