The exploit affects the JCE Extension versions less than or equal to (<=) 2.0.10. The hack exploits or attempts to exploit any of these plugins for JCE: the Image Manager, Media Manager, Template Manager, and File Manager plugins.
An Auto Shell Uploader exploit is available in the wild that uploads a shell exploit script as a gif file using a vulnerable version of JCE, changing the extension to php upon successful upload. Typical use would be to load the exploit into a bot, test any sites it is run against for an exploitable version, and then, if an exploitable version is found, upload the shell script and rename it.
The shell script is what is usually uploaded using the exploit, which leads to the hacker owning the entire domain account (all sites under a master account) even if the other sites are not vulnerable; no passwords or usernames are required. So, if you have multiple sites under one account, or you tend to sell space to multiple clients from the same account, then all sites are exposed to the risk of being hacked.
For those who are unfamiliar with a shell script, it shows the exploited account on the hacker's computer in a file-manager-type layout of the entire account. The script enables uploads, downloads, file manipulation and editing, timestamp manipulation, command-line execution of server commands, and other possibly more specific or custom things.
By default JCE only allows authors or above access from the front end to the editor, though the hack likely bypasses this requirement directly.
The patch, while apparently effective (I did not attempt the actual hack after applying the patch), does not do what the patch code says it does. The code says that admins and super admins would have full access to the editor's image manager button (which is one avenue the hack uses), etc. from the front end and block all other lower user level access, but this is not the case. The code blocks everyone from front end access to things like the image manager button. If that was the intent, a simple die statement would work without first getting the user level.
The code below would allow admins and super admins front end full access to the editor (able to use the image manager, etc.), while blocking front end full access from all other user levels, including the back end lower level (manager) users, or it did in my test environment (J! 1.5.26 and JCE 1.5.7.4). The code replaces all of what is in the jce_patch.php file.
Code:
<?php
// by Phil DeGruy, patch
// -----------------------------------------------------------------------------------------------
// no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );

// only act on requests aimed at the JCE component (option=com_jce, sent via GET or POST)
$option = isset($_POST['option']) ? $_POST['option'] : (isset($_GET['option']) ? $_GET['option'] : '');
if ($option == 'com_jce')
{
    // get the current user and test the user level
    $user = JFactory::getUser();
    if (($user->usertype == "Super Administrator") ||
        ($user->usertype == "Administrator")) {
        // admin-level user: let the request through to the editor function
        return;
    }
    else {
        // every other user level: report the denial and stop processing here
        echo "<h3><div style='text-align:center; color:red'>", htmlspecialchars($user->usertype), " user level access to this JCE Editor function has been Denied</div></h3>";
        die;
    }
}
?>
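The upload behaviour described at the top of the post (a script uploaded under a gif name, then renamed to php) leaves two kinds of trace in the upload directory: an "image" whose bytes contain a PHP open tag, and a script extension sitting where only images belong. The following scanner is an added example for site owners checking their own upload tree; it is not part of the original post or of JCE, and the directory layout (images/stories) and the constructed sample files are assumptions for the demonstration.

```python
import os
import tempfile

# Image extensions the editor's image manager is expected to accept, mapped to
# the magic bytes a genuine file of that type starts with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Extensions a default mod_php setup will execute; none of these belong in an image directory.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml"}
PHP_MARKERS = (b"<?php", b"<?=")


def classify_file(path):
    """Return the list of reasons this file looks like a disguised script (empty when clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in SCRIPT_EXTS:
        reasons.append("script extension inside an upload directory")
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            reasons.append("image extension but header does not match %s" % ext)
        if any(marker in data for marker in PHP_MARKERS):
            reasons.append("image file contains a PHP open tag")
    return reasons


def scan_upload_dir(root):
    """Walk an upload tree and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_tree():
    """Constructed sample upload tree (assumption: Joomla-style images/stories layout).

    Contains one clean gif, one gif with a harmless PHP marker appended, the same
    content renamed to .php, and a .gif whose bytes are not an image at all.
    """
    root = tempfile.mkdtemp(prefix="jce_scan_")
    stories = os.path.join(root, "images", "stories")
    os.makedirs(stories)
    with open(os.path.join(stories, "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 32)
    with open(os.path.join(stories, "banner.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed marker, no code */ ?>")
    with open(os.path.join(stories, "banner.php"), "wb") as fh:
        fh.write(b"GIF89a" + b"<?php /* constructed marker, no code */ ?>")
    with open(os.path.join(stories, "fake.gif"), "wb") as fh:
        fh.write(b"not an image at all")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, why in sorted(scan_upload_dir(sample_root).items()):
        print(rel_path, "->", "; ".join(why))
```

Run it against the real upload directory by calling scan_upload_dir with that path instead of the sample tree. A match on "image file contains a PHP open tag" is the stronger signal, since a clean image has no reason to carry one; a header mismatch on its own can also be a mislabelled but harmless file, so check those by hand.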