The Joomla! Forum ™





PostPosted: Mon Jul 10, 2006 11:17 am
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
The FacileForms site today also got defaced by somebody calling himself GokTurk; he replaced configuration.php.

We are running joomla 1.0.10. We were before running mambo 4.5.2 and never had any such problem.

From the server logs it could also be a vulnerability in com_docman instead of Joomla itself, but this is yet unconfirmed.

The offending IP was 85.108.211.155, belonging to TurkTelecom. All IPs of TurkTelecom have been locked out from FacileForms for security, and I highly recommend that every Joomla user do the same until this security hole is fixed. Also make sure your configuration.php is write-protected (chmod 444).


Last edited by RobS on Wed Jul 19, 2006 5:01 am, edited 1 time in total.

PostPosted: Mon Jul 10, 2006 11:27 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
It would be extremely helpful if you could send me a copy of the relevant log information by PM or contact me by PM and I will give you my email address.  I have seen a couple of reports of an issue but have not seen any logs or indication as to what they are actually doing. 

Thanks

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


PostPosted: Mon Jul 10, 2006 11:29 am
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1118
Location: Weymouth, UK
I personally helped someone yesterday who had Joomla 1.0.10 and got hacked - but it was a SimpleBoard hack and not a Joomla hack.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Mon Jul 10, 2006 11:30 am
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10530
Location: Leeds, UK
Yes, well, I posted a known vulnerability announcement in this forum about simpleboard some time ago.

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Mon Jul 10, 2006 11:41 am
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
I cannot exclude simpleboard at this time, but I'm still analyzing the logs.


PostPosted: Mon Jul 10, 2006 11:48 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Correct, there have also been reports of another vulnerability in Simpleboard that we are investigating.  From what I understand, Simpleboard isn't maintained for Joomla anymore and was replaced by an offshoot Joomlaboard.  I have tried to go to the Simpleboard maintainer's website but it is having issues.  

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


PostPosted: Mon Jul 10, 2006 12:02 pm
Joomla! Apprentice

Joined: Mon Jul 10, 2006 11:57 am
Posts: 5
Same problem at one of our sites this morning ... someone calling himself ENO7 TURKISH HACKER replaced the configuration.php with some html code displaying his message and a picture.

We are running joomla 1.0.10 since it was released, there was also phpBB2 component installed, but no simpleboard.

The process is currently under investigation.

Regards,

Mike


PostPosted: Mon Jul 10, 2006 12:03 pm
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
Is anyone on your server running php-Nuke, Peter? This idiot has mainly gone after php-Nuke sites. GokTurk and the sanalkabus.org attacks have been from the same origin and, so far, have relied on incorrect file permissions and register_globals ON to get in.
He is usually very obliging, and tells you which files have been defaced (usually index.php and configuration.php) and doesn't touch anything else. I hope your attack is nothing more than this.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


PostPosted: Mon Jul 10, 2006 12:38 pm
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
Yes, it finally is simpleboard!

We were running simpleboard, although all in read-only as reference for old posts (we have been on SMF for 2 months now).

This is the offending entry from the log file:

Code:
Code removed for security.


I HIGHLY RECOMMEND EVERYBODY WITH SIMPLEBOARD INSTALLED TO DISABLE IT IMMEDIATELY BY RENAMING THE FOLDER /components/com_simpleboard UNTIL A FIX FOR THE PROBLEM IS FOUND. UNPUBLISHING IT WILL NOT HELP, EITHER RENAME AS ADVISED OR UNINSTALL COMPLETELY.


Last edited by Anonymous on Mon Jul 10, 2006 12:47 pm, edited 1 time in total.

PostPosted: Mon Jul 10, 2006 12:41 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1118
Location: Weymouth, UK
I saw an example with file_upload.php and not image_upload.php

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Mon Jul 10, 2006 12:45 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
We were made aware of the vulnerability in image_upload a day or two ago.  I have since attempted to contact the developers of SimpleBoard/JoomlaBoard but have not heard back as of yet.  They should be aware of both issues now. 

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


PostPosted: Mon Jul 10, 2006 12:49 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
@Peter Koch,

Could you please PM me the relevant log.

Thank you.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


PostPosted: Mon Jul 10, 2006 12:54 pm
Joomla! Virtuoso

Joined: Fri Aug 19, 2005 8:46 am
Posts: 3011
Location: Stockholm, Sweden
Does anyone know if this vulnerability also affects joomlaboard?

Thanks

_________________
Industributik - http://www.industributiken.se


PostPosted: Mon Jul 10, 2006 12:57 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
I am not sure how long ago the deviation occurred, but to be on the safe side, I would assume that it does.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


PostPosted: Mon Jul 10, 2006 1:03 pm
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
Rob, I am preparing a complete log of all his activities and will PM it to you in short.


PostPosted: Mon Jul 10, 2006 1:42 pm
Joomla! Explorer

Joined: Mon Sep 05, 2005 3:50 pm
Posts: 251
To be on the safe side, I've renamed my com_joomlaboard directories, but after reviewing the SimpleBoard and the JoomlaBoard code, I believe this is a SimpleBoard only problem. Unfortunately since the exploit has been edited from the forum and I'm not one of those people "in the know" I can't say for certain.

RobS (or anyone else) - If you need an extra hand investigating this, feel free to contact me. I'm on the east coast of the US so my day is just starting.

david


PostPosted: Mon Jul 10, 2006 3:30 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Upon further investigation and a helpful suggestion by Elpie and Counterpoint at mamboguru.com who posted this http://forum.joomla.org/index.php/topic,75390.0.html

It seems that the problem that is facing both com_extcalender and com_simpleboard is a lack of valid component checking making it possible to call the php files for those components directly and additionally, include more PHP from a remote site into the code to execute.

I have checked Simpleboard 1.1.0 and it does have this problem; however, Joomlaboard 1.1.2 should NOT be affected by this problem. You have a couple of options for dealing with this problem:
1. Update your Simpleboard installations to Joomlaboard.
2. Manually insert the necessary code into all files installed by Simpleboard and com_ExtCalendar (Extended Calender 2) if you happen to be running that.

This code should be in all files installed by com_simpleboard and com_extcalender.  Basically, everything in /path/to/Joomla/components/com_extcalender,  /path/to/Joomla/administrator/components/com_extcalender, /path/to/Joomla/components/com_simpleboard, and /path/to/Joomla/administrator/components/com_simpleboard

Code:
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );


Refer to this link for more information about extCalender: http://forum.joomla.org/index.php/topic,75390.0.html

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
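
One way to find the files that still lack the guard described in the post above, as an added example that is not part of the original post and not Joomla! or SimpleBoard code. The function names `audit_guard` and `first_line`, the two regular expressions and the extra LATE check (an include/require that runs before the guard) are this example's own assumptions; the script only reads files.

```sh
#!/bin/sh
# Audit component directories for the "no direct access" guard.
# Output, one line per problem file:
#   MISSING <file>  no defined('_VALID_MOS') ... die guard in the file
#   LATE <file>     an include/require statement appears before the guard
# Correctly guarded files produce no output.

# Guard in either quote style, joined by "or", "OR" or "||".
GUARD_RE="defined[[:space:]]*[(][[:space:]]*['\"]_VALID_MOS['\"][[:space:]]*[)][[:space:]]*(or|OR|[|][|])[[:space:]]*die"
# include/require(_once) followed by "(", a quote or a variable.
INC_RE="(^|[^A-Za-z0-9_\$>])(include|require)(_once)?[[:space:]]*[('\"\$]"

# first_line REGEX FILE: print the line number of the first match, or 0.
first_line() {
    n=$(grep -n -E -e "$1" "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# audit_guard DIR...: check every .php file below the given directories.
audit_guard() {
    find "$@" -type f -name '*.php' | sort | while IFS= read -r f; do
        g=$(first_line "$GUARD_RE" "$f")
        i=$(first_line "$INC_RE" "$f")
        if [ "$g" -eq 0 ]; then
            echo "MISSING $f"
        elif [ "$i" -gt 0 ] && [ "$i" -lt "$g" ]; then
            echo "LATE $f"
        fi
    done
}

# Usage: sh audit_guard.sh components/com_simpleboard \
#            administrator/components/com_simpleboard
if [ "$#" -gt 0 ]; then
    audit_guard "$@"
fi
```

A file reported as LATE should be read by hand: the match is textual, so an include inside a function body that is only defined, not called, before the guard is reported as well.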


PostPosted: Mon Jul 10, 2006 4:26 pm
Joomla! Fledgling

Joined: Mon Jul 10, 2006 4:24 pm
Posts: 1
TITLE:
Mambo SimpleBoard Component "sbp" File Inclusion Vulnerability

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
SimpleBoard 1.x (component for Mambo)
http://secunia.com/product/10318/

DESCRIPTION:
h4ntu has discovered a vulnerability in the SimpleBoard component for
Mambo, which can be exploited by malicious people to compromise a
vulnerable system.

Input passed to the "sbp" parameter in
components/com_simpleboard/image_upload.php isn't properly verified,
before it is used to include files. This can be exploited to include
arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 1.1.0. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

PROVIDED AND/OR DISCOVERED BY:
h4ntu

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/1994

Can anyone tell me where I should moderate the file?
:-[

EDIT: Topic merged


Last edited by infograf768 on Mon Jul 10, 2006 4:55 pm, edited 1 time in total.

PostPosted: Mon Jul 10, 2006 4:38 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
We are aware of the problem and have addressed it in other topics on this board. 

See: http://forum.joomla.org/index.php/topic,75390.0.html
And: http://forum.joomla.org/index.php/topic,75668.0.html

EDIT: Topic merged

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Last edited by infograf768 on Mon Jul 10, 2006 4:55 pm, edited 1 time in total.

PostPosted: Tue Jul 11, 2006 11:24 am
Joomla! Enthusiast

Joined: Fri Feb 17, 2006 4:30 pm
Posts: 218
Thanks for the update folks. Very helpful information.

I would like to know what is the effect to joomla if Global_register is OFF?

Need to do more research on this board I guess.

:)

_________________
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6


PostPosted: Tue Jul 11, 2006 11:28 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
None, Joomla! does not require register globals.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


PostPosted: Tue Jul 11, 2006 11:43 am
Joomla! Enthusiast

Joined: Fri Feb 17, 2006 4:30 pm
Posts: 218
RobS wrote:
None, Joomla! does not require register globals.


thanks robs.

_________________
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6


PostPosted: Tue Jul 11, 2006 11:55 am
Joomla! Apprentice

Joined: Tue Nov 15, 2005 4:59 pm
Posts: 25
had the same issues. the css files weren't loading either. then i renamed the simpleboard folder and it's fixed itself. weird.

and i thought i was the only one to be affected.


PostPosted: Tue Jul 11, 2006 12:20 pm
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10530
Location: Leeds, UK
Can I respectfully suggest that people subscribe to this forum for notifications of new posts.

I reported the vulnerability in simpleboard back on June 2.

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Tue Jul 11, 2006 1:29 pm
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
brian wrote:
Can I respectfully suggest that people subscribe to this forum for notifications of new posts.

I reported the vulnerability in simpleboard back on June 2.


You are perfectly right about the subscription.

However, may I respectfully remark we are discussing here a new issue classified as highly critical in http://secunia.com/advisories/20981/, and not the moderately critical issue you posted back in June.


PostPosted: Tue Jul 11, 2006 1:35 pm
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10530
Location: Leeds, UK
Maybe so but the previous warning was still ignored.

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Tue Jul 11, 2006 2:02 pm
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
brian wrote:
Maybe so but the previous warning was still ignored.


I think it would be a wonderful new option for joomla to automatically get a security warning when logging into the backend and one of the installed components has been detected as vulnerable. Joomla (and mambo) has all information such as component / mambot / module names and versions already, and also all php / mysql / apache information, so nothing really stands against an implementation.

After all the latest security issues around joomla / mambo and its hundreds of add-ons, something should urgently be done to improve security even for those ten-thousands of users that never visit a forum or ask secunia.

But I guess this is not the thread to discuss it.


PostPosted: Tue Jul 11, 2006 2:03 pm
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10530
Location: Leeds, UK
You are right. Perhaps if there was an rss feed filter component written for the admin that would read secunia and this forum for security announcements filtered on the words joomla

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Tue Jul 11, 2006 2:04 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1118
Location: Weymouth, UK
brian wrote:
You are right. Perhaps if there was an rss feed filter component written for the admin that would read secunia and this forum for security announcements filtered on the words joomla


I already have this set up in feeddemon :-)

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Tue Jul 11, 2006 2:10 pm
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
Me too - mine's called "eyes" ;)

Although, I have to say, with this latest crop of vulnerabilities I am spending some time hanging out with blackhats lately and find a quick daily check of proof of concept exploits has been very interesting.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

