[UPGRADE AVAIL.] Community builder vulnerability
-
- Joomla! Apprentice
- Posts: 36
- Joined: Thu Mar 23, 2006 4:09 am
- Contact:
[UPGRADE AVAIL.] Community builder vulnerability
Just an FYI that my site was hacked.
hacked by da_jackass - [email protected] - #papmahackerlink #maluku-hacker #papuahacker @ dalnet - SAVE THE WORLD WITH LOVE AND PEACE - STOP WAR!!!
I simply had to replace the index.php from a back-up. All seems OK.
For reference, from a little investigation it only seems to happen to people using Apache and Linux servers.
Last edited by RobS on Thu Aug 10, 2006 8:13 pm, edited 1 time in total.
www.AussieBball.com Australian basketball forum and news
-
- Joomla! Apprentice
- Posts: 36
- Joined: Thu Mar 23, 2006 4:09 am
- Contact:
Re: Site hacked : hacked by da_jackass
OK another update.
It actually seems to be an issue with Community Builder.
You will also need to restore from back-up:
administrator/components/com_comprofiler/plugin.class.php
There is a known security issue in CB; please see http://www.joomlapolis.com/
They actually seem to be down as well, but they are releasing a security patch shortly.
www.AussieBball.com Australian basketball forum and news
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Site hacked : hacked by da_jackass : community builder issue!!
Upgrade available: http://forge.joomla.org/sf/frs/do/viewR ... 0_1_stable
Title changed and moved to 3pd security forum
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- crash777
- Joomla! Explorer
- Posts: 334
- Joined: Sat Sep 03, 2005 1:56 am
- Location: Upstate New York
Re: Community builder vulnerability, version 1.01 released
Okay... so Joomlapolis recommends this setting for EVERYONE, but especially for those with "weakly configured servers".
From Joomlapolis:
For everyone's understanding (and mine...): your site needs an urgent update to CB 1.0.1 if ALL of these PHP settings are met:
1. php register_globals set to ON
2. allow_url_fopen is ON
3. no open base directory limitations set
4. php code directories have write permissions from web-server process
1. register_globals can be set via the php.ini file
2. allow_url_fopen - Not sure where this setting is... anyone?
3. This is a setting in a reseller WHM panel under Tweak Settings
4. Write permissions from the web-server process??
Thanks!
Aaron
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: Community builder vulnerability, version 1.01 released
The first three are all PHP settings configurable in php.ini:
register_globals = Off
allow_url_fopen = Off
open_basedir = /usr/local/something/like/this
The 4th is a matter of permissions. If a file or folder is world-writeable (like 666, 777) then it is writeable by the web server's user process, which is a security issue but also a functionality issue. As usual, a balancing act. Hope that helps.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
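A way to check the four Joomlapolis conditions from a shell, as an added example that is not from this thread, from Joomlapolis or from the Joomla project: it parses a php.ini for the three settings Rob lists and walks the webroot for directories the web-server process could write to, then reports EXPOSED only when all four hold, which is the combination Joomlapolis said makes the upgrade urgent. The php.ini path, the webroot and the optional web-server user name are assumptions to replace with your own. Two caveats: on hosts where PHP runs as the site owner (CGI/suPHP), pass that account as the user, because then everything it owns is writable even at 755; and, as Beat points out later in this thread, a php.ini value of Off for register_globals is not conclusive on Joomla 1.0.10, which emulates the setting in globals.php, so treat a clean result on that line as necessary but not sufficient.

```shell
#!/bin/sh
# Added example, not from this thread, Joomlapolis or Joomla: evaluates the four
# Joomlapolis conditions for an urgent CB 1.0.1 upgrade against a php.ini file
# and a site webroot. Paths and the web-server user name are assumptions.

# ini_value FILE KEY: print the value of KEY from a php.ini (';' starts a
# comment, the last assignment wins, surrounding whitespace and quotes are
# stripped), or nothing when the key is absent or commented out.
ini_value() {
    sed 's/;.*$//' "$1" | awk -F= -v key="$2" '
        $1 ~ ("^[ \t]*" key "[ \t]*$") { v = $2; gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v }
        END { print val }'
}

# is_on VALUE: true when PHP treats VALUE as enabled (On/1/True/Yes, any case).
is_on() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# writable_code_dirs WEBROOT [WEBUSER]: directories under WEBROOT that are
# world-writable (the 777 case Rob describes) or, when WEBUSER is given, owned
# by the web-server account; either lets the PHP process drop files there.
writable_code_dirs() {
    if [ -n "$2" ]; then
        find "$1" -type d \( -perm -0002 -o -user "$2" \) 2>/dev/null
    else
        find "$1" -type d -perm -0002 2>/dev/null
    fi
}

# cb_exposure PHP_INI WEBROOT [WEBUSER]: print EXPOSED when all four conditions
# hold, otherwise OK. The conditions that matched are listed on stderr.
cb_exposure() {
    ini=$1; root=$2; webuser=$3; hits=0
    if is_on "$(ini_value "$ini" register_globals)"; then
        echo "  [1] register_globals = On" >&2; hits=$((hits + 1))
    fi
    if is_on "$(ini_value "$ini" allow_url_fopen)"; then
        echo "  [2] allow_url_fopen = On" >&2; hits=$((hits + 1))
    fi
    if [ -z "$(ini_value "$ini" open_basedir)" ]; then
        echo "  [3] open_basedir not set" >&2; hits=$((hits + 1))
    fi
    if [ -n "$(writable_code_dirs "$root" "$webuser")" ]; then
        echo "  [4] writable code directories under $root" >&2; hits=$((hits + 1))
    fi
    if [ "$hits" -eq 4 ]; then echo EXPOSED; else echo OK; fi
}

# Demonstration on a constructed php.ini pair and webroot (not a real site):
# the weak configuration from the Joomlapolis list beside Rob's hardened one.
demo=$(mktemp -d)
printf 'register_globals = On\nallow_url_fopen = On\n;open_basedir =\n' > "$demo/weak.ini"
printf 'register_globals = Off\nallow_url_fopen = Off\nopen_basedir = %s\n' "$demo/site" > "$demo/hard.ini"
mkdir -p "$demo/site/administrator/components/com_comprofiler"
chmod 777 "$demo/site/administrator/components/com_comprofiler"
echo "weak php.ini, 777 directory:  $(cb_exposure "$demo/weak.ini" "$demo/site")"
echo "hardened php.ini, same tree:  $(cb_exposure "$demo/hard.ini" "$demo/site")"
rm -rf "$demo"
```

Run it as the site owner with `cb_exposure /path/to/php.ini /path/to/joomla apache` (or whatever account your host runs PHP under); fixing any one of the four lines it prints takes the site out of the EXPOSED set, but only the CB 1.0.1 upgrade removes the bug itself.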
- crash777
- Joomla! Explorer
- Posts: 334
- Joined: Sat Sep 03, 2005 1:56 am
- Location: Upstate New York
Re: Community builder vulnerability, version 1.01 released
Thanks for the info!
I spaced on the permissions... haha. I knew that...
(...and there are plenty of posts on how to set this...) Thanks again!
Thanks!
Aaron
-
- Joomla! Apprentice
- Posts: 7
- Joined: Sun Jul 23, 2006 3:27 am
Re: [UPGRADE AVAIL.] Community builder vulnerability
Just as a follow-up, someone was exploiting a vulnerability in plugin.class.php in RC2 on our site. Our host had to shut off access to our site -- http://www.thewyvernportal.com -- (on the day I was presenting it to my fellow faculty members, of course) because his servers were being flooded.
Not sure about Joomla (not familiar with that software), but the exploit was most definitely that described in the Secunia advisory, and the exact file being exploited was:
/mambo/administrator/components/com_comprofiler/plugin.class.php
This morning, we had a team of our guys trying to find out what was happening on our servers (the CPU load had skyrocketed on 4 of our cluster servers), and it turns out about 40 processes were running a remote UDP flood script that was downloaded and executed through the vulnerability in that script.
The flood script was spreading "a worm that is used to launch denial of service attacks on other sites," my host said tonight.
The Secunia advisory was one for Mambo 4.5.2: http://secunia.com/advisories/14337
I am not sure if it applies to Joomla 1.0.10 and CB RC2, but my host's staff says it does. I have applied the 1.0.1 update, so I hope it fixes the problem.
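The posts above recovered by copying two named files back from a backup. An added example, not from this thread or from the Joomla or CB projects, of the broader check a responder would run after an incident like the one the host describes: compare the whole live tree against a known-good copy (the backup you restored from, or a fresh download of the same Joomla and CB versions) so that anything the intruder added, changed or removed shows up, not only index.php and plugin.class.php, and list what the web-server account is currently running, which is where the forty flood processes would have appeared. All paths and the account name are assumptions; the sample trees it builds are constructed placeholders, not Joomla code.

```shell
#!/bin/sh
# Added example, not from this thread or from Joomla/CB: list the differences
# between a known-good site tree and the live one, and show what the web-server
# account is running. Paths and the user name are assumptions.

# list_files DIR: relative paths of every regular file under DIR, sorted.
list_files() {
    ( cd "$1" && find . -type f ) | sed 's|^\./||' | sort
}

# compare_trees CLEAN LIVE: one line per difference. ADDED and MODIFIED are
# judged from the LIVE side, MISSING from the CLEAN side. Every file type is
# compared, not just .php: a downloaded flood script need not end in .php.
compare_trees() {
    clean=$1; live=$2
    list_files "$live" | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            printf '%-8s %s\n' ADDED "$f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            printf '%-8s %s\n' MODIFIED "$f"
        fi
    done
    list_files "$clean" | while IFS= read -r f; do
        [ -f "$live/$f" ] || printf '%-8s %s\n' MISSING "$f"
    done
}

# webuser_processes USER: pid, elapsed time and command line of everything
# running as the web-server account (e.g. apache, www-data, nobody). Long-lived
# processes that are not the web server itself deserve a look.
webuser_processes() {
    ps -u "$1" -o pid=,etime=,args= 2>/dev/null
}

# Demonstration on two constructed trees named after the files in the thread.
# The contents are placeholders, not real Joomla or Community Builder code.
demo=$(mktemp -d)
for side in clean live; do
    mkdir -p "$demo/$side/administrator/components/com_comprofiler"
    echo '<?php /* placeholder front controller */ ?>' > "$demo/$side/index.php"
    echo '<?php /* placeholder CB plugin loader */ ?>' \
        > "$demo/$side/administrator/components/com_comprofiler/plugin.class.php"
done
echo '<?php /* appended by intruder */ ?>' >> "$demo/live/index.php"
echo '<?php /* appended by intruder */ ?>' \
    >> "$demo/live/administrator/components/com_comprofiler/plugin.class.php"
mkdir -p "$demo/live/tmp"
echo '# placeholder for a dropped flood script' > "$demo/live/tmp/dc.pl"
compare_trees "$demo/clean" "$demo/live"
rm -rf "$demo"
```

Run `compare_trees /backup/site /var/www/site` and `webuser_processes apache` (substituting your own paths and account) before deciding that restoring two files was enough; an ADDED file outside the Joomla tree, or a process that outlives any request, means the clean-up is not finished.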
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: [UPGRADE AVAIL.] Community builder vulnerability
1.0.1 and the above php settings should do it.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: [UPGRADE AVAIL.] Community builder vulnerability
Keep in mind that allow_url_fopen = Off will break some site functionality; if you search for discussion regarding that setting, you will find more detailed information about which site functionality will be broken.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Apprentice
- Posts: 7
- Joined: Sun Jul 23, 2006 3:27 am
Re: [UPGRADE AVAIL.] Community builder vulnerability
It worked. No complaints from my host.
BTW, some of us do not have access to php.ini or to Apache settings. Component coders need to take these facts into consideration.
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: [UPGRADE AVAIL.] Community builder vulnerability
Just noticed this thread...
As also updated on http://www.joomlapolis.com:
setting register_globals to OFF is *not sufficient* to turn it OFF!
Joomla 1.0.10 still emulates it to ON in globals.php even when it is set to OFF in php.ini!!!
See here for how to turn it off for sure:
http://forum.joomla.org/index.php/topic ... w.html#new
N.B. updating to Community Builder 1.0.1 is enough to close the known vulnerability (independently of register_globals).
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
-
- Joomla! Apprentice
- Posts: 7
- Joined: Sun Jul 23, 2006 3:27 am
Re: [UPGRADE AVAIL.] Community builder vulnerability
How would changing this setting affect things if your host has register_globals ON? Mine uses Sun Solaris and Apache.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: [UPGRADE AVAIL.] Community builder vulnerability
Although it can't replace a global setting of register_globals off for the server, it does emulate that setting for the Joomla install itself.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: [UPGRADE AVAIL.] Community builder vulnerability
Please note that a new exploit (blind SQL injection) got published on hacker sites for CB 1.0.0 and 1.0.1; please upgrade to CB 1.0.2 at the very least, and preferably to CB 1.1, as those two releases are not affected by that vulnerability. CB 1.0.2 has been released for over a year and was a security release...
The vulnerability requires PHP magic_quotes_gpc to be OFF to succeed, and the Joomla version to be below Joomla 1.0.12 for it to be high-severity.
Best is to stay up to date with security releases...
I don't have edit rights at help.joomla.org here:
http://help.joomla.org/component/option ... temid,268/
Please could someone of the help team change "<= 1.0.0" ---> "<= 1.0.1" and "1.0.1" to "1.0.2 or 1.1" on that page ?
Thanks.
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team