[UPGRADE AVAIL.] Community builder vulnerability


[UPGRADE AVAIL.] Community builder vulnerability

Post by nomisg » Thu Aug 10, 2006 12:23 am

Just an FYI that my site was hacked.

hacked by da_jackass - [email protected] - #papmahackerlink #maluku-hacker #papuahacker @ dalnet - SAVE THE WORLD WITH LOVE AND PEACE - STOP WAR!!!

I simply had to replace the index.php from a back-up. All seems OK.

For reference, from a little investigation it only seems to happen to ppl using Apache and Linux servers.
Last edited by RobS on Thu Aug 10, 2006 8:13 pm, edited 1 time in total.
www.AussieBball.com Australian basketball forum and news


Re: Site hacked : hacked by da_jackass

Post by nomisg » Thu Aug 10, 2006 1:05 am

OK another update.

It actually seems to be an issue with Community Builder.

You will also need to restore from back-up:

administrator/components/com_comprofiler/plugin.class.php

There is a known security issue from CB; please see http://www.joomlapolis.com/

But they actually seem to be down as well, but they are releasing a security patch shortly.

Re: Site hacked : hacked by da_jackass : community builder issue!!

Post by infograf768 » Thu Aug 10, 2006 5:58 am

Upgrade available: http://forge.joomla.org/sf/frs/do/viewR ... 0_1_stable

Title changed and moved to 3pd security forum
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group


Re: Community builder vulnerability, version 1.01 released

Post by crash777 » Thu Aug 10, 2006 9:34 am

Okay.. so Joomlapolis recommends this setting for EVERYONE but especially for those with "weakly configured servers".

From Joomlapolis:

Your site needs urgent update to CB 1.0.1 if ALL of these PHP settings are met:

  1. php register_globals set to ON
  2. allow_url_fopen is ON
  3. no open base directory limitations set
  4. php code directories have write permissions from web-server process

For everyone's understanding (and mine...):

  1. register globals can be set via the php ini file
  2. allow_url_fopen - Not sure where this setting is... anyone?
  3. This is a setting in a reseller whm panel under tweak settings
  4. write permissions from web-server process??

Thanks!
Aaron


Re: Community builder vulnerability, version 1.01 released

Post by RobS » Thu Aug 10, 2006 3:40 pm

The first three are all PHP settings configurable in php.ini

register_globals = Off
allow_url_fopen = Off
open_basedir = /usr/local/something/like/this

The 4th is a matter of permissions. If a file or folder is world writeable (like 666, 777) then it is writeable by the web server's user process, which is a security issue but also a functionality issue. As usual, a balancing act. Hope that helps.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
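
Added example (not part of the original posts, and not Joomla or Community Builder code): a Python check for the four conditions quoted from Joomlapolis above, using the php.ini directives and the world-writable permission test RobS describes. The function names, condition labels and sample php.ini are constructed for illustration; only the world-write bit is tested, not files owned by the web-server user.

```python
import os
import stat
import tempfile

ON = {"1", "on", "true", "yes"}

def parse_php_ini(text):
    """Return {directive: value}; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment (quoted ';' not handled)
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def world_writable(root):
    """Directories and .php files under root with the world-write bit set (e.g. 666, 777)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in files if f.endswith(".php")]
        for path in candidates:
            if not os.path.islink(path) and os.stat(path).st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)

def audit(ini_text, code_root):
    """Return (conditions, urgent); urgent is True only when all four conditions hold."""
    ini = parse_php_ini(ini_text)
    conditions = {
        # Off in php.ini is not proof: this thread reports Joomla 1.0.10 emulating it as On.
        "register_globals on": ini.get("register_globals", "off").lower() in ON,
        # PHP enables allow_url_fopen by default when the directive is absent.
        "allow_url_fopen on": ini.get("allow_url_fopen", "on").lower() in ON,
        "no open_basedir": ini.get("open_basedir", "") == "",
        "code world-writable": bool(world_writable(code_root)),
    }
    return conditions, all(conditions.values())

if __name__ == "__main__":
    # Constructed sample: a weak php.ini and a throwaway directory tree.
    sample_ini = "register_globals = On\nallow_url_fopen = On\n; open_basedir not set\n"
    root = tempfile.mkdtemp()
    target = os.path.join(root, "plugin.class.php")
    open(target, "w").close()
    os.chmod(target, 0o666)
    conditions, urgent = audit(sample_ini, root)
    for name, met in conditions.items():
        print(f"{name}: {met}")
    print("urgent update needed:", urgent)
```

A result of `urgent: False` only means the four conditions are not all met; the thread's advice to upgrade to CB 1.0.1 applies regardless.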


Re: Community builder vulnerability, version 1.01 released

Post by crash777 » Thu Aug 10, 2006 3:57 pm

Thanks for the info!
I spaced it with permissions.. haha. I knew that..
(..and there are plenty of posts on how to set this..) Thanks again!
Thanks!
Aaron


Re: [UPGRADE AVAIL.] Community builder vulnerability

Post by HalJordan » Tue Aug 15, 2006 4:24 am

Just as a followup, someone was exploiting a vulnerability in plugin.class.php in RC2 on our site. Our host had to shut off access to our site -- http://www.thewyvernportal.com -- (on the day I was presenting it to my fellow faculty members, of course) because his servers were being flooded.
Not sure about Joomla (not familiar with that software), but the exploit
was most definitely that described in the Secunia advisory, and the exact
file being exploited was:

  /mambo/administrator/components/com_comprofiler/plugin.class.php

This morning, we had a team of our guys trying to find out what was
happening on our servers (the cpu load had skyrocketed on 4 of our
cluster servers), and it turns out about 40 processes were running
a remote UDP flood script that was downloaded and executed through
the vulnerability in that script.
The flood script was spreading "a worm that is used to launch denial
of service attacks on other sites," my host said tonight.

The Secunia advisory was one for Mambo 4.5.2: http://secunia.com/advisories/14337

I am not sure if it applies to Joomla 1.0.10 and CB RC2, but my host's staff says it does. I have applied the 1.0.1 update, so I hope it fixes the problem.


Re: [UPGRADE AVAIL.] Community builder vulnerability

Post by infograf768 » Tue Aug 15, 2006 6:30 am

1.0.1 and the above php settings should do it.

Re: [UPGRADE AVAIL.] Community builder vulnerability

Post by RobS » Tue Aug 15, 2006 6:36 am

Keep in mind that allow_url_fopen = Off will break some site functionality. If you search for discussion regarding that setting, you will find more detailed information about which site functionality will be broken.

Re: [UPGRADE AVAIL.] Community builder vulnerability

Post by HalJordan » Tue Aug 15, 2006 2:45 pm

It worked. No complaints from my host.

BTW, some of us do not have access to php.ini or to Apache settings. Component coders need to take these facts into consideration.


Re: [UPGRADE AVAIL.] Community builder vulnerability

Post by Beat » Wed Aug 16, 2006 11:09 pm

Just noticed this thread...  ;)

As updated also on http://www.joomlapolis.com :

setting register_globals to OFF is *not sufficient* to put it OFF ! :(

Joomla 1.0.10 still emulates that to ON in globals.php even when it is set to OFF in php.ini !!!

See here how to put it off for sure:

http://forum.joomla.org/index.php/topic ... w.html#new

N.b. updating to Community Builder 1.0.1 is enough to close the known vulnerability (independently of register_globals).
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Re: [UPGRADE AVAIL.] Community builder vulnerability

Post by HalJordan » Thu Aug 17, 2006 2:08 am

How would changing this setting affect things if your host has register_globals ON? Mine uses Sun Solaris and Apache. 


Re: [UPGRADE AVAIL.] Community builder vulnerability

Post by infograf768 » Thu Aug 17, 2006 6:08 am

Although it can't replace a global setting of RegisterGlobals off for the server, it does emulate that setting for the Joomla install itself.

Re: [UPGRADE AVAIL.] Community builder vulnerability

Post by Beat » Fri May 02, 2008 2:54 pm

Please note that a new exploit (blind SQL injection) has been published on hacker sites for CB 1.0.0 and 1.0.1. Please upgrade to CB 1.0.2 at the very least, and preferably to CB 1.1, as those two releases are not affected by that vulnerability. CB 1.0.2 has been out for over 1 year and was a security release...

The vulnerability requires PHP magic_quotes_gpc to be OFF to succeed, and Joomla version to be below Joomla 1.0.12 to be of high level.

Best is to stay up to date with security releases...

I don't have edit rights at help.joomla.org here:
http://help.joomla.org/component/option ... temid,268/

Please could someone of the help team change "<= 1.0.0" ---> "<= 1.0.1" and "1.0.1" to "1.0.2 or 1.1" on that page ?

Thanks.
Beat 8)