Expose Flash Gallery RC4 vulnerability

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Expose Flash Gallery RC4 vulnerability

Post by rliskey » Thu Jul 19, 2007 4:24 am

If you have Expose Flash Gallery RC4 installed:

1. Remove the file uploadimg.php from /administrator/components/com_expose.

NOTE: NOT the uploadimage.php file.

2. Manually (via FTP or JoomlaXplorer) inspect the directory, /components/com_expose/expose/img. There shouldn't be any .php files in this directory. If there are, delete them and begin full site recovery.
Last edited by rliskey on Thu Jul 19, 2007 4:33 am, edited 1 time in total.

devilman
Joomla! Apprentice
Posts: 14
Joined: Fri Apr 14, 2006 2:24 pm

Re: Expose Flash Gallery RC4 vulnerability

Post by devilman » Thu Jul 19, 2007 9:50 am

Many thanks for that - I got hit overnight with a hack and the only thing that's new on my site is the Expose installation.  Looks like that's what's caused my problems.

JoomlaJasper
Joomla! Fledgling
Posts: 4
Joined: Thu Jul 19, 2007 11:30 am

Re: Expose Flash Gallery RC4 vulnerability

Post by JoomlaJasper » Thu Jul 19, 2007 11:35 am

Addition to point no 2: I found in the img-directory a "r.php.jpg". Perhaps heavy camouflage?!

doctorj
Joomla! Intern
Posts: 87
Joined: Sun Sep 04, 2005 4:42 am
Location: San Francisco, CA, USA

Re: Expose Flash Gallery RC4 vulnerability

Post by doctorj » Thu Jul 19, 2007 5:16 pm

I will work on a patch tonight. Thanks for the update. Please watch this page for updates: http://joomlacode.org/gf/project/expose/
Until Next Time,

Josh
http://www.gotgtek.net

stephenvb
Joomla! Apprentice
Posts: 13
Joined: Mon Aug 29, 2005 11:07 pm

Re: Expose Flash Gallery RC4 vulnerability

Post by stephenvb » Thu Jul 19, 2007 7:06 pm

I got hit this morning also.  Thanks for highlighting the vulnerable file.  I also noted the following files that were created (at least for my attack):

/components/rr.php
/cc.php
/components/com_expose/img/aa.php.jpg
/index.php (modified)

Error logs located in root, /components, and /components/com_expose/img/ also indicate activity.

doctorj
Joomla! Intern
Posts: 87
Joined: Sun Sep 04, 2005 4:42 am
Location: San Francisco, CA, USA

Re: Expose Flash Gallery RC4 vulnerability

Post by doctorj » Thu Jul 19, 2007 9:35 pm

Until Next Time,

Josh
http://www.gotgtek.net

JoomlaJasper
Joomla! Fledgling
Posts: 4
Joined: Thu Jul 19, 2007 11:30 am

Re: Expose Flash Gallery RC4 vulnerability

Post by JoomlaJasper » Thu Jul 19, 2007 9:41 pm

Thanks for your work!

doctorj
Joomla! Intern
Posts: 87
Joined: Sun Sep 04, 2005 4:42 am
Location: San Francisco, CA, USA

Re: Expose Flash Gallery RC4 vulnerability

Post by doctorj » Thu Jul 19, 2007 9:43 pm

Hackers suck!! >:( I don't understand why they hack people giving away free software? Go hack Microsoft.... ???
Until Next Time,

Josh
http://www.gotgtek.net

member1000
Joomla! Apprentice
Posts: 14
Joined: Mon Apr 09, 2007 5:25 pm

Re: Expose Flash Gallery RC4 vulnerability

Post by member1000 » Thu Jul 19, 2007 10:06 pm

I've been defaced twice today. So many thanks for the quick response with the patch.
Tony

stephenvb
Joomla! Apprentice
Posts: 13
Joined: Mon Aug 29, 2005 11:07 pm

Re: Expose Flash Gallery RC4 vulnerability

Post by stephenvb » Thu Jul 19, 2007 11:24 pm

I was hacked on one site and saw evidence (a very suspicious .php file in the img directory) of a pending hack on another site.

Many thanks for the speedy response. 

hud
Joomla! Apprentice
Posts: 24
Joined: Sun Aug 21, 2005 3:21 am
Location: Lafayette, Indiana

Re: Expose Flash Gallery RC4 vulnerability

Post by hud » Fri Jul 20, 2007 12:36 am

IMPORTANT! The added php files found in the image directory MAY be php shell access scripts. The hacker, in our case, simply replaced the index.php file. However, the damage could have been much worse.

In short, patching stops further hacks. But leaving these added php scripts means your entire install is vulnerable until all are removed.

With hackers becoming smarter and sites with vulnerable files to be found easily using Google ... remember to back up your Joomla sites daily.
Dave
One Technologies, Inc.

millsdo
Joomla! Apprentice
Posts: 10
Joined: Mon Oct 16, 2006 1:33 am

Re: Expose Flash Gallery RC4 vulnerability

Post by millsdo » Fri Jul 20, 2007 1:02 am

Saw this too late and got hacked. Hackers do suck...it was caused by Expose...

Lee

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: Expose Flash Gallery RC4 vulnerability

Post by rliskey » Fri Jul 20, 2007 6:05 pm

The beauty of GNU/GPL :pop

1. July 18, 2007: Vulnerability discovered at ISP and quickly reported to the actual developer.

2. July 18, 2007, 09:24:54 PM: Full disclosure of vulnerability to the community.

3. July 19, 2007, 02:35:52 PM: Developer works overnight and releases a free patch.

4. Free patch is made available worldwide on a free community forum and a free developer forge.

No...
  ...top-level marketing meeting to discuss damage control,
  ...poor fall guy chosen to absorb internal blamestorming,
  ...executive approval required for CYA of upwardly mobile, gutless, brown nosers before real action begins,
  ...FUD or delaying tactics,
  ...secret bug fixes added to expensive "upgrades" to be released "sometime soon."

millsdo
Joomla! Apprentice
Posts: 10
Joined: Mon Oct 16, 2006 1:33 am

Re: Expose Flash Gallery RC4 vulnerability

Post by millsdo » Fri Jul 20, 2007 6:17 pm

Yeah, great stuff and nice work!

hlcno
Joomla! Apprentice
Posts: 9
Joined: Fri Jul 20, 2007 8:09 pm

Re: Expose Flash Gallery RC4 vulnerability

Post by hlcno » Fri Jul 20, 2007 8:10 pm

Great thanks.

No offense to the Expose guys, but who the hell codes an upload php app and allows any file to go through? Especially php?? And doesn't even check image header info.. I mean come on guys..
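
The checks raised in this thread (no .php files in the gallery img directory, disguised names such as r.php.jpg, and image header validation), as an added example that is not part of any post or of the Expose code: a Python scan of an image directory. The extension list, function names and the constructed sample files are assumptions for illustration.

```python
import tempfile
from pathlib import Path

SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml"}  # assumed PHP-handler extensions
JPEG, GIF = (b"\xff\xd8\xff",), (b"GIF87a", b"GIF89a")
IMAGE_MAGIC = {"jpg": JPEG, "jpeg": JPEG, "gif": GIF, "png": (b"\x89PNG\r\n\x1a\n",)}


def inspect_file(path):
    """Return the reasons a file found in an image directory is suspicious."""
    reasons = []
    parts = path.name.lower().split(".")
    # Every segment after the first dot counts, so r.php.jpg is flagged like cc.php.
    if SCRIPT_EXTS.intersection(parts[1:]):
        reasons.append("script extension in name")
    data = path.read_bytes()
    magic = IMAGE_MAGIC.get(parts[-1])
    if magic and not data.startswith(magic):
        reasons.append("image extension without image header")
    # A valid header proves nothing on its own: PHP can follow the magic bytes.
    if b"<?php" in data.lower():
        reasons.append("contains PHP open tag")
    return reasons


def scan_upload_dir(root):
    """Walk root, album sub-folders included; map relative path -> reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (reasons := inspect_file(path)):
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_dir():
    """Constructed sample tree standing in for components/com_expose/expose/img."""
    root = Path(tempfile.mkdtemp())
    (root / "album1").mkdir()
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "r.php.jpg": b"<?php /* placeholder */ ?>",
        "album1/thumb.gif": b"GIF89a<?php /* placeholder */ ?>",
    }
    for rel, content in samples.items():
        (root / rel).write_bytes(content)
    return root


if __name__ == "__main__":
    print(scan_upload_dir(build_sample_dir()))
```

Point `scan_upload_dir` at a downloaded copy of the img directory rather than the constructed sample; a clean result does not replace the full site recovery advised in the first post.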

Tokapi
Joomla! Apprentice
Posts: 17
Joined: Sun Dec 24, 2006 5:54 pm
Location: Antwerp

Re: Expose Flash Gallery RC4 vulnerability

Post by Tokapi » Fri Jul 20, 2007 9:45 pm

... a piece of forgotten code from an earlier Joomla release...
Since it is not often used (only at configuration) by expose, I recommend removing this script (/administrator/components/com_expose/uploadimg.php), together with an old uploadimage.php, until this part of the code has been reviewed.

The hack places code in the /img folder and sometimes additional files in an album folder.

saj3n
Joomla! Apprentice
Posts: 6
Joined: Fri Jul 20, 2007 1:07 am

Re: Expose Flash Gallery RC4 vulnerability

Post by saj3n » Fri Jul 20, 2007 11:53 pm

My site was hacked earlier this week, with another attempt today. The hackers had uploaded a cc.php file into my main web directory, allowing them to use the C99 shell, and browse freely through my server. I removed the file, and replaced the index.php. Up until now, I thought I had made everything secure and safe....

Checked my stats today, using statcounter, which showed a hit to my site from Iasi, Romania. The hacker was directed to my site after searching for the com_expose using the following search topic:

search.live.com/results.aspx?q=%22option%2Ccom_expose%22 site%3Acom&first=181&FORM=PORE

Unluckily for me, my site was #1.

However, this time, they uploaded 2 php files, masked as jpg files, aa.php.jpg and adx.php.jpg. After downloading from server, and renaming to aa.php and adx.php, it was made clear that this was an attempt to hack my site, again, as adx.php is a web-based file manager.

But now I'm stumped... I did not have the uploadimg.php or uploadimage.php files in my /administrator/com_expose/ folder, nor any other folder on my ftp.....

Any suggestions? Maybe they deleted the files after getting into the site?

doctorj
Joomla! Intern
Posts: 87
Joined: Sun Sep 04, 2005 4:42 am
Location: San Francisco, CA, USA

Re: Expose Flash Gallery RC4 vulnerability

Post by doctorj » Sat Jul 21, 2007 4:37 am

For now make sure you remove both the uploadimg.php and the uploadimage.php. We have a full-blown package replacement going up again later tonight. I will also update the security package again tonight. Sorry for the hassle this caused anyone. Sometimes you just overlook the small things. :(
Until Next Time,

Josh
http://www.gotgtek.net

axl_fugazi
Joomla! Apprentice
Posts: 38
Joined: Sun Nov 12, 2006 5:52 pm

Re: Expose Flash Gallery RC4 vulnerability

Post by axl_fugazi » Sat Jul 21, 2007 4:53 am

hi so my site got hacked as well. am using expose. i removed the .php and one .jpg file from the components/com_expose/expose/img directory and replaced the index.php file (as mentioned above).

but i notice a fix was posted with a link. that link does not work. what else do i have to do to prevent a repeat of this problem?

thanks - i'm not an experienced web manager so i appreciate any help.

aravot
Joomla! Ace
Posts: 1015
Joined: Thu Aug 18, 2005 1:16 am
Location: Glendale, CA, USA

Re: Expose Flash Gallery RC4 vulnerability

Post by aravot » Sat Jul 21, 2007 6:42 am

I got hacked too.

Question: on the same account as my Expose domain I have 8 other domains hosted. Do you think they are affected too?

JoomlaJasper
Joomla! Fledgling
Posts: 4
Joined: Thu Jul 19, 2007 11:30 am

Re: Expose Flash Gallery RC4 vulnerability

Post by JoomlaJasper » Sat Jul 21, 2007 11:25 am

Another domain, on which I use exposé as well, was infected too. But fortunately the problem is solved now. I recommend immediate checkup of all domains where you use exposé.

doctorj
Joomla! Intern
Posts: 87
Joined: Sun Sep 04, 2005 4:42 am
Location: San Francisco, CA, USA

Re: Expose Flash Gallery RC4 vulnerability

Post by doctorj » Sat Jul 21, 2007 4:52 pm

axl_fugazi wrote:
hi so my site got hacked as well. am using expose. i removed the .php and one .jpg file from the components/com_expose/expose/img directory and replaced the index.php file (as mentioned above).

but i notice a fix was posted with a link. that link does not work. what else do i have to do to prevent a repeat of this problem?

thanks - i'm not an experienced web manager so i appreciate any help.

The link is here: http://joomlacode.org/gf/download/frsre ... 7.2007.zip
It is best to always watch the root here: http://joomlacode.org/gf/project/expose/frs/ (the link changes every time I update the package). My apologies for that.
Last edited by doctorj on Sat Jul 21, 2007 5:00 pm, edited 1 time in total.
Until Next Time,

Josh
http://www.gotgtek.net

yazeft
Joomla! Intern
Posts: 56
Joined: Wed May 02, 2007 7:34 am

Re: Expose Flash Gallery RC4 vulnerability

Post by yazeft » Mon Jul 23, 2007 12:50 pm

i've done everything as explained and still seems the same...


what i've done:

removed all .php files in 'img' directory
removed the two .php files >uploadimg.php & uploadimage.php
installed the patch (overwrote the 4 files in the zip file)
removed old 'index.php' and uploaded a new one from the joomla download


I've done all the above and i still can't access my site, please help me.
Last edited by yazeft on Mon Jul 23, 2007 2:25 pm, edited 1 time in total.

doctorj
Joomla! Intern
Posts: 87
Joined: Sun Sep 04, 2005 4:42 am
Location: San Francisco, CA, USA

Re: Expose Flash Gallery RC4 vulnerability

Post by doctorj » Mon Jul 23, 2007 4:28 pm

You might want to try to use JoomlaXplorer but chmod the main administrator/components/com_expose folder to 777 and check the box to recurse into sub-directories. Sometimes (depending on how your hosting provider configured the server) the files are uploaded and owned by "nobody" or "httpd" instead of your user account so you can remove them.

After you delete the files make sure you set the directory back to 755 and the files inside the folder to 644.

If this doesn't work, contact your hosting provider and someone with root access can remove them for you.
Until Next Time,

Josh
http://www.gotgtek.net

Neorun
Joomla! Fledgling
Posts: 2
Joined: Mon Jul 23, 2007 4:36 pm

Re: Expose Flash Gallery RC4 vulnerability

Post by Neorun » Mon Jul 23, 2007 4:41 pm

I can't change the CHMOD via ftp "550 admin.expose.html.php: Operation not permitted"
I cannot connect to my site: www.wanderfreunde-edelweiss.net to use the joomlaexplorer...

I've got a full backup of the FTP data - what files do I need to replace in order to get access to the site again?

doctorj
Joomla! Intern
Posts: 87
Joined: Sun Sep 04, 2005 4:42 am
Location: San Francisco, CA, USA

Re: Expose Flash Gallery RC4 vulnerability

Post by doctorj » Mon Jul 23, 2007 4:43 pm

At this point you will need to contact your hosting provider so they can delete it using root access. JoomlaXplorer only works when you have Joomla =(

Sorry for the hassle.
Until Next Time,

Josh
http://www.gotgtek.net

Neorun
Joomla! Fledgling
Posts: 2
Joined: Mon Jul 23, 2007 4:36 pm

Re: Expose Flash Gallery RC4 vulnerability

Post by Neorun » Mon Jul 23, 2007 4:46 pm

Nope, I'm lucky - I had to replace my configuration.php & index.php

For all noobs like me - the CHMOD of the configuration.php needs to be set to: 444

doctorj
Joomla! Intern
Posts: 87
Joined: Sun Sep 04, 2005 4:42 am
Location: San Francisco, CA, USA

Re: Expose Flash Gallery RC4 vulnerability

Post by doctorj » Mon Jul 23, 2007 5:00 pm

I would just make sure you don't have any other files (as mentioned above) lying around. If the infected file is still there you could be in a world of pain. I had this same issue with 3 other components. It sucks, but free software can't be perfect.

Let me know if you need anything.

-Josh
Until Next Time,

Josh
http://www.gotgtek.net

tomhay
Joomla! Fledgling
Posts: 2
Joined: Tue Mar 13, 2007 5:43 am

Re: Expose Flash Gallery RC4 vulnerability

Post by tomhay » Tue Jul 24, 2007 12:10 am

Hi all,
I have applied the patch, deleted the two .php files, replaced the configuration.php and index.php and now the site is showing this error.

Warning: require_once(W:/www/louise/includes/version.php) [function.require-once]: failed to open stream: No such file or directory in /home/.ouida/tomhay/onelou.com/includes/joomla.php on line 71

Fatal error: require_once() [function.require]: Failed opening required 'W:/www/louise/includes/version.php' (include_path='.:/usr/local/php5/lib/php:/usr/local/lib/php') in /home/.ouida/tomhay/onelou.com/includes/joomla.php on line 71

I am a bit new to this so any help would be most appreciated.

Tom

yazeft
Joomla! Intern
Posts: 56
Joined: Wed May 02, 2007 7:34 am

Re: Expose Flash Gallery RC4 vulnerability

Post by yazeft » Tue Jul 24, 2007 12:21 am

i've done everything as explained and still seems the same...


what i've done:

removed all .php files in 'img' directory
removed the two .php files >uploadimg.php & uploadimage.php
installed the patch (overwrote the 4 files in the zip file)
removed old 'index.php' and uploaded a new one from the joomla download


I've done all the above and i still can't access my site, please help me.

