Expose Flash Gallery RC4 vulnerability
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
Expose Flash Gallery RC4 vulnerability
If you have Expose Flash Gallery RC4 installed:
1. Remove the file, uploadimg.php from /administrator/components/com_expose.
NOTE: NOT the uploadimage.php file.
2. Manually (via FTP or JoomlaXplorer) inspect the directory, /components/com_expose/expose/img. There shouldn't be any .php files in this directory. If there are, delete them and begin full site recovery.
Last edited by rliskey on Thu Jul 19, 2007 4:33 am, edited 1 time in total.
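The directory inspection from step 2, as an added example (not code from the original post or from the Expose project): a Python scan that flags files with a PHP extension anywhere in the name (so double-extension names such as the "r.php.jpg" reported later in the thread are caught), image-named files that lack an image header, and files containing a PHP open tag. The function names, the extension list and the header list are assumptions of this example, and the sample files are constructed.

```python
import os
import re
import sys
import tempfile

# A ".php"-family segment anywhere in the name, so "r.php.jpg" is caught too.
SCRIPT_SEGMENT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def inspect_file(path):
    """Return the reasons `path` looks like a planted script (empty if none)."""
    reasons = []
    name = os.path.basename(path).lower()
    if SCRIPT_SEGMENT.search(name):
        reasons.append("php extension in name")
    with open(path, "rb") as fh:
        data = fh.read()
    # A real JPEG/PNG/GIF starts with one of the IMAGE_MAGIC byte sequences.
    if name.endswith(IMAGE_EXT) and not data.startswith(IMAGE_MAGIC):
        reasons.append("image extension without image header")
    if b"<?php" in data.lower():
        reasons.append("contains PHP open tag")
    return reasons


def scan_upload_dir(root):
    """Walk `root`; return {relative path: [reasons]} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if reasons := inspect_file(full):
                findings[os.path.relpath(full, root)] = reasons
    return findings


def demo():
    samples = {  # constructed contents, not files recovered from a real site
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "r.php.jpg": b"<?php /* constructed */ ?>",
        "cc.php": b"<?php /* constructed */ ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return scan_upload_dir(tmp)


if __name__ == "__main__":
    found = scan_upload_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, reasons in sorted(found.items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it with the path to /components/com_expose/expose/img as the first argument; with no argument it scans the constructed samples. Short open tags (`<?`) are not checked, so a clean result does not replace the manual inspection.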
-
- Joomla! Apprentice
- Posts: 14
- Joined: Fri Apr 14, 2006 2:24 pm
Re: Expose Flash Gallery RC4 vulnerability
Many thanks for that - I got hit overnight with a hack and the only thing that's new on my site is the Expose installation. Looks like that's what's caused my problems.
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Jul 19, 2007 11:30 am
Re: Expose Flash Gallery RC4 vulnerability
Addition to point no 2: I found in the img-directory a "r.php.jpg". Perhaps heavy camouflage?!
- doctorj
- Joomla! Intern
- Posts: 87
- Joined: Sun Sep 04, 2005 4:42 am
- Location: San Francisco, CA, USA
Re: Expose Flash Gallery RC4 vulnerability
I will work on a patch tonight. Thanks for the update. Please watch this page for updates: http://joomlacode.org/gf/project/expose/
-
- Joomla! Apprentice
- Posts: 13
- Joined: Mon Aug 29, 2005 11:07 pm
Re: Expose Flash Gallery RC4 vulnerability
I got hit this morning also. Thanks for highlighting the vulnerable file. I also noted the following files that were created (at least for my attack):
/components/rr.php
/cc.php
/components/com_expose/img/aa.php.jpg
/index.php (modified)
Error logs located in root, /components, and /components/com_expose/img/ also indicate activity.
- doctorj
- Joomla! Intern
- Posts: 87
- Joined: Sun Sep 04, 2005 4:42 am
- Location: San Francisco, CA, USA
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Jul 19, 2007 11:30 am
Re: Expose Flash Gallery RC4 vulnerability
Thanks for your work!
- doctorj
- Joomla! Intern
- Posts: 87
- Joined: Sun Sep 04, 2005 4:42 am
- Location: San Francisco, CA, USA
Re: Expose Flash Gallery RC4 vulnerability
Hackers suck!! I don't understand why they hack people giving away free software? Go hack Microsoft....
-
- Joomla! Apprentice
- Posts: 14
- Joined: Mon Apr 09, 2007 5:25 pm
Re: Expose Flash Gallery RC4 vulnerability
I've been defaced twice today. So many tks for the quick response with the patch.
Tony
-
- Joomla! Apprentice
- Posts: 13
- Joined: Mon Aug 29, 2005 11:07 pm
Re: Expose Flash Gallery RC4 vulnerability
I was hacked on one site and saw evidence (a very suspicious .php file in the img directory) of a pending hack on another site.
Many thanks for the speedy response.
- hud
- Joomla! Apprentice
- Posts: 24
- Joined: Sun Aug 21, 2005 3:21 am
- Location: Lafayette, Indiana
Re: Expose Flash Gallery RC4 vulnerability
IMPORTANT! The added php files found in the image directory MAY be php shell access scripts. The hacker, in our case, simply replaced the index.php file. However, the damage could have been much worse.
In short, patching stops further hacks. But leaving these added php scripts means your entire install is vulnerable until all are removed.
With hackers becoming smarter and sites with vulnerable files to be found easily using Google ... remember to back up your Joomla sites daily.
Dave
One Technologies, Inc.
-
- Joomla! Apprentice
- Posts: 10
- Joined: Mon Oct 16, 2006 1:33 am
Re: Expose Flash Gallery RC4 vulnerability
Saw this too late and got hacked. Hackers do suck...it was caused by Expose...
Lee
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
Re: Expose Flash Gallery RC4 vulnerability
The beauty of GNU/GPL
1. July 18, 2007: Vulnerability discovered at ISP and quickly reported to the actual developer.
2. July 18, 2007, 09:24:54 PM: Full disclosure of vulnerability to the community.
3. July 19, 2007, 02:35:52 PM: Developer works overnight and releases a free patch.
4. Free patch is made available worldwide on a free community forum and a free developer forge.
No...
...top-level marketing meeting to discuss damage control,
...poor fall guy chosen to absorb internal blamestorming,
...executive approval required for CYA of upwardly mobile, gutless, brown nosers before real action begins,
...FUD or delaying tactics,
...secret bug fixes added to expensive "upgrades" to be released "sometime soon."
-
- Joomla! Apprentice
- Posts: 10
- Joined: Mon Oct 16, 2006 1:33 am
Re: Expose Flash Gallery RC4 vulnerability
Yeah, great stuff and nice work!
-
- Joomla! Apprentice
- Posts: 9
- Joined: Fri Jul 20, 2007 8:09 pm
Re: Expose Flash Gallery RC4 vulnerability
Great thanks.
No offense to the Expose guys, but who the hell codes an upload php app and allows any file to go thru? especially php?? and doesn't even check image header info.. I mean come on guys..
-
- Joomla! Apprentice
- Posts: 17
- Joined: Sun Dec 24, 2006 5:54 pm
- Location: Antwerp
Re: Expose Flash Gallery RC4 vulnerability
... a piece of forgotten code from an earlier Joomla release...
Since not often used (only at configuration) by expose, I recommend to remove this script (/administrator/components/com_expose/uploadimg.php), together with an old uploadimage.php until this part of the code has been reviewed.
The hack places code in the /img folder and sometimes additional files in an album folder.
-
- Joomla! Apprentice
- Posts: 6
- Joined: Fri Jul 20, 2007 1:07 am
Re: Expose Flash Gallery RC4 vulnerability
My site was hacked earlier this week, with another attempt today. The hackers had uploaded a cc.php file into my main web directory, allowing them to use the C99 shell, and browse freely through my server. I removed the file, and replaced the index.php. Up until now, I thought I had made everything secure and safe....
Checked my stats today, using statcounter, showed a hit to my site from Iasi Romania. The hacker was directed to my site after searching for the com_expose using the following search topic:
search.live.com/results.aspx?q=%22option%2Ccom_expose%22 site%3Acom&first=181&FORM=PORE
Unluckily for me, my site was #1.
However, this time, they uploaded 2 php files, masked as jpg files, aa.php.jpg and adx.php.jpg. After downloading from server, and renaming to aa.php and adx.php, it was made clear that this was an attempt to hack my site, again, as adx.php is a web-based file manager.
But now I'm stumped... I did not have the uploadimg.php or uploadimage.php files in my /administrator/com_expose/ folder, nor any other folder on my ftp.....
any suggestions? Maybe they deleted the files after getting into the site?
- doctorj
- Joomla! Intern
- Posts: 87
- Joined: Sun Sep 04, 2005 4:42 am
- Location: San Francisco, CA, USA
Re: Expose Flash Gallery RC4 vulnerability
For now make sure you remove both the uploadimg.php and the uploadimage.php. We have a full blown package replacement going up again later tonight. I will also update the security package again tonight. Sorry for the hassle this caused anyone. Sometimes you just overlook the small things.
-
- Joomla! Apprentice
- Posts: 38
- Joined: Sun Nov 12, 2006 5:52 pm
Re: Expose Flash Gallery RC4 vulnerability
hi so my site got hacked as well. am using expose. i removed the .php and one .jpg file from the components/com_expose/expose/img directory and replaced the index.php file (as mentioned above).
but i notice a fix was posted with a link. that link does not work. what else do i have to do to prevent a repeat of this problem?
thanks - i'm not an experienced web manager so i appreciate any help.
- aravot
- Joomla! Ace
- Posts: 1015
- Joined: Thu Aug 18, 2005 1:16 am
- Location: Glendale, CA, USA
Re: Expose Flash Gallery RC4 vulnerability
I got hacked too.
Question, on same account as my expose domain I have 8 other domains hosted, do you think they are affected too?
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Jul 19, 2007 11:30 am
Re: Expose Flash Gallery RC4 vulnerability
Another domain, on which I use exposé as well, was infected too. But fortunately the problem is solved now. I recommend immediate checkup of all domains where you use exposé.
- doctorj
- Joomla! Intern
- Posts: 87
- Joined: Sun Sep 04, 2005 4:42 am
- Location: San Francisco, CA, USA
Re: Expose Flash Gallery RC4 vulnerability
axl_fugazi wrote: hi so my site got hacked as well. am using expose. i removed the .php and one .jpg file from the components/com_expose/expose/img directory and replaced the index.php file (as mentioned above).
but i notice a fix was posted with a link. that link does not work. what else do i have to do to prevent a repeat of this problem?
thanks - i'm not an experienced web manager so i appreciate any help.
The link is here http://joomlacode.org/gf/download/frsre ... 7.2007.zip it is best to always watch the root here: http://joomlacode.org/gf/project/expose/frs/ , the link changes every time I update the package. My apologies for that.
Last edited by doctorj on Sat Jul 21, 2007 5:00 pm, edited 1 time in total.
-
- Joomla! Intern
- Posts: 56
- Joined: Wed May 02, 2007 7:34 am
Re: Expose Flash Gallery RC4 vulnerability
i've done everything as explained and still seems the same...
what i've done:
removed all .php files in 'img' directory
removed the two .php files >uploadimg.php & uploadimage.php
installed the patch (overwrote the 4 files in the zip file)
removed old 'index.php' and uploaded a new one from the joomla download
I've done all the above and i still can't access my site, please help me.
Last edited by yazeft on Mon Jul 23, 2007 2:25 pm, edited 1 time in total.
- doctorj
- Joomla! Intern
- Posts: 87
- Joined: Sun Sep 04, 2005 4:42 am
- Location: San Francisco, CA, USA
Re: Expose Flash Gallery RC4 vulnerability
You might want to try to use JoomlaXplorer but chmod the main administrator/components/com_expose folder to 777 and check the box to recurse into sub-directories. Sometimes (depending on how your hosting provider configured the server) the files are uploaded and owned by "nobody" or "httpd" instead of your user account so you can remove them.
After you delete the files make sure you set the directory back to 755 and the files inside the folder to 644.
If this doesn't work contact your hosting provider and someone with root access can remove them for you.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Mon Jul 23, 2007 4:36 pm
Re: Expose Flash Gallery RC4 vulnerability
I can't change the CHMOD via ftp "550 admin.expose.html.php: Operation not permitted"
I cannot connect to my site: www.wanderfreunde-edelweiss.net to use the joomlaexplorer...
I've got a full Backup of the FTP Data - what files do I need to replace in order to get access to the site again?
- doctorj
- Joomla! Intern
- Posts: 87
- Joined: Sun Sep 04, 2005 4:42 am
- Location: San Francisco, CA, USA
Re: Expose Flash Gallery RC4 vulnerability
At this point you will need to contact your hosting provider so they can delete it using root access. JoomlaXplorer only works when you have Joomla =(
Sorry for the hassle.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Mon Jul 23, 2007 4:36 pm
Re: Expose Flash Gallery RC4 vulnerability
nope I'm lucky - I had to replace my configuration.php & index.php
For all noobs like me - the CH MOD of the configuration.php needs to be set to: 444
- doctorj
- Joomla! Intern
- Posts: 87
- Joined: Sun Sep 04, 2005 4:42 am
- Location: San Francisco, CA, USA
Re: Expose Flash Gallery RC4 vulnerability
I would just make sure you don't have any other files (as mentioned above) laying around. If the infected file is still there you could be in a world of pain. I had this same issue with 3 other components. It sucks, but free software can't be perfect.
Let me know if you need anything.
-Josh
-
- Joomla! Fledgling
- Posts: 2
- Joined: Tue Mar 13, 2007 5:43 am
Re: Expose Flash Gallery RC4 vulnerability
Hi all,
I have applied the patch, deleted the two .php files, replaced the configuration.php and index.php and now the site is showing this error.
Warning: require_once(W:/www/louise/includes/version.php) [function.require-once]: failed to open stream: No such file or directory in /home/.ouida/tomhay/onelou.com/includes/joomla.php on line 71
Fatal error: require_once() [function.require]: Failed opening required 'W:/www/louise/includes/version.php' (include_path='.:/usr/local/php5/lib/php:/usr/local/lib/php') in /home/.ouida/tomhay/onelou.com/includes/joomla.php on line 71
I am a bit new to this so any help would be most appreciated.
Tom