[UPGRADE AVAIL.] Vulnerability in SIMPLEBOARD

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Peter Koch
Joomla! Explorer
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 8:54 pm

[UPGRADE AVAIL.] Vulnerability in SIMPLEBOARD

Postby Peter Koch » Mon Jul 10, 2006 11:17 am

The FacileForms site today also got defaced by somebody calling himself GokTurk, he replaced configuration.php.

We are running joomla 1.0.10. We were before running mambo 4.5.2 and never had any such problem.

From the server logs it could also be a vulnerability in com_docman instead of Joomla itself, but this is yet unconfirmed.

The offending IP was 85.108.211.155, belonging to TurkTelecom. All IP's of TurkTelecom have been locked out from the FacileForms for security, and I highly recommend every Joomla user to do the same until this security hole is fixed. Also make sure your configuration.php is write protected (chmod 444)
Last edited by RobS on Wed Jul 19, 2006 5:01 am, edited 1 time in total.

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby RobS » Mon Jul 10, 2006 11:27 am

It would be extremely helpful if you could send me a copy of the relevant log information by PM or contact me by PM and I will give you my email address.  I have seen a couple of reports of an issue but have not seen any logs or indication as to what they are actually doing. 

Thanks
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1122
Joined: Sat Aug 20, 2005 12:32 pm
Location: Weymouth, UK
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby PhilTaylor-Prazgod » Mon Jul 10, 2006 11:29 am

I personally helped someone yesterday who had Joomla 1.0.10 and got hacked - but it was a SimpleBoard hack and not a joomla hack
Phil Taylor - Full Time Joomla/PHP Security Expert
Blue Flame IT Ltd.
-- https://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- https://www.phil-taylor.com/

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11305
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby brian » Mon Jul 10, 2006 11:30 am

Yes well I posted a known vulnerability announcement in this forum about simpleboard sometime ago.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Peter Koch
Joomla! Explorer
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 8:54 pm

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby Peter Koch » Mon Jul 10, 2006 11:41 am

I cannot exclude simpleboard at this time, but I'm still anayzing the logs.

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby RobS » Mon Jul 10, 2006 11:48 am

Correct, there have also been reports of another vulnerability in Simpleboard that we are investigating.  From what I understand, Simpleboard isn't maintained for Joomla anymore and was replaced by an offshoot Joomlaboard.  I have tried to go to the Simpleboard maintainer's website but it is having issues.  
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

Mike G.
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Mon Jul 10, 2006 11:57 am

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby Mike G. » Mon Jul 10, 2006 12:02 pm

Same problem at one of our sites this morning ... someone calling himself ENO7 TURKISH HACKER replaced the configuration.php with some html code displaying his message and a picture.

We are running joomla 1.0.10 since it was released, there was also phpBB2 component installed, but no simpleboard.

The process is currently under investigation.

Regards,

Mike

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby Elpie » Mon Jul 10, 2006 12:03 pm

Is anyone on your server running php-Nuke Peter? This idiot has mainly gone after php-Nuke sites. GokTurk and the sanalkabus.org attacks have been from the same origin and so far, have relied on incorrect file permissions and register_globals ON to get in.
He is usually very obliging, and tells you which files have been defaced (usually index.php and configuration.php) and doesn't touch anything else. I hope your attack is nothing more than this.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

Peter Koch
Joomla! Explorer
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 8:54 pm

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby Peter Koch » Mon Jul 10, 2006 12:38 pm

Yes, it finally is simpleboard!

We were running simpleboard, allthough all in read-only as reference for old posts (we are on SMF since 2 months now)

This is the offending entry from the log file:

Code: Select all

Code removed for security.


I HIGHLY RECOMMEND EVERYBODY WITH SIMPLEBOARD INSTALLED TO DISABLE IT IMMEDIATELY BY RENAMING THE FOLDER /components/com_simpleboard UNTIL A FIX FOR THE PROBLEM IS FOUND. UNPUBLISHING IT WILL NOT HELP, EITHER RENAME AS ADVISED OR UNINSTALL COMPLETELY.
Last edited by Anonymous on Mon Jul 10, 2006 12:47 pm, edited 1 time in total.

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1122
Joined: Sat Aug 20, 2005 12:32 pm
Location: Weymouth, UK
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby PhilTaylor-Prazgod » Mon Jul 10, 2006 12:41 pm

I saw an example with file_upload.php and not image_upload.php
Phil Taylor - Full Time Joomla/PHP Security Expert
Blue Flame IT Ltd.
-- https://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- https://www.phil-taylor.com/

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby RobS » Mon Jul 10, 2006 12:45 pm

We were made aware of the vulnerability in image_upload a day or two ago.  I have since attempted to contact the developers of SimpleBoard/JoomlaBoard but have not heard back as of yet.  They should be aware of both issues now. 
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby RobS » Mon Jul 10, 2006 12:49 pm

@Peter Koch,

Could you please PM me the relevant log.

Thankyou.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
LorenzoG
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3011
Joined: Fri Aug 19, 2005 8:46 am
Location: Stockholm, Sweden
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby LorenzoG » Mon Jul 10, 2006 12:54 pm

Does anyone know if this vulnerability also affect joomlaboard?

Thanks

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby RobS » Mon Jul 10, 2006 12:57 pm

I am not sure how long ago the deviation occured but to be on the safe side, I would assume that it does.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

Peter Koch
Joomla! Explorer
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 8:54 pm

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby Peter Koch » Mon Jul 10, 2006 1:03 pm

Rob, I am preparing a complete log of all his activities and will PM it to you in short.

davidrrm
Joomla! Explorer
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby davidrrm » Mon Jul 10, 2006 1:42 pm

To be on the safe side, I've renamed my com_joomlaboard directories, but after reviewing the SimpleBoard and the JoomlaBoard code, I believe this is a SimpleBoard only problem. Unfortunately since the exploit has been edited from the forum and I'm not one of those people "in the know" I can't say for certain.

RobS (or anyone else) - If you need an extra hand investigating this, feel free contact me. I'm on the east coast of the US so my day is just starting.

david

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby RobS » Mon Jul 10, 2006 3:30 pm

Upon further investigation and a helpful suggestion by Elpie and Counterpoint at mamboguru.com who posted this http://forum.joomla.org/index.php/topic,75390.0.html

It seems that the problem that is facing both com_extcalender and com_simpleboard is a lack of valid component checking making it possible to call the php files for those components directly and additionally, include more PHP from a remote site into the code to execute.

I have checked Simpleboard 1.1.0 and it does have this problem however Joomlaboard 1.1.2 should NOT be affected by this problem.  You have a couple of options for dealing with this problem.  1.  Update your Simpleboard installations to Joomlaboard.  2. Manually insert the necessary code into all files installed by Simpleboard and com_ExtCalendar (Extended Calender 2) if you happen to be running that.

This code should be in all files installed by com_simpleboard and com_extcalender.  Basically, everything in /path/to/Joomla/components/com_extcalender,  /path/to/Joomla/administrator/components/com_extcalender, /path/to/Joomla/components/com_simpleboard, and /path/to/Joomla/administrator/components/com_simpleboard

Code: Select all

// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );


Refer to this link for more information about extCalender: http://forum.joomla.org/index.php/topic,75390.0.html
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

xirito
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Mon Jul 10, 2006 4:24 pm

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby xirito » Mon Jul 10, 2006 4:26 pm

TITLE:
Mambo SimpleBoard Component "sbp" File Inclusion Vulnerability

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
SimpleBoard 1.x (component for Mambo)
http://secunia.com/product/10318/

DESCRIPTION:
h4ntu has discovered a vulnerability in the SimpleBoard component for
Mambo, which can be exploited by malicious people to compromise a
vulnerable system.

Input passed to the "sbp" parameter in
components/com_simpleboard/image_upload.php isn't properly verified,
before it is used to include files. This can be exploited to include
arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 1.1.0. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

PROVIDED AND/OR DISCOVERED BY:
h4ntu

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/1994

Anyone can tell me where i should moderate the file?
:-[

EDIT: Topic merged
Last edited by infograf768 on Mon Jul 10, 2006 4:55 pm, edited 1 time in total.

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby RobS » Mon Jul 10, 2006 4:38 pm

We are aware of the problem and have addressed it in other topics on this board. 

See: http://forum.joomla.org/index.php/topic,75390.0.html
And: http://forum.joomla.org/index.php/topic,75668.0.html

EDIT: Topic merged
Last edited by infograf768 on Mon Jul 10, 2006 4:55 pm, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

thewatcher
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 218
Joined: Fri Feb 17, 2006 4:30 pm
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby thewatcher » Tue Jul 11, 2006 11:24 am

Thanks for the update folks. Very helpful information.

I would like to know what is the effect to joomla if Global_regiser is OFF?

Need to do more research on this board I guess.

:)
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby RobS » Tue Jul 11, 2006 11:28 am

None, Joomla! does not require register globals.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

thewatcher
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 218
Joined: Fri Feb 17, 2006 4:30 pm
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby thewatcher » Tue Jul 11, 2006 11:43 am

RobS wrote:None, Joomla! does not require register globals.


thanks robs.
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6

Social Spider
Joomla! Apprentice
Joomla! Apprentice
Posts: 25
Joined: Tue Nov 15, 2005 4:59 pm

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby Social Spider » Tue Jul 11, 2006 11:55 am

had the same issues. the css files werent loading either. then i renamed the simpleboard folder and its fixed itself. weird.

and i thought i was the only one to be effected.

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11305
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby brian » Tue Jul 11, 2006 12:20 pm

CAn I respectfully suggest that people subscirbe to this forum for notifications of new posts.

I reported the vulnerability in simpleboard back on June 2
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Peter Koch
Joomla! Explorer
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 8:54 pm

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby Peter Koch » Tue Jul 11, 2006 1:29 pm

brian wrote:CAn I respectfully suggest that people subscirbe to this forum for notifications of new posts.

I reported the vulnerability in simpleboard back on June 2


You are pefectly right about the subscription.

However may I respectfully remark we are discussing here a new issue classified as highly critical in http://secunia.com/advisories/20981/, and not the  moderately critical issue you posted back in june.

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11305
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby brian » Tue Jul 11, 2006 1:35 pm

Maybe so but the previous warning was still ignored.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Peter Koch
Joomla! Explorer
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 8:54 pm

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby Peter Koch » Tue Jul 11, 2006 2:02 pm

brian wrote:Maybe so but the previous warning was still ignored.


I think it would be a wonderful new option for joomla to automaticly get a security warning when logging into the backend and one of the installed components has been detected as vulnerable. Joomla (and mambo) has all information such as component / mambot / module names and versions allready, and also all php / mysql / apache informations so nothing really stands against an implementation.

After all the latest security issues around joomla / mambo and its hundrets of add-ons there should be urgently something be done to improve security even for those ten-thousands of users that never visit a forum or ask secunia.

But I guess this is not the thread to discuss it.

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11305
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby brian » Tue Jul 11, 2006 2:03 pm

You are right. Perhaps if there was an rss feed filter component written for the admin that would read secunia and this forum for security announcements filtered on the words joomla
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1122
Joined: Sat Aug 20, 2005 12:32 pm
Location: Weymouth, UK
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby PhilTaylor-Prazgod » Tue Jul 11, 2006 2:04 pm

brian wrote:You are right. Perhaps if there was an rss feed filter component written for the admin that would read secunia and this forum for security announcements filtered on the words joomla


I already have this set up in feeddemon :-)
Phil Taylor - Full Time Joomla/PHP Security Expert
Blue Flame IT Ltd.
-- https://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- https://www.phil-taylor.com/

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: WARNING: Vulnerability in SIMPLEBOARD

Postby Elpie » Tue Jul 11, 2006 2:10 pm

Me too - mine's called "eyes" ;)

Although, I have to say, with this latest crop of vulnerabilities I am spending some time hanging out with blackhats lately and find a quick daily check of proof of concept exploits has been very interesting.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Return to “3rd Party/Non Joomla! Security Issues”

Who is online

Users browsing this forum: No registered users and 1 guest