[UPGRADE AVAIL.] Community builder vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

User avatar
nomisg
Joomla! Apprentice
Joomla! Apprentice
Posts: 36
Joined: Thu Mar 23, 2006 4:09 am
Contact:

[UPGRADE AVAIL.] Community builder vulnerability

Postby nomisg » Thu Aug 10, 2006 12:23 am

Last edited by RobS on Thu Aug 10, 2006 8:13 pm, edited 1 time in total.
www.AussieBball.com Australian basketball forum and news

User avatar
nomisg
Joomla! Apprentice
Joomla! Apprentice
Posts: 36
Joined: Thu Mar 23, 2006 4:09 am
Contact:

Re: Site hacked : hacked by da_jackass

Postby nomisg » Thu Aug 10, 2006 1:05 am

OK another update.

It actually seams to be an issue with community builder.

You will also need to restore from back-up

administrator/components/com_comprofiler/plugin.class.php

There is a known security issue from CB please see http://www.joomlapolis.com/

But they actually seam to be down as well, but they are releasing a security patch shortly
www.AussieBball.com Australian basketball forum and news

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18012
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Site hacked : hacked by da_jackass : community builder issue!!

Postby infograf768 » Thu Aug 10, 2006 5:58 am

Upgrade availabale: http://forge.joomla.org/sf/frs/do/viewR ... 0_1_stable

Title changed and moved to 3pd security forum
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
crash777
Joomla! Explorer
Joomla! Explorer
Posts: 334
Joined: Sat Sep 03, 2005 1:56 am
Location: Upstate New York

Re: Community builder vulnerability, version 1.01 released

Postby crash777 » Thu Aug 10, 2006 9:34 am

Okay.. so Joomlapolis recommends this setting for EVERYONE but especially for those with "weakly configured servers".
From Joomlapolis:
Your site needs urgent update to CB 1.0.1 if ALL of these PHP settings are met:

  1. php register_globals set to ON
  2. allow_url_fopen is ON
  3. no open base directory limitations set
  4. php code directories have write permissions from web-server process

For everyones understanding (and mine...):
1. register globals can be set via the php ini file
2. allow_url_fopen - Not sure where this setting is... anyone?
3. This is a setting in a reseller whm panel under tweak settings
4. write permissions from web-server process??
Thanks!
Aaron

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Community builder vulnerability, version 1.01 released

Postby RobS » Thu Aug 10, 2006 3:40 pm

The first three are all PHP settings configurable in php.ini

register_globals = Off
allow_url_fopen = Off
open_basedir = /usr/local/something/like/this

The 4th is a matter of permissions.  If a file or folder is world writeable (like 666, 777) then it is writeable by the web servers user process which is a security issue but also a functionality issue.  As usual, a balancing act.  Hope that helps.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
crash777
Joomla! Explorer
Joomla! Explorer
Posts: 334
Joined: Sat Sep 03, 2005 1:56 am
Location: Upstate New York

Re: Community builder vulnerability, version 1.01 released

Postby crash777 » Thu Aug 10, 2006 3:57 pm

Thanks for the info!
I spaced it with permissions.. haha. I knew that..
(..and there are plenty of posts on how to set this..) Thanks again!
Thanks!
Aaron

HalJordan
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Jul 23, 2006 3:27 am

Re: [UPGRADE AVAIL.] Community builder vulnerability

Postby HalJordan » Tue Aug 15, 2006 4:24 am

Just as a followup, someone was exploiting a vulnerability in plugin.class.php in RC2 on our site. Our host had to shut off access to our site -- http://www.thewyvernportal.com -- (on the day I was presenting it to my fellow faculty members, of course) because his servers were being flooded.
Not sure about Joomla (not familiar with that software), but the exploit
was most definitely that described in the Secunia advisory, and the exact
file being exploited was:

  /mambo/administrator/components/com_comprofiler/plugin.class.php

This morning, we had a team of our guys trying to find out what was
happening on our servers (the cpu load had skyrocketed on 4 of our
cluster servers), and it turns out about 40 processes were running
a remote UDP flood script that was downloaded and executed through
the vulnerability in that script.
The flood script was spreading "a worm that is used to launch denial
of service attacks on other sites," my host said tonight.

The secunia advisory was one for mambo 4.5.2: http://secunia.com/advisories/14337

I am not sure if it applies to Joomla 1.0.10 and CB RC2, but my host's staff says it does. I have applied the 1.0.1 update, so I hope it fixes the problem.

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18012
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: [UPGRADE AVAIL.] Community builder vulnerability

Postby infograf768 » Tue Aug 15, 2006 6:30 am

1.0.1 and the above php settings should do it.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: [UPGRADE AVAIL.] Community builder vulnerability

Postby RobS » Tue Aug 15, 2006 6:36 am

Keep in mind that allow_url_fopen = Off will break some site functionality, if you search for discussion regarding that setting you will find more detailed information about which site functionality will be broken.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

HalJordan
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Jul 23, 2006 3:27 am

Re: [UPGRADE AVAIL.] Community builder vulnerability

Postby HalJordan » Tue Aug 15, 2006 2:45 pm

It worked. No complaints from my host.

BTW, some of us do not have access to php.ini or to Apache settings. Component coders need to take these facts into consideration.

User avatar
Beat
Joomla! Guru
Joomla! Guru
Posts: 836
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland
Contact:

Re: [UPGRADE AVAIL.] Community builder vulnerability

Postby Beat » Wed Aug 16, 2006 11:09 pm

Just noticed this thread...  ;)

As updated also on http://www.joomlapolis.com :

setting register_globals to OFF is *not sufficient* to put it OFF ! :(

Joomla 1.0.10 still emulates that to ON in globals.php even when it is set to OFF in php.ini !!!

See here howto put it off for sure:

http://forum.joomla.org/index.php/topic ... w.html#new

N.b. updating to Community Builder 1.0.1 is enough to close the known vulnerability (independantly of register_globals).
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

HalJordan
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Jul 23, 2006 3:27 am

Re: [UPGRADE AVAIL.] Community builder vulnerability

Postby HalJordan » Thu Aug 17, 2006 2:08 am

How would changing this setting affect things if your host has register_globals ON? Mine uses Sun Solaris and Apache. 

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18012
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: [UPGRADE AVAIL.] Community builder vulnerability

Postby infograf768 » Thu Aug 17, 2006 6:08 am

Although it can't replace a global setting of RegisterGlobals off for the server, it does emulate that setting for the Joomla install itself.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
Beat
Joomla! Guru
Joomla! Guru
Posts: 836
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland
Contact:

Re: [UPGRADE AVAIL.] Community builder vulnerability

Postby Beat » Fri May 02, 2008 2:54 pm

Please note that a new exploit (blind SQL injection) got published in hacker sites for CB 1.0.0 and 1.0.1, please upgrade to CB 1.0.2 at very least, and preferably to CB 1.1, as those two releases are not affected by that vulnerability. CB 1.0.2 is released since over 1 year and was a security release...

The vulnerability requires PHP magic_quotes_gpc to be OFF to succeed, and Joomla version to be below Joomla 1.0.12 to be of high level.

Best is to stay up to date with security releases...

I don't have edit rights at help.joomla.org here:
http://help.joomla.org/component/option ... temid,268/

Please could someone of the help team change "<= 1.0.0" ---> "<= 1.0.1" and "1.0.1" to "1.0.2 or 1.1" on that page ?

Thanks.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Return to “3rd Party/Non Joomla! Security Issues”

Who is online

Users browsing this forum: No registered users and 2 guests