Website with Joombah Jobs Hacked

[robertsm]

I am running a Joombah site (not listed as a vulnerable extension: http://docs.joomla.org/Vulnerable_Extensions_List) that was recently hacked. The hacker registered as a job seeker, then proceeded to upload files using the resumé upload feature. In my case the hacker uploaded a PHP script, using a JPG extension for the script, that he was then able to exploit using the PHP interpreter. My host has informed me that this is possible using other file extensions as well (.doc, .docx, etc), depending on how rewrite is implemented in htaccess (the htaccess file that was in place at time of attack is attached).

Edit: The hacker did upload a php script with a JPG extension, but that is not the complete story of how he did the hack. For security reasons, I am not going to post more about the actual exploit.

It appears that the hacker was then able to upload a separate PHP script that he used to send out spam.

I was running Joombah 1.3.3 and, admittedly, Joomla 2.5.4 (which I have since updated to 2.5.8). I have PM'd the Admin of the Joombah forums (approx 15 hours ago) and posted on their forums but still have not received a response.

Site hacked by uploading PHP script disguised as JPG or possibly DOC/DOCX file

Site taken offiline.
Upgraded Joomla from 2.5.4 to 2.5.8
Contacted (and still awaiting response) Joombah RE the hack

Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M

MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 17.36 MiB | #of Tables:  180

PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Core Folders :: --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) |

Elevated Permissions (First 10) :: --protected-- (775) | --protected-- (775) | --protected-- (775) | --protected-- (775) | --protected-- (775) |

Strict Information Privacy was selected. Nothing to display.

_FPA_STRICT Information Privacy Nothing to display.

Additional log information below (with hacker's IP and my domain obfuscated)

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:58:50 -0400] "POST /jobs/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 14 "http://www.website.org/jobs/index.php?option=com_jbjobs&view=jobseeker&layout=regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:59:34 -0400] "POST /jobs/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/index.php?option=com_jbjobs&view=jobseeker&layout=regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:04:47 -0400] "POST /jobs/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/index.php?option=com_jbjobs&view=jobseeker&layout=regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:04:56 -0400] "POST /jobs/component/jbjobs/jobseeker/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 69 "http://www.website.org/jobs/component/jbjobs/jobseeker/regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:29 -0400] "POST /jobs/component/users/?task=user.login HTTP/1.1" 303 5 "http://www.website.org/jobs/component/users/?view=login" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:59 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/employer-logindashboard/jobseeker/regjobseeker" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:28 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/employer-logindashboard/jobseeker/editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:43 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/employer-logindashboard/jobseeker/editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:34:28 -0400] "POST /jobs/images/jbjobs/pf/p_259_1351908403.php HTTP/1.1" 200 358 "http://www.website.org/jobs/images/jbjobs/pf/p_259_1351908403.php" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

MODS: I have a copy of the fake JPG file/PHP Script. If you would like I can PM the contents of it to you.

Any help/advice on where to go next to button this issue down would be greatly appreciated.

[robertsm]

Not sure if it matters (for use with extensions), but "Check MIME Types" is enabled in the media manager.

[mandville]

looking at your fpa results (please repost with extensions viewable) i was concerned over the use of the 775 folders - why?
the extension is two versions behind, assuming you are using the proper un nulled version.
the dev may need to include a htaccess similar to checklist 7 that prevents scripts running in folders

[robertsm]

mandville - thank you for the reply. I really appreciate the help. I've created a new directory to work on an upgrade of this extension and I have run an FPA on the latest release. I will post that in the next response.
Here's an FPA without restrictions (only my domain changed).

Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M

MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 17.36 MiB | #of Tables:  180

PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: administrator/components/com_jbjobs/elements/ (775) | administrator/components/com_jbjobs/elements/js/ (775) | administrator/components/com_jbjobs/language/ (775) | administrator/components/com_jbjobs/language/en-GB/ (775) | cache/Gantry/ (775) |

Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) | Blackout (2.2.0) | Default (2.2.0) | Blueface (2.2.0) | Bubble (2.2.0) |
Components :: ADMIN :: com_search (2.5.0) | com_plugins (2.5.0) | Gantry (4.1.2) | com_joomlaupdate (2.5.0) | com_modules (2.5.0) | com_messages (2.5.0) | com_templates (2.5.0) | com_cpanel (2.5.0) | RokGallery (1.4) | com_checkin (2.5.0) | COM_FRONTENDUSERACCESS (4.0.0) | User - Frontend-User-Access (4.0.0) | System - Frontend-User-Access (4.0.0) | com_languages (2.5.0) | com_cache (2.5.0) | com_admin (2.5.0) | com_config (2.5.0) | com_banners (2.5.0) | com_users (2.5.0) | com_menus (2.5.0) | RokModule (1.1) | com_content (2.5.0) | com_login (2.5.0) | com_weblinks (2.5.0) | RokCandy (1.1) | com_media (2.5.0) | JomSocial (2.2.4) | com_categories (2.5.0) | com_redirect (2.5.0) | Akeeba (3.6.9) | com_newsfeeds (2.5.0) | COM_JBJOBS (1.3.3) | com_installer (2.5.0) | com_finder (2.5.0) |

Modules :: SITE :: JoomBah Indeed.com (1.3.2) | mod_banners (2.5.0) | JoomBah Jobs Category (1.3.2) | RokTabs (1.5) | mod_search (2.5.0) | RokAjaxSearch (1.0) | RokStats (2.6) | JoomBah Latest Jobs (1.3.2) | JoomBah Latest Jobs Mini (1.3.2) | Login Register (1.5.6) | mod_languages (2.5.0) | mod_frontenduseraccessmenu (4.0.0) | mod_articles_news (2.5.0) | mod_random_image (2.5.0) | JoomBah Jobs Tags (1.3.2 - 04.10) | mod_articles_category (2.5.0) | mod_custom (2.5.0) | mod_whosonline (2.5.0) | mod_articles_latest (2.5.0) | Upcoming Events (2.0.0) | RokTwittie (1.4) | mod_feed (2.5.0) | JoomBah Jobs Search (1.3.2) | mod_stats (2.5.0) | mod_finder (2.5.0) | RokNavMenu (1.6) | mod_login (2.5.0) | RokGallery Module (1.4) | JoomBah Latest Resume (1.3.2) | mod_articles_archive (2.5.0) | RokNewsPager (1.1) | mod_users_latest (2.5.0) | mod_breadcrumbs (2.5.0) | mod_weblinks (2.5.0) | JoomBah Feeds (1.3.2) | mod_articles_categories (2.5.0) | mod_related_items (2.5.0) | mod_footer (2.5.0) | mod_wrapper (2.5.0) | mod_syndicate (2.5.0) | mod_menu (2.5.0) | JoomBah Jobs Statistics (1.3.2) | mod_articles_popular (2.5.0) |
Modules :: ADMIN :: mod_toolbar (2.5.0) | mod_title (2.5.0) | RokUserChart (2.6) | RokAdminAudit (2.6) | mod_status (2.5.0) | mod_latest (2.5.0) | mod_custom (2.5.0) | mod_submenu (2.5.0) | RokQuickLinks (2.6) | mod_feed (2.5.0) | mod_multilangstatus (2.5.0) | mod_quickicon (2.5.0) | RokUserStats (2.6) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_version (2.5.0) | mod_menu (2.5.0) | mod_popular (2.5.0) |

Plugins :: SITE :: plg_captcha_recaptcha (2.5.0) | plg_extension_joomla (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_contacts (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_geshi (2.5.0) | plg_content_finder (2.5.0) | Content - RokBox (1.1) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | Button - RokCandy (1.1) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_user_joomla (2.5.0) | User - Jomsocial User (1.8.1) | User - Frontend-User-Access (4.0.0) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | User - JoomBah Free Plan On Ex (1.3.2) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_contacts (2.5.0) | Unknown (-) | My Contacts (2.0.0) | Walls (2.0.0) | Allvideo (2.0.0) | Invite (2.0.0) | Editor - My Photos (2.0.0) | Latest Photos (2.0.0) | Wordfilter (2.0.0) | System (2.0.0) | plg_editors_tinymce (3.5.4.1) | Editor - RokPad (1.2) | plg_editors_codemirror (1.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | System - Jomsocial Facebook Co (1.0) | plg_system_cache (2.5.0) | plg_system_sef (2.5.0) | System - JoomBah Force Profile (1.3.2) | System - Frontend-User-Access (4.0.0) | System - Gantry (4.1.2) | System - JoomBah Jobs Redirect (1.3.2) | System - RokTracking (2.6) | System - RokExtender (1.0) | plg_system_log (2.5.0) | plg_system_highlight (2.5.0) | System - RokCandy (1.1) | plg_system_remember (2.5.0) | System - MaQma Social Menu (1.2) | System - Zend Lib (1.11.4) | plg_system_redirect (2.5.0) | System - MissionControl Suppor (2.6) | plg_system_debug (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_p3p (2.5.0) | System - JoomBah Feeds (1.3.2) | Jomsocial Update (1.5) | System - JoomBah Cron (1.3.2) | System - RokGZipper (1.0) | System - RokBox (1.1) | plg_system_logout (2.5.0) | plg_system_languagecode (2.5.0) | System - osolCaptcha (1.0.6b) | Azrul System Mambot For Joomla (3.3) |

Templates :: SITE :: beez5 (2.5.0) | beez_20 (2.5.0) | atomic (2.5.0) | rt_camber (1.1) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) | rt_missioncontrol (2.6) |

[robertsm]

Here is an FPA, running the latest release of JoomBah Jobs 1.3.5 RC...

Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M

MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 6.00 MiB | #of Tables:  180

PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: administrator/components/com_jbjobs/elements/ (775) | administrator/components/com_jbjobs/elements/js/ (775) | administrator/components/com_jbjobs/language/ (775) | administrator/components/com_jbjobs/language/en-GB/ (775) | cache/Gantry/ (775) |

Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) | Blackout (2.2.0) | Default (2.2.0) | Blueface (2.2.0) | Bubble (2.2.0) |
Components :: ADMIN :: com_search (2.5.0) | com_plugins (2.5.0) | Gantry (4.1.2) | com_joomlaupdate (2.5.0) | com_modules (2.5.0) | com_messages (2.5.0) | com_templates (2.5.0) | com_cpanel (2.5.0) | RokGallery (1.4) | com_checkin (2.5.0) | COM_FRONTENDUSERACCESS (4.0.0) | User - Frontend-User-Access (4.0.0) | System - Frontend-User-Access (4.0.0) | com_languages (2.5.0) | com_cache (2.5.0) | com_admin (2.5.0) | com_config (2.5.0) | com_banners (2.5.0) | com_users (2.5.0) | com_menus (2.5.0) | RokModule (1.1) | com_content (2.5.0) | com_login (2.5.0) | com_weblinks (2.5.0) | RokCandy (1.1) | com_media (2.5.0) | JomSocial (2.2.4) | com_categories (2.5.0) | com_redirect (2.5.0) | Akeeba (3.6.9) | com_newsfeeds (2.5.0) | COM_JBJOBS (1.3.5 RC) | com_installer (2.5.0) | com_finder (2.5.0) |

Modules :: SITE :: JoomBah Indeed.com (1.3.5) | mod_banners (2.5.0) | JoomBah Jobs Category (1.3.5) | RokTabs (1.5) | mod_search (2.5.0) | RokAjaxSearch (1.0) | RokStats (2.6) | JoomBah Latest Jobs (1.3.5) | JoomBah Latest Jobs Mini (1.3.5) | Login Register (1.5.6) | mod_languages (2.5.0) | mod_frontenduseraccessmenu (4.0.0) | mod_articles_news (2.5.0) | mod_random_image (2.5.0) | JoomBah Jobs Tags (1.3.2 - 04.10) | mod_articles_category (2.5.0) | mod_custom (2.5.0) | mod_whosonline (2.5.0) | mod_articles_latest (2.5.0) | Upcoming Events (2.0.0) | RokTwittie (1.4) | mod_feed (2.5.0) | JoomBah Jobs Search (1.3.5) | mod_stats (2.5.0) | JoomBah Jobs Top Employer (1.3.5) | mod_finder (2.5.0) | RokNavMenu (1.6) | mod_login (2.5.0) | RokGallery Module (1.4) | JoomBah Latest Resume (1.3.5) | mod_articles_archive (2.5.0) | RokNewsPager (1.1) | mod_users_latest (2.5.0) | mod_breadcrumbs (2.5.0) | mod_weblinks (2.5.0) | JoomBah Feeds (1.3.5) | mod_articles_categories (2.5.0) | mod_related_items (2.5.0) | mod_footer (2.5.0) | mod_wrapper (2.5.0) | mod_syndicate (2.5.0) | mod_menu (2.5.0) | JoomBah Jobs Statistics (1.3.5) | mod_articles_popular (2.5.0) |
Modules :: ADMIN :: mod_toolbar (2.5.0) | mod_title (2.5.0) | RokUserChart (2.6) | RokAdminAudit (2.6) | mod_status (2.5.0) | mod_latest (2.5.0) | mod_custom (2.5.0) | mod_submenu (2.5.0) | RokQuickLinks (2.6) | mod_feed (2.5.0) | mod_multilangstatus (2.5.0) | mod_quickicon (2.5.0) | RokUserStats (2.6) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_version (2.5.0) | mod_menu (2.5.0) | mod_popular (2.5.0) |

Plugins :: SITE :: plg_captcha_recaptcha (2.5.0) | plg_extension_joomla (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_contacts (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_geshi (2.5.0) | plg_content_finder (2.5.0) | Content - RokBox (1.1) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | Button - RokCandy (1.1) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_user_joomla (2.5.0) | User - Jomsocial User (1.8.1) | User - Frontend-User-Access (4.0.0) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | User - JoomBah Free Plan On Ex (1.3.2) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_contacts (2.5.0) | Unknown (-) | My Contacts (2.0.0) | Walls (2.0.0) | Allvideo (2.0.0) | Invite (2.0.0) | Editor - My Photos (2.0.0) | Latest Photos (2.0.0) | Wordfilter (2.0.0) | System (2.0.0) | plg_editors_tinymce (3.5.4.1) | Editor - RokPad (1.2) | plg_editors_codemirror (1.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | System - Jomsocial Facebook Co (1.0) | plg_system_cache (2.5.0) | plg_system_sef (2.5.0) | System - JoomBah Force Profile (1.3.5) | System - Frontend-User-Access (4.0.0) | System - Gantry (4.1.2) | System - JoomBah Jobs Redirect (1.3.5) | System - RokTracking (2.6) | System - RokExtender (1.0) | plg_system_log (2.5.0) | plg_system_highlight (2.5.0) | System - RokCandy (1.1) | plg_system_remember (2.5.0) | System - MaQma Social Menu (1.2) | System - Zend Lib (1.11.4) | plg_system_redirect (2.5.0) | System - MissionControl Suppor (2.6) | plg_system_debug (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_p3p (2.5.0) | System - JoomBah Feeds (1.3.5) | Jomsocial Update (1.5) | System - JoomBah Cron (1.3.5) | System - RokGZipper (1.0) | System - RokBox (1.1) | plg_system_logout (2.5.0) | plg_system_languagecode (2.5.0) | System - osolCaptcha (1.0.6a) | Azrul System Mambot For Joomla (3.3) |

Templates :: SITE :: beez5 (2.5.0) | beez_20 (2.5.0) | atomic (2.5.0) | rt_camber (1.1) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) | rt_missioncontrol (2.6) |

[robertsm]

Update regarding Joombah Version: 1.3.5 RC (and v 1.3.3)
No MIME Type check seems to be occurring. I was able to upload a PHP script with both a .doc & .jpg file extension without any difficulty using the Joombah Resumé upload feature.

[mandville]

I would sugest that you add a htaccess file to the upload directory
with the following code
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

if you contunue to use the script, email your findings to vel@ joomla.org minus space

[robertsm]

mandville,

I have implemented the htaccess file.

I have also been contacted by the software devs & I am working with them to sort this out. I will post an update here when I know more.

Thank you again.

[mandville]

please get the dev to follow the standard vel procedures. their listing has been unpublished from the jed

[joombah]

Hi,

Zaki here from JoomBah.com, may I get some more information how vulnerability is occuring. Any files that are uploaded are not runnable so if you can forward us any information on this I would greatly appreciate it.

[robertsm]

Zaki-
I just emailed you a link with additional information (the initial email notification from my host and the chat log for the support ticket that I opened after I was notified of the hack). Perhaps this will help.

Mandville: please let me know if you would like this information sent to you as well.

Matt

[joombah]

I can upload the jpg and doc file. But how is it that you were able to upload the php file. The upload feature in joombah jobs only allows certain extensions that are configured from the backend and this only happens if you allow the php file extension.

[robertsm]

My hosting provider has informed me that...

The extension of the file is .jpg, so the script couldn't be executed as a PHP file. However, with the right rewrite rules in the .htaccess file, .jpg files can be handled by the PHP interpreter, so having such a file in your account is not recommended.

Note: I use the stock Joomla .htaccess file and the recommended PHP settings.

I could be wrong, but it would appear that this is why the Joomla Media Manager checks MIME Types with mime_magic or fileinfo. From the Joomla Docs on Global Configuration and the Media Manager: http://docs.joomla.org/Global_configuration

Restrict Uploads. If set to “Yes” (the default and recommended setting) Joomla will restrict uploads to image file formats only. This restriction applies only to uploads by users with permission levels below Manager. The restriction only applies if the web server does not have installed either of the PHP modules Fileinfo or mime_magic. These modules are used to detect the type of a file independently of its name extension. They are used in Joomla – if available – to enhance site security by confirming that any uploads are not a file format that could be used for malicious purposes.

[joombah]

So even your host has recommended that you not use this rewrite rules that is able to handle jpg as if its a php file. JoomBah Jobs has no such file or .htaccess that can do this.

Again let us mentioned back that JoomBah Jobs has the upload feature that only allows certain extensions that are configured from the backend and the php file could only be uploaded if you allow the php file extension.

[robertsm]

First: Understand that I am not a security expert, nor am I a programmer.

Second, regarding this:

So even your host has recommended that you not use this rewrite rules that is able to handle jpg as if its a php file.

As previously mentioned, I am not implementing anything other than the standard joomla .htaccess file and the suggested Joomla server configurations.

At this point, it seems pointless for us to keep going on about this. I cannot with authority say that Joombah is or is not secure. You seem upset, rightfully so, and you seem to want to blame me for this. Again, that is understandable. Please note, however, that I have posted my FPAs & htaccess file above for everyone to scrutinize. Given this, unless you need me to provide additional information I won't be responding to these tit-for-tat postings. I'll let you sort this out with mandville.

[mandville]

Please screenshot your media upload settings page .
Did you say that a file.php.doc was uploaded and run? What were the full file names of the malicious uploads

[joombah]

Hi mandville,
attached is the upload configuration that is pre-configured in joombah jobs.

[robertsm]

Please screenshot your media upload settings page .
Did you say that a file.php.doc was uploaded and run? What were the full file names of the malicious uploads

What Zaki (Joombah) has posted is the same as my configuration, except that since the hack I have removed the ability to upload image files from the Job Seeker Resume/CV configuration. Prior to this hack I saw no reason to change these settings, let alone to allow PHP scripts to be uploaded.

Regarding the uploads, I should clarify something: My host did delete 2 files from my site that were found in the Joombah Resume/CV upload folder...
/home/WEBSITE/www/www/jobs/images/jbjobs/pf/wp mail.php
/home/WEBSITE/www/www/jobs/images/jbjobs/pf/p_259_1351908403.php

While reviewing my site (after the hack) I found an additional PHP file, masquerading as an image file:
/home/WEBSITE/www/www/jobs/images/jbjobs/pf/p_259_1351908388.jpg

mandville,
About 9 hours ago I sent Zaki a link to download the initial notification from my host and the subsequent tech support chat, that may have more information that you would be interested in. I can also send you a link for the fake image file. Please let me know if you would like me to PM you this information.

Matt

[mandville]

Please send relevant files and info to vel@joomla.org

[robertsm]

Please send relevant files and info to vel@joomla.org

I just sent additional information to you and Zaki (Joombah). I hope it helps to sort this out.
Thank you again.

[robertsm]

Question: globally speaking, if the Media Manager blocks PHP scripts that are disguised as image files (such as by changing the file extension), wouldn't it be best practice for 3rd party extensions to do the same the same MIME Type check?

[mandville]

wouldn't it be best practice for 3rd party extensions to do the same the same MIME Type check?

very logical

not sure why image files would be uploaded to a resume area.

[robertsm]

mandville - did you get the email from me regarding this issue, and if so is there any other information that I can provide?

[joombah]

Email that I have replied to vel@ joomla.org without the space

Whilst the fake image file was found on your server and in the location of a joombah jobs directory I am still unable to repeat your findings. Uploading a php file onto the resume upload section is not possible nor will it be run if the extension is renamed to an allowed extension. The link to the fake image, will only be downloaded by a user (in this case the employer) or if someone knows the link. The image produced will be a broken link for Chrome and Mozilla. For Internet Explorer we have found that it shows the php text file but does not run it.

To our disadvantage I cannot prove that your joombah jobs upload configuration was not modified beforehand to allow php due to whatever reason that may have cause to allow someone access to your joomla admin site.

Thank you for your detailed report and for your host report, but unless we can repeat this or at least be shown how the upload (php file) was able to be uploaded with the joombah jobs upload configuration allowable list which does not include a php extension, we cannot deemed this to be a bug.

To be clear, a php file cannot be uploaded due to the allowed settings as per shown in the attachment. Nor can a fake image or document file can be made runnable on the server (it will only be downloadable).

End email

[robertsm]

For those of you following this thread: The developer has acknowledged the vulnerability and is working on a patch/update.

[sitesrus]

That's good! It's tough with Joomla, extensions, etc. too many wheels in motion...there's only so much you can do with a server so it's up to developers to address security issues and stay ahead of the curve.

I do believe there's security extensions in Joomla aimed at providing some added layers of protection which is nice. I also do all I can on our end to screen out as much as possible to at least limit threats to humans. But again, bad php code the humans will get right in there!

[mandville]

[topic locked as under investigation]

[PhilD]

I understand locking the topic during investigation and to prevent unnecessary comments being posted during this time, but I feel the following issue has been ignored in the topic to this point and it is important enough to warrant an additional posting at this time.

An issue in this topic that I think has been ignored is the issue of the file permissions.

I have not seen where the OP has addressed the insecure 775 file permissions on the site(s). The existing permissions are practicality wide open to hackers. This may have been a side effect result (the hacker changed the permissions) of the reported insecurity that is being investigated. I suspect the permissions may have been set this way for some time. Regardless of how the permissions got this way, the permissions issue needs to be addressed properly or you will continue to have issues with the site. Incorrect file permissions may also skew any "tests" performed on the site providing incorrect results.

Giving execute permission to other is just about as good as being wide open (777) as it allows for execution of scripts placed within directories such as the one discussed.

Giving full (777) permissions to Group is just as bad if not worse.

Here is the number system in unix

r w x
4 2 1

This is what the OP site has for file permissions

775 = rwx rwx r-x
Owner has Read, Write and Execute
Group has Read, Write and Execute
Other has Read and Execute only

The permissions on files should be:

644 = rw- r-- r--
Owner has Read and Write
Group has Read only
Other has Read only

Permissions on directories should be:

755 = rwx r-x r-x
Owner has Read, Write and Execute
Group has Read and Execute only
Other has Read and Execute only

I of course would also recommend to the OP that the site be cleaned and repaired properly following the documentation posted here: viewtopic.php?f=621&t=582854

[robertsm]

An issue in this topic that I think has been ignored is the issue of the file permissions.

I have not seen where the OP has addressed the insecure 775 file permissions on the site(s). The existing permissions are practicality wide open to hackers. This may have been a side effect result (the hacker changed the permissions) of the reported insecurity that is being investigated. I suspect the permissions may have been set this way for some time. Regardless of how the permissions got this way, the permissions issue needs to be addressed properly or you will continue to have issues with the site. Incorrect file permissions may also skew any "tests" performed on the site providing incorrect results.

I of course would also recommend to the OP that the site be cleaned and repaired properly following the documentation posted here: viewtopic.php?f=621&t=582854

PhilD,
Thank you for this. Yes, this is an issue that needs to be addressed. When it first came up I thought it might be a Joombah installation issue, but I just installed a test/clean install of Joomla 2.5.8 with current release of Joombah. I then ran the FPA on this test install and I received no report of any elevated permissions. It would be exceedingly stupid of me to have set those permissions manually (there would be no reason to and I assure you I did not), so I'm left to assume that it is left over from the hacker.

Regarding the Security Checklist: I have gone over them, but obviously not addressed the file permissions. I did not change those items prior to running the FPA because I wanted to show as close as possible what the system environment was at the time of the hack (with the exception that I did upgrade Joomla ASAP after the event). Post-event I have also been working with my hosting tech support (ICDSoft) and they have been wonderful at assisting with the scanning & clean up.

Mea Culpa for the above. Those were my issues and not the developers.

Now to the meat & potatoes of the issue: Approximately 35 hours ago (9:30PM CST on Nov 16, 2012) the dev & I exchanged emails regarding this issue, on which vel@joomla.org was CC'd. Have you seen or reviewed those emails? They are relevant to this issue.

Thanks again for bringing the file permission issue to my attention.

[leolam]

I do disagree completely indeed so good you retracted the Joombah finger pointing. Class!. We have multiple sites with Joombah on our owned servers and that extension has not been hacked. (I have send this morning a PMB to Mandville btw related to another huge attack on all Joomla sites).

This described particular hack attempt we see on hourly basis to all servers and it is a very well known exploit (php.hide). We have mechanism in place that intercepts these attempts and quarantines these exploits before they even reach the server.

Simple fact is that if you have the frontdoor wide open and you go out for shopping do not be amazed that the house is empty upon return. Still though with a good hosting setup even with 755-permissions it would not have reached the server if your host would have proper security in place. Phil is 100% right here btw.

Leo