Old 2006-05-16, 12:37 PM   #1
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Security Advisories for multiple products

Recently, we've seen a huge number of exploits running through commonly installed software -- software that usually has already released a fix. However, you may not have even known that there was an upgrade.

If you are running any of the following software, take a few minutes to check and see that you are running the latest version.

Vbulletin, 3.5.4 (or, have applied the diffs to upgrade the two .php files that are exploitable)

PHPBB, 2.0.20 -- mostly bug fixes in the recent version. 2.0.19 released in December fixed an authentication leak. 2.0.18 was released in October 2005 which fixed a hole allowing remote scripts to be installed.

Invision Power Board - 2.15 - SQL Injection, Remote script execution, ability to upload images with malicious html/javascript code.

Autolinks -- ages ago, this had an issue with al_initialize.php being able to be used to launch attacks. This has been fixed, but, should be upgraded to the latest version.

phpmyadmin -- 2.8.0.4 is the most recent version and fixes a few issues allowing remote code execution.

phpadsnew -- 2.0.8, earlier versions allow remote code execution through adxmlrpc.php. Upgrading is rather straightforward. Make a backup of config.inc.php, upload the files, chmod 777 config.inc.php, log in, it'll run the upgrade automatically, chmod 644 config.inc.php. Even 2.0.7 released in March is able to be compromised.

wordpress -- if you are not running 2.0.3, there is a remote code exploit. The wordpress upgrade is pretty simple and straightforward.

awstats -- 6.6, 6.5 has an entry point that could allow remote code execution.

sitedepth -- ask them for an updated copy of constants.php. Special thanks to three people for forwarding that info -- if you want attribution, let me know and I'll modify the entry here.

--- Forwarded from 'someone'
I-RATER -- They emailed out a new "common.php" on April 26th. With spam filters and the php file being an attachment, it may not have made it to a lot of people.


The email body:

"We have been made aware of a security vulnerability in ALL versions of
I-RATER PLATINUM allowing a remote user to exploit the common.php
"include_path" Parameter Remote File Inclusion.

Users should replace the attached common.php file immediately.
Many thanks
I-RATER DEV TEAM
________________________________________

phpBazar version 2.10 -- if you are running an older version there are numerous holes that allow remote code execution.

If you are using mailform software, verify that you are running the newest version. In recent months, scripts have been scanning machines for vulnerable mailform scripts. If you're seeing a lot of email from submission forms, you might want to take a look as you might be relaying spam unknowingly.

If your webhost runs apache without running setuid, have them run the following check on your web directories:

find . -name \*.php -user www-data -print > /tmp/webownedphp

replace www-data with the username that the webserver runs as. If you admin your own machine, try:

ps aux | grep http
or
ps aux | grep apache

in the first column, there should be a listing of usernames, perhaps nobody, or www or www-data.

Once you have done that, run more /tmp/webownedphp, then take a look to make sure those scripts look valid. If you see an ascii picture of a spider or a lot of cyrillic characters that you don't recognize, it's probably a remote shell program. With that, they can get in and run remote scripts as the web user. Those scripts can attach to irc servers and launch denial of service attacks, they can launch spam engines, or, all sorts of other nasty things.

Another attack that we have recently seen is the inclusion of javascript on web pages. Some of these are scripts that are loaded that run remotely and try to change every file they can, while others actually log in with FTP, grab a file, modify it, put the file back in place and log out. There's no hunting around for the right file, no authentication errors, nothing that suggests that they don't have the exact username/password that you use.

What this says is either the person has used spyware or a keylogger to get the user/password, or, each of the people this has happened to has used the same user/password combination somewhere -- and the people were able to determine the connection of the user/password with the domain involved.

Tommy keeps an address book with each sponsor's site name and the unique user/pass for each of those sites tucked away. A different username/password combination is used for email, ftp, each server, each sponsor account, each online login that you have. Cleo uses a program on her mac that stores it away electronically behind a password.

Either way you do it, you need to make sure that you use different username/password combinations everywhere so that a single compromised password doesn't ruin everything you've worked towards. And passwords need to be strong. Easy-to-guess dictionary words are terrible. Letters, numbers, and punctuation (some sponsor programs don't allow this) all make it more difficult to guess. If you have trouble remembering passwords, refer to that black book. However, as one client of mine found out, after a nasty divorce, his house was broken into when he was out of town and his black book was stolen. Nothing else in the house was touched. Guard that book well as it is just as valuable as storing the passwords online.

Remember, if your site is hacked, that could directly affect your revenue and in some cases, jeopardize your site staying up. Many hosting companies will shut down a server that generates complaints -- making it impossible for you to fix remotely.
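The web-owned-PHP check described in the post, as an added example that is not part of the original post: a small POSIX shell helper that lists the .php files owned by the account the web server runs as (the `find ... -user` step above) and flags the ones carrying the markers cd34 mentions, non-ASCII banners and obfuscated eval() blobs. The function names, the directory and user arguments, and the exact marker patterns are my own assumptions; the web server user still has to be looked up with ps as described above.

```shell
#!/bin/sh
# Added example (not from the original post). Automates the "which PHP files
# does the web server own, and do they look like a dropped shell" check.
# Function names, arguments and marker patterns are assumptions for this demo.

# find_web_owned_php DIR USER
#   Print every .php file under DIR owned by USER (www-data, apache, nobody,
#   or whatever the first column of "ps aux | grep apache" shows). Files the
#   web server itself can write are the ones a remote script exploit leaves.
find_web_owned_php() {
  find "$1" -type f -name '*.php' -user "$2" -print
}

# looks_suspicious FILE
#   Return 0 when FILE carries a common web-shell marker:
#     - bytes outside printable ASCII (cyrillic banners, ascii-art headers
#       with box-drawing characters, packed payloads)
#     - eval() fed straight from base64_decode / gzinflate / str_rot13
#     - system/passthru/shell_exec/exec called on raw request data
#   Return 1 otherwise. Heuristic only: review anything it flags by hand.
looks_suspicious() {
  f=$1
  # In the C locale [:print:] is ASCII 0x20-0x7E, so any high byte matches.
  LC_ALL=C grep -q '[^[:print:][:space:]]' "$f" && return 0
  grep -Eqi 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' "$f" && return 0
  grep -Eqi '(system|passthru|shell_exec|exec)[[:space:]]*\([^)]*\$_(GET|POST|REQUEST|COOKIE)' "$f" && return 0
  return 1
}

# report_web_owned_php DIR USER
#   Print one line per web-owned PHP file, "SUSPECT <file>" or "ok <file>".
report_web_owned_php() {
  find_web_owned_php "$1" "$2" | while IFS= read -r f; do
    if looks_suspicious "$f"; then
      printf 'SUSPECT %s\n' "$f"
    else
      printf 'ok %s\n' "$f"
    fi
  done
}

# count_suspects DIR USER
#   Print the number of web-owned PHP files that looks_suspicious flagged.
count_suspects() {
  report_web_owned_php "$1" "$2" | grep -c '^SUSPECT '
}

# Usage (assumed paths): report_web_owned_php /var/www www-data
```

The non-ASCII test is deliberately run under LC_ALL=C so that a UTF-8 locale does not make cyrillic text count as printable; expect some false positives on legitimately localized sites, which is why the output is a list to review rather than something to delete automatically.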