I have a question. I have two sites that were hacked over the weekend. One has been hacked twice in the last two weeks. The hosting company thinks they are getting in through one of the modules, XoopsGallery. If I install Protector, will this help with these hacks? Does it protect all modules or just the XOOPS core?
Thanks
David Harley
How can I tell which modules are vulnerable? The hosting company believes it was XoopsGallery that they hacked into.
I don't use the affected version of XoopsGallery, but here is a hack that catches the PoC. Add these lines just before the final "}" in TRUST PATH modules/protector/include/postcheck_functions.php:
// xoopsgallery protection hack
// Rejects the request when GALLERY_BASEDIR points at an http: or ftp: URL
if( isset($_GET['GALLERY_BASEDIR'])) {
    if((substr($_GET['GALLERY_BASEDIR'],0,5)=='http:') ||
       (substr($_GET['GALLERY_BASEDIR'],0,4)=='ftp:')) {
        die("xoopsgallery remote file include attack");
    }
}
Since xoopsgallery.org is offline, I have no way to check on the status or possibility of a proper fix, but maybe this will help you stay up long enough to find and implement a better solution.
Good luck,
-Richard
I read
http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=62321&forum=4&post_id=281125 and
http://packetstormsecurity.org/0801-exploits/xoopsgal-rfi.txt
Quote:
rgriff59 wrote:
Since xoopsgallery.org is offline, I have no way to check on the status or possibility of a proper fix, but maybe this will help you stay up long enough to find and implement a better solution.
No. It does not look like enough.
LFI still exists even with your patch.
You have to add some lines to mainfile.php instead of Protector, at least:
// Reject any request that tries to set GALLERY_BASEDIR at all
if( isset($_GET['GALLERY_BASEDIR'])) {
    die("xoopsgallery remote file include attack");
}
And I have to say: "stop using such an organically vulnerable module right now".
This warning will continue until all of the stupid code like "extract($_GET);" is eliminated from the module.
A news item on xoops.org:
http://www.xoops.org/modules/news/article.php?storyid=4093
Quote:
we advise you to upgrade to XoopsGallery 2.1+ or inactivate the module immediately until this issue is solved.
"Inactivate" sounds like nonsense.
This kind of RFI targets just a file.
Remove all the files from your server right after backing them up.
And I cannot find XoopsGallery 2.1+ at all.
Have they checked 2.1+ secure enough?
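The pattern the thread is arguing about, as an added, self-contained example that is not code from XoopsGallery, Protector or any of the posters: a function that uses `extract($_GET)` and then builds an include path from `GALLERY_BASEDIR`, the two filters proposed above applied to constructed inputs, and a hardened variant that never lets a request parameter reach the path. The function names, the sample inputs and the `page` parameter are assumptions made for illustration; the script only computes the path the module would include and never calls `include()` on it.

```php
<?php
// Added example (not the module's own code). Shows why extract($_GET) plus an
// include built from GALLERY_BASEDIR is an RFI/LFI, why a scheme-prefix check
// alone leaves the local-file case open, and what a safer version looks like.

/**
 * Vulnerable pattern (modelled on the thread's description, not copied from
 * the module): extract() turns every query parameter into a local variable,
 * so ?GALLERY_BASEDIR=... silently replaces the value the code set itself.
 * Returns the path that would be passed to include(); does not include it.
 */
function vulnerable_include_path(array $get): string
{
    $GALLERY_BASEDIR = __DIR__ . '/';   // the intended base directory
    extract($get);                       // attacker-controlled overwrite
    return $GALLERY_BASEDIR . 'init.php';
}

/** Filter 1 (Protector hook style): only http: and ftp: prefixes are blocked. */
function scheme_prefix_filter_blocks(array $get): bool
{
    if (!isset($get['GALLERY_BASEDIR'])) {
        return false;
    }
    $v = (string) $get['GALLERY_BASEDIR'];
    return substr($v, 0, 5) === 'http:' || substr($v, 0, 4) === 'ftp:';
}

/** Filter 2 (mainfile.php style): any request that sets the parameter is rejected. */
function reject_param_filter_blocks(array $get): bool
{
    return isset($get['GALLERY_BASEDIR']);
}

/**
 * Hardened pattern: no extract(), the base directory is a constant the
 * request cannot touch, and the only parameter read is one the code expects,
 * validated with filter_var (hypothetical 'page' parameter).
 */
function hardened_include_path(array $get): string
{
    $basedir = __DIR__ . '/';
    $page = filter_var($get['page'] ?? 1, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($page === false) {
        $page = 1;                       // fall back instead of trusting input
    }
    // $page is now a validated integer; it is never spliced into the path.
    return $basedir . 'init.php';
}

/** Runs the constructed sample requests through every variant. */
function run_samples(): array
{
    // Constructed inputs: a remote URL, a traversal path, an uppercase scheme, a benign request.
    $samples = [
        'remote'    => ['GALLERY_BASEDIR' => 'http://attacker.example/x/'],
        'traversal' => ['GALLERY_BASEDIR' => '../../../../../../etc/'],
        'uppercase' => ['GALLERY_BASEDIR' => 'HTTP://attacker.example/x/'],
        'benign'    => ['page' => '2'],
    ];
    $out = [];
    foreach ($samples as $name => $get) {
        $out[$name] = [
            'vulnerable_path' => vulnerable_include_path($get),
            'prefix_filter'   => scheme_prefix_filter_blocks($get),
            'reject_filter'   => reject_param_filter_blocks($get),
            'hardened_path'   => hardened_include_path($get),
        ];
    }
    return $out;
}

foreach (run_samples() as $name => $r) {
    printf("%-9s vulnerable includes: %s\n", $name, $r['vulnerable_path']);
    printf("          prefix filter blocks: %s, reject filter blocks: %s\n",
        $r['prefix_filter'] ? 'yes' : 'no', $r['reject_filter'] ? 'yes' : 'no');
    printf("          hardened includes:   %s\n", $r['hardened_path']);
}
```

Running it shows the point of the exchange: the `traversal` request passes the scheme-prefix filter and still lands in `vulnerable_include_path`, so only the reject-the-parameter filter stops it; the uppercase scheme also slips past the prefix check because `substr` comparison is case-sensitive. The hardened variant returns the same path for every request because nothing the client sends can reach it, which is the "eliminate extract($_GET)" fix rather than a filter in front of it.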