PEAK XOOPS - XoopsGallery vulnerability

XoopsGallery vulnerability


Re: Protector

msg# 1
Posted on 2008/1/8 4:39
dharley   Posts: 2
I have a question. I have 2 sites that have been hacked over the weekend. 1 has been hacked twice in the last 2 weeks. The hosting company thinks they are getting in thru one of the modules XoopsGallery. If I install the Protector will this help with these hacks? Does it protect all modules or just Xoops Core?

Thanks

David Harley
Votes:14 Average:5.00

Re: Protector

msg# 1.1
Posted on 2008/1/8 4:59
GIJOE   Posts: 4110
Protector cannot cover all vulnerabilities of modules/cores.

The best way must be to stop using the vulnerable module.
Regrettably, there are too many vulnerable modules on xoops.org.

And don't forget to remove all files from your site before reinstalling XOOPS.
Such hackers often plant back-doors in hacked sites.
Votes:19 Average:4.21

Re: Re: Protector

msg# 1.1.1
Posted on 2008/1/8 9:22
dharley   Posts: 2
How can I tell which modules are vulnerable? The hosting company believes it was XoopsGallery that they hacked into.
Votes:18 Average:4.44
Posted on 2008/1/9 13:05
rgriff59   Posts: 1
I don't use the affected version of xoopsgallery, but here is a hack that catches the POC. Add these lines just before the final "}" in TRUST PATH modules/protector/include/postcheck_functions.php

// xoopsgallery protection hack
if( isset($_GET['GALLERY_BASEDIR'])) {
  if((substr($_GET['GALLERY_BASEDIR'],0,5)=='http:') || 
    (substr($_GET['GALLERY_BASEDIR'],0,4)=='ftp:')) {
       die("xoopsgallery remote file include attack");
  }
}

Since xoopsgallery.org is offline, I have no way to check on the status or possibility of a proper fix, but maybe this will help you stay up long enough to find and implement a better solution.

Good luck,
-Richard
Votes:20 Average:5.50
Posted on 2008/1/9 17:26
GIJOE   Posts: 4110
I read
http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=62321&forum=4&post_id=281125
and
http://packetstormsecurity.org/0801-exploits/xoopsgal-rfi.txt

Quote:

rgriff59 wrote:
Since xoopsgallery.org is offline, I have no way to check on the status or possibility of a proper fix, but maybe this will help you stay up long enough to find and implement a better solution.
No. It does not look like enough.
LFI still exists even with your patch.
You have to add some lines into mainfile.php instead of Protector, at least.
if( isset($_GET['GALLERY_BASEDIR'])) {
       die("xoopsgallery remote file include attack");
}

And I have to say "stop using such an organically vulnerable module right now".
This warning will continue until all of the stupid code like "extract($_GET);" is eliminated from the module.
Votes:17 Average:4.12
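
Added example, not part of any post in this thread and not code from Protector or XoopsGallery: it runs rgriff59's prefix check and GIJOE's mainfile.php check over the same constructed requests, and shows what the "extract($_GET);" pattern does to a local variable. The function names, the base path and the request values are assumptions made for the illustration.

```php
<?php
// Added example: function names, paths and request values are constructed.

// rgriff59's check: blocks only values starting with "http:" or "ftp:".
function prefix_check_allows(array $get): bool
{
    if (isset($get['GALLERY_BASEDIR'])) {
        $v = $get['GALLERY_BASEDIR'];
        if (substr($v, 0, 5) == 'http:' || substr($v, 0, 4) == 'ftp:') {
            return false;
        }
    }
    return true;
}

// GIJOE's mainfile.php check: blocks every request that supplies the parameter.
function presence_check_allows(array $get): bool
{
    return !isset($get['GALLERY_BASEDIR']);
}

// The pattern GIJOE names: extract() lets request keys overwrite local variables.
function basedir_after_extract(array $get): string
{
    $GALLERY_BASEDIR = '/srv/www/modules/xoopsgallery/'; // constructed path
    extract($get);
    return $GALLERY_BASEDIR; // later used to build include paths
}

// Constructed requests standing in for $_GET.
$samples = [
    'no parameter' => [],
    'http URL'     => ['GALLERY_BASEDIR' => 'http://example.invalid/'],
    'ftp URL'      => ['GALLERY_BASEDIR' => 'ftp://example.invalid/'],
    'local path'   => ['GALLERY_BASEDIR' => '/tmp/'],
];

foreach ($samples as $label => $get) {
    $prefixOk = prefix_check_allows($get);
    printf(
        "%-12s prefix check: %-7s presence check: %-7s basedir: %s\n",
        $label,
        $prefixOk ? 'allowed' : 'blocked',
        presence_check_allows($get) ? 'allowed' : 'blocked',
        $prefixOk ? basedir_after_extract($get) : '(request died)'
    );
}
```

The "local path" row is the case GIJOE describes: the prefix check lets it through and the request value replaces the module's own base directory, while the presence check stops it.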
Posted on 2008/1/12 5:03
GIJOE   Posts: 4110
A news item on xoops.org
http://www.xoops.org/modules/news/article.php?storyid=4093

Quote:
we advise you to upgrade to XoopsGallery 2.1+ or inactivate the module immediately until this issue is solved.

"Inactivate" sounds like nonsense.

This kind of RFI targets just a file.
Remove all files from your server just after backing it up.

And I cannot find XoopsGallery 2.1+ at all.
Have they checked that 2.1+ is secure enough?
Votes:14 Average:5.00
