JP Vossen on 28 Apr 2009 12:22:22 -0700
> Date: Tue, 28 Apr 2009 07:39:13 +0200
> From: sean finney <seanius@seanius.net>
> On Mon, Apr 27, 2009 at 06:54:23PM -0400, Michael Lazin wrote:
>> trator/index2.php HTTP/1.1" 200 142884 www.xxx.com
>> "http://www.xxx.com/administrator/index2.php?
>> option=com_content&sectionid=0&mosmsg=1%20\xe6\x9d\xa1 [...]
> while initially kinda scary, this doesn't look like shell
> code/exploit. try this:
> printf '1 \xe6\x9d\xa1\xe7\x9b\xae [...] \xe6\xb4\xbb' > foo.txt
> (%20 == space which i manually replaced)
>
> cat foo.txt:
> 1 ?????????: ????, ??: ?????
>
> (for those without proper utf8 support, that's a blob of chinese
> text).
> asking google to translate:
> 1 entry successfully copied to the unit: All articles, Category:
> Canada Life

Humm, is it possible that Michael's customer is now hosting a phishing site, or part of one? I've seen that happen on Joomla.

Take a look through the web server logs and see if you find result code '200' for unexpected stuff. If you are not using SEO/"friendly" URLs it might be hard to define "unexpected" though. Depending on site size you might want to just crawl/mirror the entire site and then grep the resulting flat files.

Also take a look through the Joomla directories (esp. image/upload ones) and see if you can find bogus files.

I've been extremely disappointed with the lack of security in Joomla, and would not personally use it. But I'm not sure what else is better; all of those CMS' seem rife with holes, and very tedious to keep up-to-date.

For next time, take a look at the 'fcheck' package in the Debian/Ubuntu repos. It's too late now, but installing that on a known good install (before connecting to the 'Net) is useful. It wouldn't cover Joomla out of the box, but adding coverage is trivial. (Note there are other tools that are arguably better or more secure; I like fcheck because it's so simple to install and use that I will actually install and use it, unlike, say, tripwire.)

It won't help with SQL injection, but if configured right it will tell you when any important "system" files change. So you get a giant report after an 'aptitude update', which is a useful sanity/change control check.

Good luck,
JP

----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
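Two of the steps discussed in this thread (Sean's decoding of the `\xe6\x9d\xa1...` bytes from the access log, and JP's suggestion to hunt for '200' results on unexpected URLs) can be done in one pass over the log. The following Python script is an added example written for this page, not code from the thread or from Joomla. The log lines, IP addresses, vhost and the `paypa1` path are constructed; the entry-point and static-directory lists are assumptions about a stock Joomla layout and should be adjusted to the site being checked.

```python
"""Decode Apache-escaped request strings and flag 200 responses to paths
that fall outside an expected allowlist.

Added example for the PLUG thread above; not part of the original post.
Log lines below are constructed.
"""
import re
from urllib.parse import unquote_to_bytes, urlsplit, parse_qs

# Constructed sample in Apache "combined" format with a trailing vhost field.
# Apache writes non-printable bytes in the request as \xHH, so the raw UTF-8
# bytes of the Chinese message appear exactly as they did in the thread.
SAMPLE_LOG = r'''
203.0.113.7 - - [27/Apr/2009:18:40:01 -0400] "GET /administrator/index2.php?option=com_content&sectionid=0&mosmsg=1%20\xe6\x9d\xa1\xe7\x9b\xae HTTP/1.1" 200 142884 "http://www.xxx.com/administrator/index2.php" "Mozilla/5.0" www.xxx.com
203.0.113.7 - - [27/Apr/2009:18:40:03 -0400] "GET /images/stories/paypa1/login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" www.xxx.com
198.51.100.9 - - [27/Apr/2009:18:41:10 -0400] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9001 "-" "Mozilla/5.0" www.xxx.com
198.51.100.9 - - [27/Apr/2009:18:41:12 -0400] "GET /wp-login.php HTTP/1.1" 404 211 "-" "Mozilla/5.0" www.xxx.com
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed allowlist for a stock Joomla 1.x install: real entry points, plus
# static assets under directories that should never serve HTML or PHP.
ENTRY_POINTS = {'/index.php', '/index2.php',
                '/administrator/index.php', '/administrator/index2.php'}
STATIC_DIRS = ('/images/', '/media/', '/templates/', '/components/', '/modules/')
STATIC_EXT = ('.jpg', '.jpeg', '.png', '.gif', '.css', '.js', '.ico')


def unescape_request(target):
    """Undo Apache's \\xHH escaping, then percent-decoding; returns raw bytes."""
    # Each \xHH becomes the Latin-1 char with that code point, so that a
    # Latin-1 encode afterwards yields the original byte verbatim.
    unescaped = re.sub(r'\\x([0-9a-fA-F]{2})',
                       lambda m: chr(int(m.group(1), 16)), target)
    return unquote_to_bytes(unescaped.encode('latin-1'))


def decode_request(target):
    """Return (path, query params, utf8_ok) for one logged request target."""
    raw = unescape_request(target)
    try:
        text, ok = raw.decode('utf-8'), True
    except UnicodeDecodeError:
        # Not valid UTF-8: keep a readable version but report it, since
        # genuine shellcode or binary junk will usually fail here.
        text, ok = raw.decode('utf-8', 'replace'), False
    parts = urlsplit(text)
    return parts.path, parse_qs(parts.query, keep_blank_values=True), ok


def is_expected(path):
    """True if a 200 for this path is unsurprising on a stock install."""
    if path in ENTRY_POINTS:
        return True
    return path.startswith(STATIC_DIRS) and path.lower().endswith(STATIC_EXT)


def find_unexpected_200(log_text):
    """Yield (ip, path) for successful requests outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group('status') != '200':
            continue
        path, _params, _ok = decode_request(m.group('target'))
        if not is_expected(path):
            hits.append((m.group('ip'), path))
    return hits


if __name__ == '__main__':
    path, params, ok = decode_request(
        '/administrator/index2.php?option=com_content&mosmsg=1%20\\xe6\\x9d\\xa1\\xe7\\x9b\\xae')
    print('decoded mosmsg:', params['mosmsg'][0], '(valid UTF-8)' if ok else '(NOT valid UTF-8)')
    for ip, p in find_unexpected_200(SAMPLE_LOG):
        print('unexpected 200 from', ip, '->', p)
```

The allowlist deliberately does not trust a directory prefix on its own: an `images/` directory is exactly where a dropped phishing page tends to live, so only static extensions are accepted there and any `.html` or `.php` under it is reported. Run it against a real log with `find_unexpected_200(open('access.log').read())` after tuning `ENTRY_POINTS` and `STATIC_DIRS` to the site's actual layout.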
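JP's last point, a file-integrity baseline taken on a known-good install and compared after the fact, is what fcheck and tripwire do. The script below is an added example written for this page, not fcheck's own code or format; it shows the mechanism in the smallest useful form: walk a tree, record a SHA-256, size and mode per file, store the baseline as JSON somewhere off the box, and diff a fresh walk against it. The temporary "site" it builds in `demo()` is constructed.

```python
"""Minimal file-integrity baseline and comparison in the spirit of fcheck.

Added example for the PLUG thread above; not fcheck's code. The sample
tree created in demo() is constructed.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative POSIX path) to its identifying facts."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()                   # lstat: do not follow symlinks
            rel = p.relative_to(root).as_posix()
            if stat.S_ISLNK(st.st_mode):
                # A symlink is recorded by its target, not the target's content;
                # swapping where a link points is itself a change worth seeing.
                baseline[rel] = {'type': 'symlink', 'target': os.readlink(p)}
            else:
                baseline[rel] = {'type': 'file',
                                 'sha256': file_digest(p),
                                 'size': st.st_size,
                                 'mode': stat.S_IMODE(st.st_mode)}
    return baseline


def compare(old, new):
    """Report paths added, removed, or whose recorded facts differ."""
    old_keys, new_keys = set(old), set(new)
    return {
        'added': sorted(new_keys - old_keys),
        'removed': sorted(old_keys - new_keys),
        'changed': sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def demo():
    """Build a constructed site, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / 'configuration.php').write_text('<?php $secret = "original"; ?>')
        (site / 'images' / 'stories').mkdir(parents=True)
        (site / 'images' / 'stories' / 'logo.png').write_bytes(b'\x89PNG constructed')

        baseline = build_baseline(site)
        # Round-trip through JSON: in practice this file is written to
        # read-only or off-host storage so an intruder cannot rewrite it.
        stored = json.loads(json.dumps(baseline))

        # Simulated compromise: one config file edited, one page dropped
        # into an upload directory.
        (site / 'configuration.php').write_text('<?php $secret = "changed"; ?>')
        (site / 'images' / 'stories' / 'login.html').write_text('<html>constructed</html>')

        return compare(stored, build_baseline(site))


if __name__ == '__main__':
    print(json.dumps(demo(), indent=2))
```

Recording mode bits alongside the hash means a `chmod` that makes an upload directory writable by the web server shows up even when no content changed; recording symlinks by target rather than content catches a link being repointed. As JP notes, the report after a legitimate package update is large, so the baseline has to be re-taken immediately after each known-good change or the noise will bury the one entry that matters.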