JP Vossen on 28 Apr 2009 12:22:22 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] slightly off topic, joomla fireboard sql injection vulnerability?


 > Date: Tue, 28 Apr 2009 07:39:13 +0200
 > From: sean finney <seanius@seanius.net
 >

On Mon, Apr 27, 2009 at 06:54:23PM -0400, Michael Lazin wrote:
 >> trator/index2.php HTTP/1.1" 200 142884 www.xxx.com
 >> "http://www.xxx.com/administrator/index2.php?
 >> option=com_content&sectionid=0&mosmsg=1%20\xe6\x9d\xa1 [...]

 > while initially kinda scary, this doesn't look like shell
 > code/exploit.  try this:

 > printf '1 \xe6\x9d\xa1\xe7\x9b\xae [...] \xe6\xb4\xbb' > foo.txt
 > (%20 == space which i manually replaced)
 >
 > cat foo.txt:
 > 1 ?????????: ????, ??: ?????
 >
 > (for those without proper utf8 support, that's a blob of chinese
 > text).
 > asking google to translate:
 > 1 entry successfully copied to the unit: All articles, Category:
 > Canada Life

Humm, is it possible that Michael's customer is now hosting a phishing 
site, or part of one?  I've seen that happen on Joomla.

Take a look through the web server logs and see if you find result code 
'200' for unexpected stuff.  If you are not using SEO/"friendly" it 
might be hard to define "unexpected" though.  Depending on site size you 
might want to just crawl/mirror the entire site and then grep the 
resulting flat files.  Also take a look through the Joomla directories 
(esp. image/upload ones) and see if you can find bogus files.

I've been extremely disappointed with the lack of security in Joomla, 
and would not personally use it.  But I'm not sure what else is better, 
all of those CMS' seem rife with holes, and very tedious to keep up-to-date.

For next time, take a look at the 'fcheck' package in the Debian/Ubuntu 
repos.  It's too late now, but installing that on a known good install 
(before connecting to the 'Net) is useful.  It wouldn't cover Joomla out 
of the box, but adding coverage is trivial.  (Note there are other tools 
that are arguably better or more secure, I like fcheck because it's so 
simple to install and use that I will actually install and use it, 
unlike, say, tripwire.)  It won't help with SQL injection, but if 
configured right will tell you when any important "system" files change. 
  So you get a giant report after an 'aptitude update', which is a 
useful sanity/change control check.

Good luck,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug