
Thread: Story.php exploit?

  1. #1
    Administrator Smoge's Avatar
    Join Date
    Mar 2005
    Posts
    6,634
    Blog Entries
    5

    Default Story.php exploit?

    I received this in my MSN chat... (slightly edited)

    [03:00] mmsuser: hi rob
    [03:01] mmsuser: there might be a possible exploit in story.php
    [03:05] mmsuser: have you heard of anything
    [03:05] mmsuser: bye for now
    [03:05] *** "mmsuser" signed off at Fri Jun 09 03:05:06 2006.
    [08:52] modmysite: hi -
    [08:52] modmysite: do you have any specifics?
    [08:53] modmysite: perhaps an apache log entry?

    Smoge
    ModMySite Administrator

    Problems? Questions? Need modifications or other help with your site?

    Open A Ticket , Send Us An Email Or Give Us A Telephone Call +1 518-632-4152.

  2. #2
    ijk
    ijk is offline

    Join Date
    Apr 2005
    Posts
    340

    Default story.php

    The vulnerability allows the user to send an email from your server. So it will appear that the email, even though not sent by you, came from your server.

    Do not have any apache logs as they rotate every 24 hours and I picked it up later.

    I run postfix and have since upgraded it to the latest version.

    I picked it up when I looked at the mail headers


    X-Apparently-To: Mysite@yahoo.com via xxx.xx.xx.xx; Wed, 31 May 2006 19:00:20 +0000
    X-YahooFilteredBulk: My ip address
    X-Originating-IP: [my ip address]
    Return-Path: <websrv@myserver.com>
    Authentication-Results: mta110.mail.ukl.yahoo.com from=HOTMAIL.COM; domainkeys=neutral (no sig)


    Please note I use a Yahoo email for my site email correspondence.

    So you can see above the originating ip is my server ip address even though the email was sent by somebody else.

    The offending ip address = 87.251.136.134


    Looking into how the php code was exploited in story.php but any help would be great.
    Last edited by ijk; 06-09-2006 at 07:00 AM.
    AE Version 4.0 IQ

  3. #3
    Administrator Smoge's Avatar
    Join Date
    Mar 2005
    Posts
    6,634
    Blog Entries
    5

    Default

    What aedating version?

    Your sig says "AE Version 4.0 IQ", but v4.1 is IQ.

    So I am not sure if you had this in v4.0 or v4.1?

    Please clarify.

    Thanks,

    Rob
    ModMySite Administrator


  4. #4
    Administrator Smoge's Avatar
    Join Date
    Mar 2005
    Posts
    6,634
    Blog Entries
    5

    Default

    Quick look at v4.0.2 story.php - if it was me, I would add to all the functions that don't have it, like

    function MemberAddStory()
    function MemberEditStory()

    below the globals

    $member[ID] = (int)$member[ID];

    Not sure if this is it or not, without more information.

    Smoge
    ModMySite Administrator


  5. #5
    ijk
    ijk is offline

    Join Date
    Apr 2005
    Posts
    340

    Default version

    It is version 4.0 because I thought IQ came out with version 4.
    Also story.php in both version 4.0 and version 4.1, running ULTRACOMPARE on it, are both identical.
    Last edited by ijk; 06-09-2006 at 07:28 PM.
    AE Version 4.0 IQ

  6. #6
    Administrator Smoge's Avatar
    Join Date
    Mar 2005
    Posts
    6,634
    Blog Entries
    5

    Default

    Quote Originally Posted by ijk
    it is version 4.0 because I thought IQ came out with version 4.
    Also story.php in both version 4.0 and version 4.1, running ULTRACOMPARE on it, are both identical.

    It would be really helpful if the PATCH number was included. By telling me you are running v4.0 or v4.1 - it really does not give enough information. The patch number is critical.

    Now, without you (and others) giving this information - I have to guess. And I usually guess latest patch (but it's a guess, so it could be wrong). I have no way of knowing the version and patch you are running unless you put it in your post or signature.

    So, looking at the latest patch of v4.0(.2) and v4.1(.4), story.php is not identical.

    v4.0.2 has 309 lines, while v4.1.4 has 295 lines.

    Changes in the functions too!

    Giving the patch number really helps - saves time and hassle.

    Anyways - my initial suggestion, with the lack of more data (like an apache log, which is normally available for more than 24 hours, as it gets archived by the system), stands, with the

    Code:
    $member[ID] = (int)$member[ID];
    addition. It may need more - but a log entry would be the fastest way to discover IF, and what, is being exploited, in this script.

    Smoge
    ModMySite Administrator


  7. #7
    ijk
    ijk is offline

    Join Date
    Apr 2005
    Posts
    340

    Default hi

    Well, trying my best to get the logs but have set them to rotate every 24 hours so I think they have been deleted.

    The story.php I use is identical to the story.php in 4.1004
    AE Version 4.0 IQ

  8. #8
    ijk
    ijk is offline

    Join Date
    Apr 2005
    Posts
    340

    Default exploit

    The above fix suggested does not prevent the exploit, as it took place after I had applied the above code. Again forgot to check or save the logs as have been very busy. But I think the person is going to do it again so will be waiting.
    AE Version 4.0 IQ

  9. #9
    Administrator Smoge's Avatar
    Join Date
    Mar 2005
    Posts
    6,634
    Blog Entries
    5

    Default

    Hi,

    Usually when logs rotate - they will be .gz'd - in the format:

    access_log.1.gz, access_log.2.gz, and so on and error_log.1.gz, error_log.2.gz, and so on.

    They usually stick around for a month or so (default config, on a normally busy site).

    Depending on your apache setup - they may be in a couple locations. /var/log/httpd or in your /home directory for the site.

    SSH in, and try a "locate access_log.1.gz" and see if you get any hits. You may need to update your locate database with "locate -u".

    Smoge

    Smoge
    ModMySite Administrator

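The log search described in post #9, as an added example that is not part of the original thread: it reads the current and rotated (.gz) access logs and counts requests to story.php per client IP and method. It assumes Apache combined log format and files named access_log*; the function names and sample log lines are constructed for illustration.

```shell
# Added example: summarise who requested story.php across current and
# rotated Apache access logs (plain or gzip-compressed).
# Usage: scan_story_hits LOG_DIR [SCRIPT_NAME]   -> lines of "count ip method"
scan_story_hits() {
    dir=$1; script=${2:-story.php}
    for f in "$dir"/access_log*; do
        [ -f "$f" ] || continue
        case $f in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done | awk -v s="/$script" '
        # Combined log format: $1 = client IP, $6 = quoted method, $7 = request path
        {
            path = $7; sub(/\?.*/, "", path)          # drop the query string
            n = length(path) - length(s) + 1
            if (n >= 1 && substr(path, n) == s) {      # path ends in /story.php
                m = $6; sub(/^"/, "", m)
                hits[$1 " " m]++
            }
        }
        END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2,2
}

# Constructed sample logs (documentation IP ranges, not data from the thread).
make_sample_logs() {
    d=$(mktemp -d) || return 1
    cat > "$d/access_log" <<'EOF'
198.51.100.7 - - [09/Jun/2006:08:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Jun/2006:08:11:44 +0000] "POST /story.php HTTP/1.1" 200 812 "-" "-"
EOF
    cat > "$d/access_log.1" <<'EOF'
203.0.113.9 - - [08/Jun/2006:02:58:10 +0000] "POST /story.php HTTP/1.1" 200 812 "-" "-"
203.0.113.9 - - [08/Jun/2006:02:58:12 +0000] "POST /story.php HTTP/1.1" 200 812 "-" "-"
203.0.113.9 - - [08/Jun/2006:02:58:15 +0000] "POST /story.php HTTP/1.1" 200 812 "-" "-"
198.51.100.7 - - [08/Jun/2006:14:20:33 +0000] "GET /story.php?action=view HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF
    gzip "$d/access_log.1"      # mimic a rotated, compressed log
    echo "$d"
}

sample=$(make_sample_logs)
scan_story_hits "$sample"
rm -rf "$sample"
```

On a real server, point the function at the log directory (for example /var/log/httpd) and compare the top client IPs and timestamps against the mail headers.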

  10. #10
    ijk
    ijk is offline

    Join Date
    Apr 2005
    Posts
    340

    Default definite exploit

    This is a definite exploit.
    I have deleted the story.php file from my site as was not using it anyway.
    AE Version 4.0 IQ
