Search
Membership
Login:
Membership:
- New Today: 0
- New Yesterday: 0
- Overall: 3242
- Latest: GoodNews
Birthdays:
RomanasRJS
People Online:
- Guests: 279
- Total: 279
ATTENTION: security fix available Topics http://www.openphpnuke.com/system/article/index.php?opnparams=CntdOAI3CmdWPlU0
Unfortunatly some opn-sites has been attacked by a very special exploit. We (the dev team) has been informed by that about 10:30 april 30. After an analysis and first hotfixes the cause is as followed (15:00 april 30):
In your php.ini settings please look for the settings of:
First off:we recommend to enable "Encode the URL-Parameters" in administration-> settings -> security settings
security-fix:
A fixed version of the file "master.php" ist available in trunk and branch. If you do not use subversion there is also a zip file file with the updated master.php available for download:security fix - download
An updated opn package (2.3.5) will be published shortly containing all necessary security fixes. We strongly recommend to update as soon as possible.
At this time we do not have any reports that say the database has been corrupted. It is a direct defacement attack. A successful defacment involves additional files has been uploaded to your webspaces for future attacks of your sites. So a drastic cleanup of your system is needed.
scenario 1: up-to-date backup is available
scenario 2: no backup is available
Do not forget to check the "cgi-bin" directory (which in most cases is outside the html directory) for additional files placed by the hack.
Our recommendation:
- a special weak combination of php settings and opn settings is needed for a successful attack
- not all opn sites are concerned by that exploit
In your php.ini settings please look for the settings of:
- register_globals
- allow_url_fopen
First off:we recommend to enable "Encode the URL-Parameters" in administration-> settings -> security settings
security-fix:
A fixed version of the file "master.php" ist available in trunk and branch. If you do not use subversion there is also a zip file file with the updated master.php available for download:security fix - download
An updated opn package (2.3.5) will be published shortly containing all necessary security fixes. We strongly recommend to update as soon as possible.
At this time we do not have any reports that say the database has been corrupted. It is a direct defacement attack. A successful defacment involves additional files has been uploaded to your webspaces for future attacks of your sites. So a drastic cleanup of your system is needed.
scenario 1: up-to-date backup is available
- step 1. Remove all (!) opn files from your webserver. It is not possible to just overwrite them since the ftp rights are not high enough to catch them all. The hack gives itself higher acl values to prevent ypu from overwrite them. So you need to delete them to get rid of them.
- step 2. restore your backup
scenario 2: no backup is available
- step 1. backup your "mainfile.php"
- step 2. backup the "cache" directory
- step 3. if you use a custom theme - backup it.
- step 4. Remove all (!) opn files from your webserver. It is not possible to just overwrite them since the ftp rights are not high enough to catch them all. The hack gives itself higher acl values to prevent ypu from overwrite them. So you need to delete them to get rid of them.
- step 5. Upload the current (complete) opn package incl. the security fix
- step 6. Check your backuped "mainfile.php" for conspicuities and restore it
- step 7. Check your backuped "cache" directory for conspicuities (look at your local filesystem for files with a timestamp around the attack and remove those files) and restore the directory
- step 8. Check your backuped theme for conspicuities (look at your local filesystem for files with a timestamp around the attack and remove those files) and restore the directory
- step 9. adjust the directory rights to the ones named recommended in the documentation
Do not forget to check the "cgi-bin" directory (which in most cases is outside the html directory) for additional files placed by the hack.
Our recommendation:
- Backup - a continous backup is always a good idea
- If possible set php.ini setting "register_globals" to "off". (If this is not possible for you, encourage your hoster to do so. If he does not want to do that lookup for a another hoster).
Posted by xweber on 2006-05-01 10:52:55 (44644 * reads)
Comments
The comments are owned by the poster. We are not responsible for their content.
-
You can download the fixed 2.3.5 version as registered user from our website hier (see download section)
or
as anonymous from our sourceforge project page.