View Full Version : Security Issue ?


TheAdmiral
03-04-2012, 10:55 PM
I'm just an admin at a site running 3.8.5; I don't have the licensing info, so I couldn't post this in the proper forum. I'm sorry.

I've recently discovered a PHP injection scheme using the "Upload from URL" feature.

Here's the scenario:

1) Someone creates a URL on their own server that looks like an image url (allowed attachment type).

2) Their server dynamically changes the mime content type to txt/php.

3) Once the attachment is uploaded, the user can run the script directly out of their attachments folder... eg... user ID of 123... script name of exploit.php gives--

www.yourserver.com/attachments/1/2/3/exploit.php

Maybe this has been reported before; but we've had a script kiddie inject an email script into our server, and he's been sending spam from it.


Maybe there's another way to get a php file uploaded through the attachments--we're certainly not allowing any php extensions in our allowed extensions.


Thanks
F.

Disasterpiece
03-04-2012, 11:24 PM
.php extension shouldn't really be allowed to be uploaded.

In a sane environment, the attachment directory shouldn't be accessible from the web as well.
It's not really a security hole, but rather the way PHP scripts work combined with poor server/forum configuration, which makes misuse possible.

TheAdmiral
03-05-2012, 12:39 AM
Thanks.

Perhaps we can have our host restrict browsing in the attachments folder (which is inside the httpdocs--document root, making it accessible through http).

--------------- Added 1330925858 at 1330925858 ---------------

A little more investigation led me here:

https://www.vbulletin.com/forum/showthread.php/390350-hacking-attempt-script-please-check

That script is similar to the one we found on our site (twice).

We've put .htaccess files in the custom* directories, as well as the root of the attachments directory. Hopefully that will deny all future access to injected PHP on the forum.


Thanks again,
F
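
An added example, not part of any post in this thread: a small audit that walks an attachments tree and flags stored files a PHP handler could parse, to check for scripts already planted before the .htaccess files went in. The extension list, the reason labels, and the sample tree are assumptions constructed for illustration; match the extension list to what your server actually maps to PHP.

```python
import os
import re
import tempfile

# Extensions commonly mapped to the PHP handler (assumption: adjust to your server config).
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def classify(name, head):
    """Return the reasons a stored attachment could be parsed as PHP."""
    reasons = []
    parts = name.lower().split(".")[1:]          # every extension, not just the last
    if parts and parts[-1] in PHP_EXTS:
        reasons.append("php-extension")
    elif any(p in PHP_EXTS for p in parts):
        reasons.append("php-inner-extension")    # e.g. x.php.gif where AddHandler is used
    if PHP_TAG.search(head):
        reasons.append("php-open-tag")           # content check, independent of the name
    return reasons

def audit(root, sniff=65536):
    """Walk root and return {relative_path: reasons} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn == ".htaccess":
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sniff)
            except OSError:
                continue                          # unreadable file: skip, do not abort
            reasons = classify(fn, head)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Constructed sample tree using the attachments/1/2/3 layout from the thread."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "1", "2", "3")
        os.makedirs(d)
        samples = {"exploit.php": b"<?php echo 1; ?>", "photo.jpg": b"\xff\xd8\xff\xe0JFIF",
                   "avatar.php.gif": b"GIF89a", "note.attach": b"GIF89a<?php echo 1; ?>"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return audit(root)
```

Run `audit()` against the real attachments path and review every hit by hand; the open-tag check only reads the first 64 KiB of each file and can match by chance in binary data.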

DivisionByZero
03-05-2012, 06:51 AM
This is why it's long been the standard that the attachments repository be located outside the webroot. As a temporary measure, it's best to disable the PHP interpreter altogether for the attachments directory. This means that no matter what extension a file is masqueraded as, the PHP executable will not parse it.

Disasterpiece
03-05-2012, 10:03 AM
http://php.net/manual/en/apache.configuration.php
http://www.electrictoolbox.com/disable-php-apache-htaccess/
https://www.vbulletin.com/docs/html/attachment_storage_db_to_fs1

TheAdmiral
03-05-2012, 03:40 PM
Thanks guys. Seems the configuration was fubar from the start. If it were me, we'd start over.
We're good now, though.

Paul M
03-05-2012, 04:21 PM
Title updated to avoid confusion.