Go Back   vb.org Archive > Community Central > vBulletin.org Site Feedback
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 03-04-2012, 10:55 PM
TheAdmiral TheAdmiral is offline
 
Join Date: Jan 2010
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Security Issue ?

I'm just an admin at a site running 3.8.5; I don't have the licensing info, so I couldn't post this in the proper forum. I'm sorry.

I've recently discovered a PHP injection scheme using the "Upload from URL" feature.

Here's the scenario:

1) Someone creates a URL on their own server that looks like an image url (allowed attachment type).

2) Their server dynamically changes the mime content type to txt/php.

3) Once the attachment is uploaded, the user can run the script directly out of their attachments folder... eg... user ID of 123... script name of exploit.php gives--

www.yourserver.com/attachments/1/2/3/exploit.php

Maybe this has been reported before; but we've had a script kiddie inject an email script into our server, and he's been sending spam from it.


Maybe there's another way to get a php file uploaded through the attachments--we're certainly not allowing any php extensions in our allowed extensions.


Thanks
F.
Reply With Quote
  #2  
Old 03-04-2012, 11:24 PM
Disasterpiece's Avatar
Disasterpiece Disasterpiece is offline
 
Join Date: Apr 2007
Location: GER
Posts: 765
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

.php extension shouldn't really be allowed to be uploaded.

In a sane environment, the attachment directory shouldn't be accessible from the web as well.
It's not really a security hole, rather than the way php scripts work combined with poor server/forum configuration which makes misuse possible.
Reply With Quote
  #3  
Old 03-05-2012, 12:39 AM
TheAdmiral TheAdmiral is offline
 
Join Date: Jan 2010
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks.

Perhaps we can have our host restrict browsing in the attachments folder (which is in side the httpdocs--document root, making it accessible through http)

--------------- Added [DATE]1330925858[/DATE] at [TIME]1330925858[/TIME] ---------------

A little more investigation led me here:

https://www.vbulletin.com/forum/show...t-please-check

That script is similar to the one we found on our site (twice).

We've put .htaccess files in the custom* directories, as well as the root of the attachments directory. Hopefully that will deny all future access to injected PHP on the forum.


Thanks again,
F
Reply With Quote
  #4  
Old 03-05-2012, 06:51 AM
DivisionByZero's Avatar
DivisionByZero DivisionByZero is offline
 
Join Date: Dec 2002
Location: South Bend, Indiana
Posts: 485
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This is why it's long been the standard that the attachments repository be located outside the webroot. As a temporary measure, it's best to disable the PHP interpreter altogether for the attachments directory. This means that no matter what extension a file is masqueraded as, the PHP executable will not parse it.
Reply With Quote
  #5  
Old 03-05-2012, 10:03 AM
Disasterpiece's Avatar
Disasterpiece Disasterpiece is offline
 
Join Date: Apr 2007
Location: GER
Posts: 765
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

http://php.net/manual/en/apache.configuration.php
http://www.electrictoolbox.com/disab...ache-htaccess/
https://www.vbulletin.com/docs/html/...rage_db_to_fs1
Reply With Quote
  #6  
Old 03-05-2012, 03:40 PM
TheAdmiral TheAdmiral is offline
 
Join Date: Jan 2010
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks guys. Seems the configuration was fubar from the start. If it were me, we'd start over.
We're good now, though.
Reply With Quote
  #7  
Old 03-05-2012, 04:21 PM
Paul M's Avatar
Paul M Paul M is offline
 
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Title updated to avoid confusion.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:00 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.09883 seconds
  • Memory Usage 2,214KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (7)post_thanks_box
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (7)post_thanks_postbit_info
  • (7)postbit
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete