Go Back   vb.org Archive > Community Discussions > Forum and Server Management
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 04-19-2012, 06:42 AM
viper357's Avatar
viper357 viper357 is offline
 
Join Date: Dec 2006
Location: Worthing, UK
Posts: 563
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Possible security issue with a mod, hack attempt?

Hi everyone

I got some strange database errors this morning which seemed to emanate from the vbimagehosting mod. I'm not sure if it is anything to be concerned about as I've got no idea what it all means, but maybe someone has found a security flaw in the mod? These are a few of the errors I was receiving, take note of the end of the url's.

Code:
http://*****.com/vbimghost.php?do=userlist&pp=20&page=/etc/passwd
Code:
http://*****.com/vbimghost.php?do=userlist&pp=20&page=/../../../../../../../../../../etc/passwd
Code:
http://*****.com/vbimghost.php?do=userlist&pp=20&page=/etc/passwd%00
Code:
http://*****.com/vbimghost.php?do=userlist&pp=20&page=/proc/self/environ%00
Should I be worried? To me it looks like someone is trying to access passwords or something?

Thanks.
Reply With Quote
  #2  
Old 04-19-2012, 12:12 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yes, it looks like someone was trying to use a security hole to read files from your system. But trying doesn't mean they were successful (or that the "hole" they were trying actually exists in your forum). You said you saw database errors? What did they look like? (BTW, I tried it once myself so that latest error was just me).

The latest code for that mod looks like it treats the 'page' parameter correctly, but maybe older versions (of the mod or of vb) had a problem.
Reply With Quote
  #3  
Old 04-19-2012, 02:33 PM
viper357's Avatar
viper357 viper357 is offline
 
Join Date: Dec 2006
Location: Worthing, UK
Posts: 563
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi, thanks for the reply, this is one of the database errors, I got about 10, some with different URL's that they were obviously trying.
Code:
Database error in vBulletin 3.8.5:

Invalid SQL:
select user.username,  img.userid,count(*) imgcnt FROM vbimghost as img LEFT JOIN user as user ON  img.userid = user.userid where imgprivate =0 group by user.username LIMIT  -20,20;

MySQL Error   : You have an error in your SQL syntax; check the  manual that corresponds to your MySQL server version for the right syntax to use  near '-20,20' at line 1
Error Number  : 1064
Request Date  : Thursday,  April 19th 2012 @ 08:16:39 AM
Error Date    : Thursday, April 19th 2012 @  08:16:39 AM
Script        : http://www.marineaquariumsa.com/vbim.../../etc/passwd
Referrer       : 
IP Address    : removed
Username      :  Unregistered
Classname     : vB_Database
MySQL Version :
Reply With Quote
  #4  
Old 04-19-2012, 03:41 PM
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
Posts: 6,357
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

ban the ips trying to hack and update to 3.8.7 Patch Level 2
Reply With Quote
  #5  
Old 04-19-2012, 04:56 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

There's a slight issue in that mod, in that if you pass a string as the 'page' parameter it becomes page 0 and generates a starting LIMIT in the query of -20 which is invalid (first page is 1 so 0 is invalid). But that doesn't create a security issue, and even if it did allow you to modify the sql, putting a file name there wouldn't read the file. So I don't think you have anything to worry about.

BTW, the ip address in the above error is mine, so please everybody don't start banning me.
Reply With Quote
  #6  
Old 04-19-2012, 04:56 PM
viper357's Avatar
viper357 viper357 is offline
 
Join Date: Dec 2006
Location: Worthing, UK
Posts: 563
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
ban the ips trying to hack
Yip, I've done that in the admin panel, thanks.
Quote:
and update to 3.8.7 Patch Level 2
Yeah I need to do that one day, it's just I've got so many manually edited templates, lol.

--------------- Added [DATE]1334858362[/DATE] at [TIME]1334858362[/TIME] ---------------

Quote:
Originally Posted by kh99 View Post
There's a slight issue in that mod, in that if you pass a string as the 'page' parameter it becomes page 0 and generates a starting LIMIT in the query of -20 which is invalid (first page is 1 so 0 is invalid). But that doesn't create a security issue, and even if it did allow you to modify the sql, putting a file name there wouldn't read the file. So I don't think you have anything to worry about.

BTW, the ip address in the above error is mine, so please everybody don't start banning me.
Ok, thanks for the help. Sorry about the IP address , I've removed it from my post.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:33 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.03826 seconds
  • Memory Usage 2,214KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (5)bbcode_code
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (6)post_thanks_box
  • (6)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (6)post_thanks_postbit_info
  • (6)postbit
  • (6)postbit_onlinestatus
  • (6)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete