Logged In: YES
user_id=300048
Also included is an updated login_register.php file which
fixes a bug where login_register.php could be accessed
directly even though the config.php $USE_REGISTRATION_MODULE
was turned off. It also specifically checks for this attack
and logs it.
--John
Logged In: YES
user_id=300048
Also included is an updated useradmin.php file which will
allow you to delete the hacked user if you happen to be
targeted before applying the other patch files.
--John
Logged In: YES
user_id=1278885
Have these patches been applied to the CVS branches HEAD and
future?
Logged In: YES
user_id=300048
Yes, the patches are in both the MAIN and future branches of
the CVS.
--John
Logged In: YES
user_id=634811
They were added to both.
Logged In: YES
user_id=300048
The user registration attack is primarily targeting index
mode. The updated login_register.php file will prevent the
current exploit from working. But I am also attaching an
updated authentication_index.php which will prevent code
from being written to the authenticate.php file.
--John
Logged In: YES
user_id=733843
After applying the patched files I lost the welcome page
settings (page completely blank; I use version 3.1).
After I set the welcome page to the default and save the
changes, the changes are not shown on the welcome page (not
saved, apparently).
Anyone else having the problem?
I was hit by this hacker (had a suntsu account), but was
able to remove the account.
I know this issue does not compare with the hacker's thread,
but having the welcome page back to normal in a few
days would be nice.
Thanks,
Herbert
Logged In: YES
user_id=1216693
John, et al.:
Just a note to say "thanks" to all of you for the rapid
response to this threat.
Logged In: YES
user_id=1198414
******** NOTE **************
If you are running PGV version 4.0 beta 3, DO NOT apply this
patch!!!! This patch is for 3.3.x (preferably 3.3.7) ONLY.
If you're on any version of 4.0 other than beta3 or Future
Branch CVS, you should upgrade to beta3 or Future Branch CVS
IMMEDIATELY. The patches have already been incorporated
into these versions. There are NO patches for earlier
versions of 4.0.
If you're on PGV 3.3.x, download and install all 4 patch
files.
Copy file 'authentication_index.php' to subdirectory
'includes'. Copy the other files to the main directory
where PGV is installed.
Logged In: YES
user_id=634811
I updated http://phpgedview.net/index.php to clarify that
the patch is not for the 4.0 branch. Let me know if the text
is clear (most of it is just copied from your instructions
below).
Logged In: YES
user_id=1111339
Still getting penetrations into /phpGedView/media after
applying the patches to 3.3.7. Found the casus15.php,
login.php, back.txt and ciPsy.tar.gz all loaded into this
directory dated 30/12/05. There were also entries in /tmp so
at this stage I am very concerned about the extent of damage
to the server as a whole and will have to do a rkhunt and
possible re-install of the whole server :(.
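The report above describes PHP scripts and archives turning up inside /phpGedView/media after the patches were applied. As an added example (not part of this thread or of the PhpGedView project), the POSIX shell check below is what a defender would run against a media directory, from cron or right after patching: it flags any file whose extension is not an expected media type, and any file with a media extension that nonetheless carries a PHP open tag. The allowed-extension list is an assumption to adjust per installation, and the sample directory it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not PhpGedView code: flag files in a PGV media directory
# that should never be there. Two checks: an extension outside the list of
# expected media types, and a PHP open tag inside an otherwise "media" file.

# Extensions a PGV media directory legitimately holds (assumption; adjust).
ALLOWED_EXT="jpg jpeg gif png bmp tif tiff pdf"

# is_allowed_ext FILE  -> exit 0 if FILE's extension is in ALLOWED_EXT
is_allowed_ext() {
    ext=$(basename "$1" | sed -n 's/.*\.\([A-Za-z0-9]*\)$/\1/p' | tr 'A-Z' 'a-z')
    [ -n "$ext" ] || return 1
    for a in $ALLOWED_EXT; do
        [ "$a" = "$ext" ] && return 0
    done
    return 1
}

# find_suspicious_media DIR  -> prints "<path><TAB><reason>" per suspicious file
find_suspicious_media() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        if ! is_allowed_ext "$f"; then
            printf '%s\tunexpected-extension\n' "$f"
        elif grep -q '<?php' "$f" 2>/dev/null; then
            # image or PDF extension, but PHP source inside: a disguised script
            printf '%s\tphp-tag-in-media\n' "$f"
        fi
    done
}

# make_sample_media  -> prints the path of a constructed media tree
make_sample_media() {
    d=$(mktemp -d)
    mkdir -p "$d/thumbs"
    printf 'JFIF fake image bytes\n'         > "$d/grandpa.jpg"       # constructed, clean
    printf 'fake pdf bytes\n'                > "$d/census_1901.pdf"   # constructed, clean
    printf '<?php echo "not media"; ?>\n'    > "$d/dropped.php"       # constructed, wrong type
    printf 'GIF89a<?php echo "hidden"; ?>\n' > "$d/thumbs/photo.gif"  # constructed, PHP in an image
    printf '%s' "$d"
}

# Usage: sh check_media.sh /path/to/phpGedView/media
if [ "$#" -eq 1 ]; then
    find_suspicious_media "$1"
fi
```

The second check matters because an extension allow-list alone is not enough: a file named photo.gif that begins with a GIF header and continues with PHP source passes the first test, so the scan also looks for the open tag inside every file it lets through on extension.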
Logged In: YES
user_id=1278885
At this time it would be prudent to limit the MIME types of
media users can upload. I am still puzzled as to who would
take the time to register just to upload a back-door program.
Logged In: YES
user_id=1111339
As a follow-up: individuals are able to get access to the
system using PHP tools called r57 and c99, which enable them
to access the system via help_text_vars.php. I simulated
the attempts using the tool links. In my case the person
then uploaded open-source IRC software into the
/phpGedView/media directory and then did the install of the
software. The files were all owned by www-data (std Debian
Apache structure). Because my firewall blocks the ports used
by the software it didn't work. Most of the attempts I have
seen over the last few weeks involve the PHP tools mentioned
above.
Logged In: YES
user_id=1111339
As a further follow-up on this, and some general advice for
others running phpGedView on Linux-based systems.
The PHP tools being used (r57 and c99) can be used to gain
access to the whole file system. This means attackers may be
able to upload and install apps with the Apache user
authority. This also means they can have a crack at root as
well.
Installing mod_security into Apache httpd.conf together with
the rule sets at http://www.modsecurity.org will prevent the
use of these tools. modsecurity.org has already included
the exploit in its rulesets.
Logged In: YES
user_id=1432705
I recently applied the 3.3.8 security patches to my
personal web-based GedView installation; however, when I
mouse over the PHPGedView logo at the bottom of my GedView
home page it still thinks I am running 3.3.7.
I was expecting it to display 3.3.8.
Are the patches supposed to update the version displayed,
or did the patches not get applied properly?
Thanks in advance.
Logged In: YES
user_id=1198414
The version information comes from 'includes/session.php'.
Since the patches only update a selected portion of your
existing PhpGedView installation, you wouldn't see a new
version number.
I would advise you to download the most recent PhpGedView
version 3.3.8 distribution file, and update your existing
installation with this new version.
To do the update, you extract the entire set of files and
directories from the version 3.3.8 distribution file, and
then replace everything within the PhpGedView installation
directory on your server, except for the following:
file config.php
directory index
directory media
By keeping these three items, you're replacing all of
PhpGedView while retaining the existing configuration and
data files.
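The reply above gives the update as a procedure: extract the 3.3.8 distribution, then replace everything in the installation directory except config.php, the index directory and the media directory. As an added example, not part of this thread or of the PhpGedView project, the POSIX shell script below carries out exactly those steps against an already-extracted release tree. A side effect worth noting for anyone cleaning up after the incidents reported earlier in the thread: because everything outside the three kept items is wiped before the new files go in, stray files left in the web root do not survive the upgrade. The path arguments and the constructed sample trees are assumptions for the dry run.

```shell
#!/bin/sh
# Added example, not PhpGedView code: replace a PGV 3.3.x installation with
# an extracted 3.3.8 release tree, keeping only config.php, index/ and media/
# from the old installation, the three items the reply above lists.

KEEP="config.php index media"

# upgrade_pgv RELEASE_DIR INSTALL_DIR
#   RELEASE_DIR: the extracted 3.3.8 distribution (assumed already unpacked)
#   INSTALL_DIR: the live PGV directory on the web server
upgrade_pgv() {
    new=$1
    inst=$2
    side=$(mktemp -d)

    # 1. move the three items to keep out of the way
    for k in $KEEP; do
        if [ -e "$inst/$k" ]; then
            mv "$inst/$k" "$side/"
        fi
    done

    # 2. wipe everything else, dotfiles included, but keep the directory
    #    itself so its ownership and mode are untouched; stale files,
    #    including anything dropped into the web root, do not survive
    for entry in "$inst"/* "$inst"/.[!.]* "$inst"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        rm -rf "$entry"
    done

    # 3. copy the complete new release in (dotfiles included)
    cp -pR "$new"/. "$inst"/

    # 4. the release ships its own defaults for the kept items; put the
    #    preserved configuration and data back over them
    for k in $KEEP; do
        if [ -e "$side/$k" ]; then
            rm -rf "$inst/$k"
            mv "$side/$k" "$inst/"
        fi
    done
    rmdir "$side"
}

# make_sample_trees: constructed old install and release tree for a dry run;
# sets SAMPLE_INSTALL and SAMPLE_RELEASE to their paths
make_sample_trees() {
    SAMPLE_INSTALL=$(mktemp -d)
    SAMPLE_RELEASE=$(mktemp -d)

    mkdir -p "$SAMPLE_INSTALL/includes" "$SAMPLE_INSTALL/index" "$SAMPLE_INSTALL/media"
    printf 'old site config\n'    > "$SAMPLE_INSTALL/config.php"
    printf 'gedcom data\n'        > "$SAMPLE_INSTALL/index/gedcoms.dat"
    printf 'image bytes\n'        > "$SAMPLE_INSTALL/media/grandpa.jpg"
    printf 'version 3.3.7\n'      > "$SAMPLE_INSTALL/includes/session.php"
    printf 'should not survive\n' > "$SAMPLE_INSTALL/stale_dropped.php"   # constructed stray file

    mkdir -p "$SAMPLE_RELEASE/includes" "$SAMPLE_RELEASE/index" "$SAMPLE_RELEASE/media"
    printf 'release default config\n' > "$SAMPLE_RELEASE/config.php"
    printf 'placeholder\n'            > "$SAMPLE_RELEASE/index/release_default.txt"
    printf 'version 3.3.8\n'          > "$SAMPLE_RELEASE/includes/session.php"
}

# Usage: sh upgrade_pgv.sh /path/to/extracted/phpGedView-3.3.8 /var/www/phpGedView
if [ "$#" -eq 2 ]; then
    upgrade_pgv "$1" "$2"
fi
```

Run it against a copy of the installation first; the kept items are moved aside and back rather than copied, so a failure between steps 2 and 4 leaves them in the temporary directory printed by mktemp, not deleted.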
Logged In: YES
user_id=1432705
I upgraded to the full version of 3.3.8 as you suggested.
Everything seems to be working OK, and I get an indication
I'm running 3.3.8 on the mouseover of the PHPGedView logo.
Thanks
Logged In: YES
user_id=300048
This patch has been merged into the code and was included in the
latest final version release.
Please download the newest release.
Thanks