
#307 3.3.7 (ONLY) security patch

Status: closed-fixed
Labels: None
Priority: 9
Updated: 2006-07-11
Created: 2005-12-20
Creator: John Finlay
Private: No

There have been recent attacks targeting the
help_text_vars.php file. This patch contains an
updated help_text_vars.php file for version 3.3.x.

--John

Discussion

  • John Finlay

    John Finlay - 2005-12-20
     
  • John Finlay

    John Finlay - 2005-12-20
     
  • John Finlay

    John Finlay - 2005-12-20

    Logged In: YES
    user_id=300048

    Also included is an updated login_register.php file which
    fixes a bug where login_register.php could be accessed
    directly even though the config.php $USE_REGISTRATION_MODULE
    was turned off. It also specifically checks for this attack
    and logs it.

    --John
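
The kind of guard the updated login_register.php is described as adding, written out as an added example (this is not PhpGedView's own code). The config flag name $USE_REGISTRATION_MODULE is the one named in the comment above; the log file location, the helper names and the log line format are assumptions made for this illustration. It also shows a PHP-specific trap worth checking in any config-driven switch: only a strict boolean true should enable the module, because a non-empty string such as "false" is truthy.

```php
<?php
// Added example, not PhpGedView's own code. Refuse the registration module
// when $USE_REGISTRATION_MODULE (the config.php flag named in the thread) is
// off, and log the attempt. Log path, helper names and log format are
// assumptions for this illustration.

/**
 * Only a strict boolean true enables the module. Loose truthiness would be a
 * trap: a config line such as  $USE_REGISTRATION_MODULE = "false";  is a
 * non-empty string, so  if ($USE_REGISTRATION_MODULE)  would enable it.
 */
function registration_enabled($flag): bool
{
    return $flag === true;
}

/**
 * Build one audit line for a blocked request. Client-controlled values
 * (URI, User-Agent) have control characters stripped so an attacker cannot
 * forge extra log lines.
 */
function blocked_request_line(array $server, string $when): string
{
    $clean = static function (string $v): string {
        return preg_replace('/[\x00-\x1f\x7f]+/', ' ', $v);
    };
    return sprintf(
        "%s blocked direct access to %s from %s ua=\"%s\"\n",
        $when,
        $clean($server['REQUEST_URI'] ?? '?'),
        $clean($server['REMOTE_ADDR'] ?? '?'),
        $clean($server['HTTP_USER_AGENT'] ?? '-')
    );
}

function deny_and_log(string $logfile, array $server): void
{
    // Append under an exclusive lock so concurrent hits do not interleave.
    $line = blocked_request_line($server, date('c'));
    if (@file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX) === false) {
        error_log('pgv: could not write ' . $logfile . ': ' . trim($line));
    }
    http_response_code(403);
    exit('Registration is disabled.');
}

// --- top of the module's entry script -------------------------------------
// In the real application the flag comes from config.php; the value below is
// constructed for this example. index/ is PhpGedView's writable data directory
// (assumed location for the log).
$USE_REGISTRATION_MODULE = false;
$logfile = __DIR__ . '/index/pgv_blocked.log';

if (!registration_enabled($USE_REGISTRATION_MODULE)) {
    deny_and_log($logfile, $_SERVER);
}
// Registration form handling would follow here and is reached only when the
// flag is exactly true.
```

The guard belongs at the very top of the module, before any include that might have side effects; placing it after the form handling defeats the purpose, since the request has already been processed by the time the flag is consulted.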

     
  • John Finlay

    John Finlay - 2005-12-21

    Also included is an updated useradmin.php file which will
    allow you to delete the hacked user if you happen to be
    targeted before applying the other patch files.

    --John

     
  • John Finlay

    John Finlay - 2005-12-21
     
  • Laie Techie

    Laie Techie - 2005-12-21

    Have these patches been applied to the CVS branches HEAD and
    future?

     
  • John Finlay

    John Finlay - 2005-12-21

    Yes, the patches are in both the MAIN and future branches of
    the CVS.

    --John

     
  • KosherJava

    KosherJava - 2005-12-21

    They were added to both.

     
  • John Finlay

    John Finlay - 2005-12-21
     
  • John Finlay

    John Finlay - 2005-12-21

    The user registration attack is primarily targeting index
    mode. The updated login_register.php file will prevent the
    current exploit from working. But I am also attaching an
    updated authentication_index.php which will prevent code
    from being written to the authenticate.php file.

    --John
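
The comment above says the updated authentication_index.php stops code from being written into authenticate.php, the PHP source file in which index mode keeps its user records. The following is an added example of the general rule behind such a fix, not PhpGedView's own code: data that ends up inside a PHP source file is checked against a strict allow-list and emitted with var_export(), which only ever produces quoted literals, instead of being concatenated into code. The record layout ($users = [name => [field => value]]), the file name authenticate.php as the target, and the helper names are assumptions for this illustration.

```php
<?php
// Added example, not PhpGedView's own code. Writing user records into a PHP
// source file (authenticate.php in index mode) safely: validate the names,
// refuse anything non-scalar, and let var_export() do the quoting. The record
// layout and helper names are assumptions.

function validate_username(string $name): bool
{
    // Letters, digits, dot, dash and underscore only, 1..32 characters. Quotes,
    // brackets, semicolons, newlines and "<?" cannot appear, so a name can
    // never close the literal it is written into.
    return preg_match('/^[A-Za-z0-9._-]{1,32}$/', $name) === 1;
}

function validate_record(array $record): bool
{
    // Every field must be a string key with a scalar value; nested arrays or
    // objects are refused rather than serialised.
    foreach ($record as $field => $value) {
        if (!is_string($field) || !(is_string($value) || is_int($value) || is_bool($value))) {
            return false;
        }
    }
    return true;
}

function render_user_store(array $users): string
{
    foreach ($users as $name => $record) {
        $name = (string) $name;   // PHP turns numeric string keys into ints
        if (!validate_username($name)) {
            throw new InvalidArgumentException('invalid username: ' . var_export($name, true));
        }
        if (!is_array($record) || !validate_record($record)) {
            throw new InvalidArgumentException("invalid record for $name");
        }
    }
    // var_export() quotes and escapes every string, so the output is a pure
    // array literal even if a value contains "?>" or a quote character.
    return "<?php\n\$users = " . var_export($users, true) . ";\n";
}

function write_user_store(string $path, array $users): void
{
    // Write a temp file in the same directory, then rename: no reader ever
    // includes a half-written file, and a failure leaves the old one intact.
    $tmp = $path . '.' . getmypid() . '.tmp';
    if (file_put_contents($tmp, render_user_store($users), LOCK_EX) === false
        || !rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("could not update $path");
    }
}

// --- constructed demonstration -------------------------------------------
$good = [
    'alice' => ['password' => '$2y$10$constructedhashvalue', 'email' => 'alice@example.org'],
];
echo render_user_store($good);

$hostile = ['eve\'; /* not a name */' => ['password' => 'x']];
try {
    render_user_store($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allow-list is the real defence; var_export() is the second layer. Even with both in place, the generated file should only ever be include'd for its data, and nothing from the request should be written into a comment or outside a string literal, since "?>" inside a comment does end PHP mode.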

     
  • Herbert Quartel

    Herbert Quartel - 2005-12-21

    After applying the patched files I lost the welcome page
    settings (page completely blank; I use version 3.1).

    After I set the welcome page to the default and save the
    changes the changes are not shown on the welcome page (not
    saved apparently)

    Anyone else having the problem?

    I was hit by this hacker (had a suntsu account), but was
    able to remove the account.
    I know this issue does not compare with the hacker's thread,
    but having the welcome page back to normal in a few
    days would be nice.

    Thanks,
    Herbert

     
  • relatedlines

    relatedlines - 2005-12-26

    John, et al.:

    Just a note to say "thanks" to all of you for the rapid
    response to this threat.

     
  • Gerry Kroll

    Gerry Kroll - 2005-12-26

    ******** NOTE **************
    If you are running PGV version 4.0 beta 3, DO NOT apply this
    patch!!!! This patch is for 3.3.x (preferably 3.3.7) ONLY.

    If you're on any version of 4.0 other than beta3 or Future
    Branch CVS, you should upgrade to beta3 or Future Branch CVS
    IMMEDIATELY. The patches have already been incorporated
    into these versions. There are NO patches for earlier
    versions of 4.0.

    If you're on PGV 3.3.x, download and install all 4 patch
    files.
    Copy file 'authentication_index.php' to subdirectory
    'includes'. Copy the other files to the main directory
    where PGV is installed.

     
  • Gerry Kroll

    Gerry Kroll - 2005-12-26
    • summary: help_text_vars.php security patch --> 3.3.7 (ONLY) security patch
     
  • Gerry Kroll

    Gerry Kroll - 2005-12-26
    • priority: 5 --> 9
     
  • KosherJava

    KosherJava - 2005-12-26

    I updated http://phpgedview.net/index.php to clarify that
    the patch is not for the 4.0 branch. Let me know if the text
    is clear (most of it is just copied from your instructions
    below).

     
  • TigerOC

    TigerOC - 2006-01-08

    Still getting penetrations into /phpGedView/media after
    applying the patches to 3.3.7. Found the casus15.php,
    login.php, back.txt and ciPsy.tar.gz all loaded into this
    directory dated 30/12/05. There were also entries in /tmp so
    at this stage I am very concerned about the extent of damage
    to the server as a whole and will have to do a rkhunt and
    possible re-install of the whole server :(.

     
  • Laie Techie

    Laie Techie - 2006-01-08

    At this time it would be prudent to limit the MIME types of
    media users can upload. I am still puzzled as to who would
    take the time to register just to upload a back-door program.

     
  • TigerOC

    TigerOC - 2006-01-11

    As a follow-up - individuals are able to get access to the
    system using PHP tools called r57 and c99 which enable them
    to access the system via help_text_vars.php. I simulated
    the attempts using the tool links. In my case the person
    then uploaded open source irc software into the
    /phpGedView/media directory and then did the install of the
    software. The files were all owned by www-data (std Debian
    Apache structure). Because my firewall blocks the ports used
    by the software it didn't work. Most of the attempts I have
    seen over the last few weeks involve the php tools mentioned
    above.

     
  • TigerOC

    TigerOC - 2006-01-12

    As further follow-up on this and some general advice for
    others running phpGedView on Linux based systems.
    The php tools being used (r57 and c99) can be used to gain
    access to the whole file system. This means attackers may be
    able to upload and install apps with the Apache user
    authority. This also means they can have a crack at root as
    well.
    Installing mod_security into Apache httpd.conf together with
    the rule sets at http://www.modsecurity.org will prevent the
    use of these tools. modsecurity.org have already included
    the exploit into their rulesets.
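
Two practical suggestions run through the last few comments: limit what can be uploaded into media/ (Laie Techie), and find the webshell-style files that were already dropped there (TigerOC's casus15.php, login.php, back.txt and ciPsy.tar.gz). Here is an added example covering both, not code from PhpGedView: an upload check that requires a single allow-listed extension, sniffs the content with libmagic, parses images, and rejects image/PHP polyglots; and a scanner over the media directory that flags unexpected extensions and common webshell markers. The allow-list, marker list, helper names and sample files are constructed; the four flagged file names are the ones reported in the thread.

```php
<?php
// Added example, not PhpGedView's own code. Upload allow-listing for media/
// and a scan for webshell-like files already dropped there. Allow-list,
// markers, helper names and sample files are constructed for this example.

const ALLOWED_MEDIA = ['gif' => 'image/gif', 'jpg' => 'image/jpeg',
                       'jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];

// Decide whether an upload may be stored under media/. $clientName is the name
// the browser sent, $tmpPath the server-side temp file ($_FILES[...]['tmp_name']).
function upload_is_acceptable(string $clientName, string $tmpPath): bool
{
    // Exactly one allow-listed extension: rejects shell.php, shell.phtml and
    // double extensions such as shell.php.gif.
    $parts = explode('.', basename($clientName));
    if (count($parts) !== 2 || !isset(ALLOWED_MEDIA[strtolower($parts[1])])) {
        return false;
    }
    $ext = strtolower($parts[1]);
    // Content must match the claimed type. Sniff with libmagic; the MIME type
    // in $_FILES[...]['type'] is supplied by the client and proves nothing.
    if ((new finfo(FILEINFO_MIME_TYPE))->file($tmpPath) !== ALLOWED_MEDIA[$ext]) {
        return false;
    }
    // Images must also parse as images.
    if ($ext !== 'pdf' && @getimagesize($tmpPath) === false) {
        return false;
    }
    // Polyglot check: a valid image can still carry PHP in trailing bytes or
    // metadata. "<?xpacket" (XMP) is legitimate, so only "<?php" / "<?=" count.
    return preg_match('/<\?(php\b|=)/i', (string) file_get_contents($tmpPath)) === 0;
}

// Walk media/ and report files that should not be there: a non-allow-listed
// extension, or a webshell marker in the first 64 KiB. Returns [path => reason].
function scan_media_dir(string $dir): array
{
    $markers  = ['<?php', '<?=', 'eval(', 'base64_decode(', 'passthru(', 'shell_exec(', 'system('];
    $findings = [];
    $dir  = rtrim($dir, '/');
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $file) {
        $rel = substr($file->getPathname(), strlen($dir) + 1);
        $ext = strtolower($file->getExtension());
        if (!isset(ALLOWED_MEDIA[$ext])) {
            $findings[$rel] = "unexpected extension '.$ext'";
            continue;
        }
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 65536);
        foreach ($markers as $m) {
            if (stripos($head, $m) !== false) {
                $findings[$rel] = "contains '$m'";
                break;
            }
        }
    }
    ksort($findings);
    return $findings;
}

// --- constructed demonstration in a temporary directory --------------------
$media = sys_get_temp_dir() . '/pgv_media_demo_' . getmypid();
mkdir($media);
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); // 1x1 GIF
file_put_contents("$media/photo.gif", $gif);
file_put_contents("$media/poly.gif",  $gif . "<?php /* constructed: code appended to a real image */");
foreach (['casus15.php', 'login.php', 'back.txt', 'ciPsy.tar.gz'] as $name) {
    file_put_contents("$media/$name", "constructed placeholder\n");
}

var_dump(upload_is_acceptable('photo.gif',     "$media/photo.gif"));  // real image, single extension
var_dump(upload_is_acceptable('poly.gif',      "$media/poly.gif"));   // parses as an image, but carries "<?php"
var_dump(upload_is_acceptable('shell.php.gif', "$media/photo.gif"));  // double extension
foreach (scan_media_dir($media) as $path => $why) {
    echo "$path: $why\n";
}
array_map('unlink', glob("$media/*"));
rmdir($media);
```

The single-extension rule is deliberately strict and will reject legitimate names such as holiday.2005.jpg; relaxing it to "no segment may be a script extension" is reasonable, but keep the content sniffing and the polyglot check regardless. Alongside the mod_security rules mentioned above, the media directory should also be served with PHP execution disabled (for mod_php, php_flag engine off in that directory's configuration), so that a file which does slip through cannot run even if it is named .php.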

     
  • arlomaple76

    arlomaple76 - 2006-01-21

    I recently applied the 3.3.8 security patches to my
    personal web-based GedView installation, however when I
    mouse-over the PHPGedView logo at the bottom of my GedView
    home page it still thinks I am running 3.3.7.
    I was expecting it to display 3.3.8.
    Are the patches supposed to update the version displayed?
    or did the patches not get applied properly??
    Thanks in advance.

     
  • Gerry Kroll

    Gerry Kroll - 2006-01-21

    The version information comes from 'includes/session.php'.

    Since the patches only update a selected portion of your
    existing PhpGedView installation, you wouldn't see a new
    version number.

    I would advise you to download the most recent PhpGedView
    version 3.3.8 distribution file, and update your existing
    installation with this new version.

    To do the update, you extract the entire set of files and
    directories from the version 3.3.8 distribution file, and
    then replace everything within the PhpGedView installation
    directory on your server, except for the following:

    file config.php
    directory index
    directory media

    By keeping these three items, you're replacing all of
    PhpGedView while retaining the existing configuration and
    data files.

     
  • arlomaple76

    arlomaple76 - 2006-01-22

    I upgraded to the full version of 3.3.8 as you suggested.
    Everything seems to be working OK, and I get an indication
    I'm running 3.3.8 on the mouseover of the PHPGedView logo.
    Thanks

     
  • John Finlay

    John Finlay - 2006-07-11

    This patch has been merged into the code and was included in the
    latest final version release.

    Please download the newest release.

    Thanks

     
  • John Finlay

    John Finlay - 2006-07-11
    • status: open --> closed-fixed
     
