xxx.php.rar exploit question

Started by wmaster, September 25, 2006, 07:12:59 PM

wmaster

I read that 1.4.6 fixes this problem associated with the Apache bug which allows the xxx.php.rar exploit.

However, someone recently tried this exploit on one of my websites.
I installed the test.php.rar file to see if my web server was vulnerable AND IT WAS!  :o
I patched the Apache config file.

But my concern is this. It seems the only reason this hack attempt failed is because the user uploaded the rar file as a guest, which did not immediately make the file available. I got an approval email for the file, and that's when I saw the hack attempt.

It seems to me, if the user had simply registered and uploaded the xxx.php.rar file, he/she would have been able to tell what the path to the .rar file was, and executed it.

So how did the 1.4.6 version take care of this Apache problem? I'm still not 100% sure my site hasn't been compromised. I'm still looking around. The HTTP access logs don't show anyone actually executing any rar files, but these logs may have been spoofed as well  :'(

I changed the Coppermine config to only allow picture extensions to be uploaded now.


Crossing my fingers. I'm reviewing the hacker's code to look for clues on how to detect him.
If you want a copy of the code, I can email it to someone. It's pretty slick.


Nibbler

That is not a test that tells you anything. The fix that went into Coppermine will prevent a file being allowed a .php.rar extension in the first place.

wmaster

In case you guys are interested, I reviewed the access log, found his IP address and reviewed what he did.

He actually uploaded a file called md99.zip. Not md99.php.rar, or even md99.php.zip (attempting a similar exploit?).

Since the file upload required my approval, he couldn't immediately locate the file, and spent some time guessing what the URL was by observing the path of other photos in the gallery.

He also tried clicking on the LAST UPLOADS link to see if that would give him the path.

Not sure why he would upload a file called md99.zip. Fortunately, zip files are in no way executed on my web server.

Looks like he finally gave up after he found the location of the md99.zip file, and then realized Apache would simply only download the file for him.

Hate these guys. Get a life already!


Again, if you would like to see the hack code, it might be worthwhile, since it may give you ideas as to how these guys are attempting to hack sites. The hacker code is in PHP. I don't want to post the code in public though.


xplicit

Hmm... AFAIK Apache works correctly for zip files, so it's not really similar to the .php.rar exploit.

Check your log file for his/her IP number and see if he/she tried uploading other code or tried SQL injection, or tried filling in _GET values. I would find it very odd if this was an attempt without trying to use the possibilities of the known rar exploit.

But there are lots of ways people can try to hijack sites, which I wouldn't all mention in case others get ideas ;)

Most interesting is the content: try to figure out what its purpose is and which parts of the site it would attack. Since hackers are very smart, it could be a till-now unknown form of attempt; if you have the knowledge, please check whether there is a possibility that Coppermine is vulnerable to the code in the received zip.

If you like, you can send me the code and I will figure out what it does, but I would indeed suggest not publishing it on the board.

Don't ask me: Can you do this... or Give me that... or I need quick help in PMs. I'm not Santa Claus, so post your questions on the board so it will be of benefit to everyone.

Joachim Müller

As explained on the existing threads that deal with the rar exploit and the fixes, the fix we created should take care of all unknown file types by only allowing the last dot in a file name and replacing all previous dots with underscores. This way, a file that is originally named foo.php.zip will be renamed to foo_php.zip. This way, Apache won't try to parse it as a PHP file and subsequently the file is harmless. I can see no point in this discussion: the reason we make maintenance releases available is that they fix bugs. Running outdated versions is just silly. If you're even aware that there are more recent maintenance releases and still not upgrading, that equals asking for trouble.
Trying to even bother to track those script kiddies who try to perform the attacks is pointless IMO; you're welcome to take actions against them, but we're not interested in their IP addresses or other similar logging data.
Upgrade! If you don't: feel sorry later. There's no alternative.
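The renaming rule Joachim describes (keep only the last dot, turn every earlier dot into an underscore) is shown below as an added example written for this thread; it is not Coppermine's own upload code. The reason it works is Apache mod_mime's multiple-extension handling: with a directive such as `AddHandler` for `.php`, every dot-separated segment of a file name is inspected, so `test.php.rar` is handed to the PHP handler even though `.rar` is the final extension. The `apacheWouldExecute()` function is a simplified emulation of that rule (it only models handler extensions, not the full mod_mime precedence logic), the picture allow-list and the `php`/`phtml` handler extensions are assumptions for illustration, and the sample file names are constructed. The example also shows why the rename matters even with an allow-list in place: `evil.php.jpg` passes a final-extension check but would still run as PHP unless the inner dot is removed.

```php
<?php
// Added example, not Coppermine code. Demonstrates the "only the last dot
// survives" normalisation against Apache's multiple-extension handling.

// Assumed allow-list of picture extensions (illustrative, not Coppermine's config key).
$allowedExtensions = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Replace every dot except the last one with an underscore.
 *   "foo.php.zip" -> "foo_php.zip", "image.jpg" -> "image.jpg", "noext" -> "noext"
 */
function normalizeFilename(string $name): string
{
    $name = basename($name);            // drop any smuggled directory component
    $lastDot = strrpos($name, '.');
    if ($lastDot === false) {
        return $name;                    // no extension at all
    }
    $stem = substr($name, 0, $lastDot);
    $ext  = substr($name, $lastDot);     // keeps the leading dot
    return str_replace('.', '_', $stem) . $ext;
}

/**
 * Simplified emulation of mod_mime with "AddHandler ... .php": each ".ext"
 * segment is inspected, and a handler assigned to any of them applies to the
 * whole file, regardless of which segment comes last. Returns true when the
 * name would be handed to the script handler.
 */
function apacheWouldExecute(string $name, array $scriptExtensions = ['php', 'phtml']): bool
{
    $parts = explode('.', basename($name));
    array_shift($parts);                 // first segment is the stem, not an extension
    foreach ($parts as $segment) {
        if (in_array(strtolower($segment), $scriptExtensions, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Normalise the name, then enforce the allow-list on the (now unique) extension.
 * Returns the safe name to store, or null if the upload must be rejected.
 */
function acceptUpload(string $originalName, array $allowed): ?string
{
    $safe = normalizeFilename($originalName);
    $ext  = strtolower(pathinfo($safe, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;
    }
    return $safe;
}

// Constructed sample names: the two from this thread plus a few edge cases.
$samples = ['test.php.rar', 'md99.zip', 'holiday.jpg', 'evil.php.jpg', 'a.PHP.png', 'noext'];

printf("%-14s %-14s %-12s %-12s %s\n", 'original', 'normalised', 'runs(orig)', 'runs(norm)', 'stored as');
foreach ($samples as $n) {
    $norm = normalizeFilename($n);
    printf("%-14s %-14s %-12s %-12s %s\n",
        $n,
        $norm,
        apacheWouldExecute($n)    ? 'yes' : 'no',
        apacheWouldExecute($norm) ? 'yes' : 'no',
        acceptUpload($n, $allowedExtensions) ?? 'rejected'
    );
}
```

Run with `php example.php`. `test.php.rar` is rejected outright by the allow-list, `md99.zip` is rejected as well (and, as wmaster observed, Apache would only have offered it for download anyway), and `evil.php.jpg` is stored as `evil_php.jpg`, which no longer contains a `.php` segment for mod_mime to act on. The rename is the defence-in-depth layer for whatever an administrator's allow-list happens to permit; the Apache side of the fix is to assign the PHP handler only to names whose final extension is `.php`, rather than to any name containing it.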