Hack

Questions and bug reports for current release of CKForms

Hack

Post by yuri » Fri Apr 23, 2010 7:20 am

Hi guys!

My site was hacked through, as I think, vulnerabilities of CKForms 1.3.2.

Tonight I was trying to access my site and instead of its content I saw a screen of some exploit (see attachment). When I had connected by FTP client, there were only 3 files:
htaccess
error_log
index.php

The time of creation of index.php and error_log was different and newer than the old date of htaccess.

The content of error_log was:
[23-Apr-2010 09:15:57] PHP Fatal error: Class 'CkformsController../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/u57322ru/public_html/pslon.ru/components/com_ckforms/ckforms.php on line 24

And this date and time was the same as the time of creation index.php.

The content of index.php is in the attachment (too big to post).

I was "very happy" and restored all the content of site from backup. After that, in about 30 minutes I was hacked again with the same result.

I do not ask for support of any kind because I didn't buy CKForms, but I guess this could be essential for users of any kind.

Best regards,
Yuri
Attachments
hack-results.zip
(30.14 KiB) Downloaded 96 times

Re: Hack

Post by AlanDogg » Fri May 14, 2010 11:19 pm

Hi, this security flaw still exists. I have been told by my server host that if I do not remove the CKForms component he will shut down my sites that use it. This component has serious security issues and I have already lost my own website due to this badly written script.

Details from server host below

We can see from looking at the access logs that only a few minutes ago a
hacker tried to exploit the ckforms component.

195.228.152.176 - - [11/May/2010:14:36:07 +0100] "GET /index.php?option=com_ckforms&view=ckforms&id=2&Itemid=53//index2.php?option=com_forms&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 677 "-" "libwww-perl/5.813"

You MUST remove this component and its possible threat ASAP or the account
will be terminated.

I'm already using the new version 1.3.4.

Re: Hack

Post by artmaster » Sat May 15, 2010 1:24 am

Well, I tested on my website and I can't understand how the hack works.
No data is shown.

code used:

===[ Exploit ]=== [LFI]

http://site/index.php?option=com_ckforms&controller=[LFI]

===[ Exploit ]=== [sql]

http://site/index.php?option=com_ckform ... tail&fid=2[sql]


Any ideas of REAL danger?!?

Re: Hack

Post by artmaster » Tue May 18, 2010 3:42 am

:roll: No reply from Admin?

Re: Hack

Post by yuri » Mon May 24, 2010 5:40 am

I removed the CKForms component from my site entirely after I was hacked with the last version of the component. My site was down for about a week and I had to resolve the problems with the hosting provider company. It seems the component has many vulnerabilities. Hackers are still trying 3-4 times per day to access CKForms with the same exploits through proc/self/environ.
A simple search through Google displays very similar log parts from different sites.
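Added example (not part of the original thread, and not CKForms code): a small Python scanner for the pattern in the log entries quoted above, a controller value carrying ../ sequences, proc/self/environ or a %00 null byte, whether it shows up in the web access log or in the PHP error_log. The sample lines are constructed, modelled on the thread's entries, and all function names are this example's own.

```python
import re
from urllib.parse import unquote

TRAVERSAL = "../" * 15 + "proc/self/environ"
# Constructed sample lines modelled on the two log entries quoted in the thread
# (documentation-range IPs, made-up paths), plus one benign request for contrast.
SAMPLE_LINES = [
    '198.51.100.23 - - [11/May/2010:14:36:07 +0100] "GET /index.php?option=com_ckforms'
    '&controller=' + TRAVERSAL + '%00 HTTP/1.1" 200 677 "-" "libwww-perl/5.813"',
    "[23-Apr-2010 09:15:57] PHP Fatal error: Class 'CkformsController" + TRAVERSAL
    + "' not found in /home/example/components/com_ckforms/ckforms.php on line 24",
    '203.0.113.7 - - [11/May/2010:14:40:00 +0100] "GET /index.php?option=com_ckforms'
    '&view=ckforms&id=2&controller=ckforms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# controller= in a request line, or the class name PHP failed to load in error_log.
CONTROLLER_RE = re.compile(r"""controller=([^&\s"]+)|Class 'CkformsController([^']+)'""")

def decode(value, max_passes=3):
    """URL-decode repeatedly so double-encoded input (%252e%252e) is normalised."""
    for _ in range(max_passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def indicators(value):
    """Return the sorted list of reasons a controller value is not a plain name."""
    found = set()
    if "../" in value or "..\\" in value:
        found.add("traversal")
    if "\x00" in value:
        found.add("null-byte")
    if "proc/self/environ" in value:
        found.add("proc-environ")
    return sorted(found)

def scan(lines):
    """Yield (line_number, indicators) for each line with a suspicious controller."""
    for number, line in enumerate(lines, start=1):
        for match in CONTROLLER_RE.finditer(line):
            hits = indicators(decode(match.group(1) or match.group(2)))
            if hits:
                yield number, hits

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LINES):
        print(f"line {number}: {', '.join(hits)}")
```

A hit in the error_log form means the traversal string reached the component's class lookup unchanged, which is a stronger signal than a request that was merely attempted.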

Re: Hack

Post by artmaster » Mon May 24, 2010 11:50 am

Hello Yuri,
which version of CKForms is installed on the hacked sites?

Re: Hack

Post by yuri » Wed May 26, 2010 10:31 am

artmaster wrote: Hello Yuri,
which version of CKForms is installed on the hacked sites?

Hi,
The version was the last one - 1.3.4.

Re: Hack

Post by artmaster » Wed May 26, 2010 10:59 pm

Same. And no admin reply?!?
Strange...

Re: Hack

Post by witchie » Wed May 26, 2010 11:08 pm

artmaster wrote: Same. And no admin reply?!?
Strange...


As I see, the admin did not even change the "Current release" version on the home page. Maybe he has some life problems and we must be patient... He will appear soon, I hope.
Prudence is the mother of wisdom.

Re: Hack

Post by Redshirt » Fri May 28, 2010 12:47 pm

I'd like to see and help (as I want to use ckforms).

Is the FID (sql injection bug) still working?

Check your

components/com_ckforms/models/ckformsdata.php

i.e. around line 232

232 function getDetail()
233 {
234     $fid = JRequest::getVar('fid', '-1');
235     if (is_numeric($fid) == false)
236     {
237         return null;

<-- is $fid properly escaped via is_numeric or do you have other code there?
From what I can see, it should do the trick.

The other thing I am currently looking into - does anybody have working exploit code?
EDIT:

Problem is this part (was/in) components/com_ckforms/ckforms.php

14 // Require the base controller
15 require_once (JPATH_COMPONENT.DS.'controller.php');
16
17 // Require specific controller if requested
18 if($controller = JRequest::getCmd('controller')) {
19     require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
20 }
21


<--- check if you have this code, it should escape the ../../ tries perfectly.