phpBB 3.0.7 security vulnerability
Recently, phpBB 3.0.7 was released by phpbb.com. A new security vulnerability was then discovered in the 3.0.7 release which had not been noticed during testing. Following is the original announcement:
——————————————————————
We are sorry to announce the immediate release of phpBB 3.0.7-PL1 to address a security issue which was introduced in 3.0.7. Unfortunately, the issue wasn't noticed during testing and has only surfaced a week after the release of 3.0.7.
We promised working feeds for phpBB 3.0.7. Sadly, we were not able to deliver on that promise – a critical bug in the permission handling for feeds slipped past. To all people who have already updated to 3.0.7, it is of critical importance to update to 3.0.7-PL1. Otherwise, it is possible for users to bypass permission settings under the following circumstances:
- Feeds are enabled
- Any of the posts or topics feeds are enabled
- The unauthorised user – or one of the groups they are a member of – has forum permissions set on a private forum
- If you have excluded a forum from the list of forums that provide feeds, it is unaffected
The fix for the issue is a single line change inside of feed.php, line 525 has changed from:
$forum_ids = array_keys($auth->acl_getf('f_read'));
to:
$forum_ids = array_keys($auth->acl_getf('f_read', true));
There were no other changes, in particular neither style nor language changes.
——————————————————————
If you are using phpBB 3.0.7, it is strongly recommended to upgrade immediately to phpBB 3.0.7-PL1.
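To make the one-line change concrete, here is an added example (not phpBB's own code): a minimal model of how $auth->acl_getf() behaves in phpBB 3.0. Without its second ($clean) argument it returns every forum on which the option is set, whether to "yes" or to "never"; with $clean = true it returns only the forums on which the option is actually granted. The ACL table, the forum ids and the feed_leaks_private_forum() helper are constructed for this example.

```php
<?php
// Added example, not phpBB's code: a simplified model of phpBB 3.0's
// $auth->acl_getf($opt, $clean) to show why feed.php line 525 needed the
// second argument.  Sample ACL data below is constructed.

// Constructed per-user ACL: forum_id => array(option => value).  An entry exists
// for every forum on which the user (or one of their groups) has the option
// *set*, whether it is set to 1 ("yes") or 0 ("never").
$acl = array(
    1 => array('f_read' => 1),   // public forum, reading allowed
    2 => array('f_read' => 1),   // another public forum
    3 => array('f_read' => 0),   // private forum: f_read explicitly set to "never"
    // forum 4: no entry at all for this user
);

/**
 * Simplified acl_getf(): returns forum_id => array(option => value).
 * With $clean = false every forum that has the option set is returned, including
 * those where it is set to 0 (denied).  With $clean = true only forums on which
 * the option is granted are returned.
 */
function acl_getf(array $acl, $opt, $clean = false)
{
    $result = array();
    foreach ($acl as $forum_id => $options)
    {
        if (!isset($options[$opt]))
        {
            continue;
        }
        $allowed = (bool) $options[$opt];
        if (!$clean)
        {
            // "has a setting" is not the same as "is allowed"
            $result[$forum_id][$opt] = $allowed;
        }
        else if ($allowed)
        {
            $result[$forum_id][$opt] = 1;
        }
    }
    return $result;
}

// 3.0.7 (vulnerable): the presence of an ACL entry is mistaken for permission,
// so the private forum 3 ends up in the list of forums the feed reads from.
$forum_ids_vulnerable = array_keys(acl_getf($acl, 'f_read'));

// 3.0.7-PL1 (fixed): only forums on which f_read is granted.
$forum_ids_fixed = array_keys(acl_getf($acl, 'f_read', true));

echo "3.0.7     feed forums: " . implode(', ', $forum_ids_vulnerable) . "\n";
echo "3.0.7-PL1 feed forums: " . implode(', ', $forum_ids_fixed) . "\n";

/**
 * Constructed defensive check: every forum a feed will read from must be one the
 * user is actually allowed to read.  Returns the first leaking forum id, or false.
 */
function feed_leaks_private_forum(array $acl, array $forum_ids)
{
    foreach ($forum_ids as $forum_id)
    {
        if (empty($acl[$forum_id]['f_read']))
        {
            return $forum_id;
        }
    }
    return false;
}

var_dump(feed_leaks_private_forum($acl, $forum_ids_vulnerable));
var_dump(feed_leaks_private_forum($acl, $forum_ids_fixed));
```

Run it with the PHP CLI (php acl_example.php): the first list contains forum 3 and the check reports it, the second list does not. The point is the one the announcement's bullet makes: a user whose permissions are merely *set* on a private forum (even set to "never") was treated as a reader of it.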
Links are added automatically in the index page of the website – adsttnmq1/sdioyslkjs2 attack
Recently I faced a problem with one of the websites where many links were being added automatically to the index page. The FTP password was reset many times but that didn't fix the problem, and there were no FTP access logs for this website at all.
After checking all the files and folders of this website, I found some suspicious files in one folder. Among them was a PHP script which was adding the spam links to the homepage. The attacker simply called the script and passed a text file as a query string.
This was not an attack on the website itself; it seems they were adding the links just to push their keywords in the search engines. I was not sure from where these malicious files were uploaded, but after removing them I have not faced the problem again.
Just for the information, the link code was started using
WordPress and mod_security2 issues
ModSecurity is an open source web application firewall. It helps prevent attacks on websites such as SQL injection and command execution via the browser. However, it may break some applications installed on your website. With ModSecurity2, you cannot bypass any rule by ID from your .htaccess file. If your WordPress hosting provider has enabled mod_security with Apache, you may face problems posting topics, uploading images, inserting images into posts etc. Since ModSecurity2 does not allow bypassing rules by ID via .htaccess, you will have to contact your web hosting provider to bypass some rules for your website. ModSecurity provides a facility to bypass rules based on location; this requires a global whitelist configuration file that removes certain rules for certain locations.
Recently, I faced problems uploading and inserting images into posts. After reading some websites, I found some rules which I bypassed for specific locations using a global whitelist configuration file, and this fixed my problem. The rules that I bypassed are as follows (each SecRuleRemoveById applies only inside its enclosing LocationMatch, so the rules stay active for every other path):
<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/page.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/options.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/theme-editor.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-includes/">
SecRuleRemoveById 960010 960012 950006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>
Hope this will help others who are facing a similar problem in their WordPress blog with mod_security.
Kailash Aghera
Reported Attack Site by Google
You might have seen many web sites marked as “Reported Attack Site!” by Google with the following message: “This web site at XXXXX.com has been reported as an attack site and has been blocked based on your security preferences. Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system. Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.”
Nowadays, such attacks on web sites are common. There are a few reasons for which Google marks a web site as a harmful site. Some of them are as follows:
[1] Your web site pages are infected with malicious IFrame or JavaScript code. Generally, such IFrame and JavaScript code links your web site to another malware site.
[2] Your site is hosting a phishing page.
There are many reasons for JavaScript and IFrame code injection into your web site:
[1] Third-party scripts, templates, themes etc. installed on your site are not kept up to date.
[2] The third-party scripts which you are using on your web site are not secure.
[3] Your FTP password is compromised. You can ask your web hosting provider to check the FTP logs for your account.
[4] The system from which you are managing your web site is infected by malware, a trojan, spyware, a virus etc.
[5] Insecure folder permissions are set on your web site.
To remove the “Reported Attack Site!” tag from your web site at the earliest, you can use Google Webmaster Tools to analyze your web site. Using this tool, you can easily find the infected pages of your web site, clean them, and then resubmit a review request to Google. Hope this will help you!
Security vulnerabilities found in HyperVM and LXadmin/Kloxo
Recently, multiple security vulnerabilities were discovered in HyperVM and Lxadmin/Kloxo, and its developers have instructed users to upgrade their HyperVM/Kloxo systems to the latest version as soon as possible. If you have still not upgraded your HyperVM/Kloxo systems, then it's time to upgrade.
They have not yet posted the vulnerabilities, but according to them they will post them within the next few days. To upgrade the HyperVM or Kloxo master, run: /script/upcp
If you do not upgrade your system, there is a chance that someone can compromise your server and take full control of it.
“This site may harm your computer” on every Google search result ??
Recently, you might have noticed that every Google search result was showing the message “This site may harm your computer”. This happened on Jan 31, 2009 between 6:30 a.m. PST and 7:25 a.m. PST. It was clearly an error; according to Google, it was a human error. Google flags search results with the message “This site may harm your computer” if the site has some malicious code on its pages. This protects us from visiting web sites which can harm our computers. Google and StopBadware.org work together to maintain the list of such web sites, and this list is updated periodically. As per Google, the error occurred for the following reason:
“the URL of ‘/’ was mistakenly checked in as a value to the file and ‘/’ expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes.”
So it was indeed an error on their side, but they worked hard to fix it as soon as possible. Thanks to the Google team for fixing this in such a short time. For more details on this incident, kindly read this article.
Pentagon computers infected by agent.btz Virus / Worm
Recently, some US Defense Department computer networks at the Pentagon were infected with a virus/worm. Fox News reported that the virus has continued to spread rapidly through military networks for nearly a week now. Wired.com reports that the virus is a worm named Agent.btz that travels through removable storage devices such as flash drives and cards, DVDs, CDs and floppy discs. Agent.btz is derived from the “SillyFDC” worm and its progeny, which date back to the early 1990s. DOD regulation of employee use of removable storage devices is also unconfirmed, but existing internal emails have substantiated these rumors.
Source: atelier-us.com
Kevin
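The spam-link post and the “Reported Attack Site” post above both come down to the same task: finding files on a web site that should not be there or that have been changed. As an added example (not code from either post), here is a small read-only scanner a site owner can run over a web root. It reports files modified after a known-good date, PHP files dropped into directories that should only hold static content, and pages carrying hidden spam-link blocks, hidden iframes or obfuscated JavaScript. The web root, the cut-off time, the directory names and the indicator patterns are assumptions to adjust per site; the patterns are common indicators, not a complete list, and the sample files the demo writes are constructed.

```php
<?php
// Added example, not code from the original posts: a read-only scanner for the
// kind of files the posts describe.  Web root, cut-off time, static-only
// directory names and indicator patterns are assumptions to adjust per site.

// Files changed after this time are reported (assumed: time of the last known-good deploy).
$changed_since = strtotime('2010-01-01 00:00:00');

// Directories that should never contain PHP files (assumed names).
$static_only_dirs = array('uploads', 'images', 'cache', 'tmp');

// Content indicators with a short label each (constructed list of common patterns).
$indicators = array(
    'hidden iframe'             => '/<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b)/i',
    'eval of decoded payload'   => '/eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    'request data used as file' => '/(file_get_contents|include|require)\s*\(?\s*\$_(GET|POST|REQUEST)\b/i',
    'hidden link block'         => '/<div[^>]*display\s*:\s*none[^>]*>\s*<a\s/i',
);

/**
 * Walk $root and return findings as a list of array(relative path, reason).
 * Nothing is modified: the scanner only reads metadata and file contents.
 */
function scan_webroot($root, $changed_since, array $static_only_dirs, array $indicators)
{
    $findings  = array();
    $dir_regex = '#/(' . implode('|', array_map('preg_quote', $static_only_dirs)) . ')/#';
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file)
    {
        $path = $file->getPathname();
        $rel  = substr($path, strlen($root));   // path relative to the web root
        $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));

        // 1. Anything changed after the last known-good deploy deserves a look.
        if ($file->getMTime() > $changed_since)
        {
            $findings[] = array($rel, 'modified after cut-off (' . date('Y-m-d H:i', $file->getMTime()) . ')');
        }

        // 2. A PHP file inside a directory that should only hold static content.
        if ($ext === 'php' && preg_match($dir_regex, $rel))
        {
            $findings[] = array($rel, 'PHP file in a static-content directory');
        }

        // 3. Injection indicators inside PHP/HTML/JS files.
        if (in_array($ext, array('php', 'html', 'htm', 'js'), true))
        {
            $content = file_get_contents($path);
            foreach ($indicators as $label => $regex)
            {
                if (preg_match($regex, $content))
                {
                    $findings[] = array($rel, $label);
                }
            }
        }
    }
    return $findings;
}

// --- Demo on a constructed temporary web root (sample files, not real malware) ---
$root = sys_get_temp_dir() . '/webroot_demo_' . getmypid();
mkdir($root . '/images', 0700, true);
$samples = array(
    // homepage with an injected, hidden block of spam links
    '/index.php'    => "<?php echo 'Welcome'; ?>\n<div style=\"display:none\"><a href=\"http://spam.example/\">cheap</a></div>\n",
    // a dropped script in the images folder; the indicator sits in a comment, so it runs nothing
    '/images/x.php' => "<?php // constructed indicator: eval(base64_decode(\$q)) ?>\n",
    // an untouched page, dated before the cut-off
    '/about.html'   => "<html><body>Plain page</body></html>\n",
);
foreach ($samples as $rel => $content)
{
    file_put_contents($root . $rel, $content);
}
touch($root . '/about.html', strtotime('2009-06-01 12:00:00'));

foreach (scan_webroot($root, $changed_since, $static_only_dirs, $indicators) as $finding)
{
    list($rel, $reason) = $finding;
    echo $rel . "\t" . $reason . "\n";
}

// remove the demo tree again
foreach (array_keys($samples) as $rel)
{
    unlink($root . $rel);
}
rmdir($root . '/images');
rmdir($root);
```

Run it with the PHP CLI; on a real site, point $root at the web root and set $changed_since to the last deploy you trust. The modification-time check is what surfaces a dropped script even when FTP logs show nothing, as in the spam-link post, while the content patterns cover the hidden IFrame and JavaScript injections the “Reported Attack Site” post lists. Treat every finding as something to inspect by hand, not as proof of compromise: legitimate plugins and themes can match some of these patterns.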