phpBB 3.0.7 security vulnerability
Recently, phpBB 3.0.7 was released by phpbb.com. A new security vulnerability was then discovered in the phpBB 3.0.7 version which had not been noticed during testing. Following is the original announcement:
——————————————————————
We are sorry to announce the immediate release of phpBB 3.0.7-PL1 to address a security issue which was introduced in 3.0.7. Unfortunately the issue wasn’t noticed during testing and has only surfaced a week after the release of 3.0.7.
We promised working feeds for phpBB 3.0.7. Sadly, we were not able to deliver on that promise – a critical bug in the permission handling for feeds slipped past. To all people who have already updated to 3.0.7, it is of critical importance to update to 3.0.7-PL1. Otherwise, it is possible for users to bypass permission settings under the following circumstances:
- Feeds are enabled
- Any of the posts or topics feeds are enabled
- The unauthorised user – or one of the groups they are a member of – has forum permissions set on a private forum
- If you have excluded a forum from the list of forums that provide feeds, it is unaffected
The fix for the issue is a single-line change inside feed.php; line 525 has changed from:
$forum_ids = array_keys($auth->acl_getf('f_read'));
to:
$forum_ids = array_keys($auth->acl_getf('f_read', true));
There were no other changes, in particular neither style nor language changes.
——————————————————————
If you are using phpBB 3.0.7, it is strongly recommended to upgrade immediately to phpBB 3.0.7-PL1.
Links are added automatically in the index page of the website – adsttnmq1/sdioyslkjs2 attack
Recently I faced a problem with one of the websites, in which many links were being added automatically to the index page. The FTP password was reset many times but it didn’t fix the problem. There were not even any FTP access logs for this website.
After checking all the files and folders of this website, I found some suspicious files in one folder. There was a PHP script, along with other files, which was adding the spam links to the homepage. The script was simply called by the attacker, who was passing a text file as a query string.
This was not an attack on the website itself; it seems they were adding the links just to populate their keywords in the search engines. I was not sure from where these malicious files were uploaded, but after removing these files I have not faced the problem again.
Just for the information, the link code was started using
WordPress and mod_security2 issues
ModSecurity is an open source web application firewall. It helps to prevent attacks on websites such as SQL injection, command execution via the browser etc. However, it may break some applications installed on your website. With ModSecurity2, you cannot bypass any rule by ID from your .htaccess file.
If your hosting provider has enabled mod_security with Apache, you may face problems posting topics, uploading images, inserting images in posts etc. Since ModSecurity2 does not allow rules to be bypassed by ID via .htaccess, you will have to contact your hosting provider to bypass some rules for your website. ModSecurity provides a facility to bypass rules based on the location: you will need to create a global whitelist configuration file to bypass certain rules for certain locations.
Recently, I faced a problem uploading and inserting images in posts. After reading some websites, I found some global rules, and bypassing them in the global whitelist configuration file fixed my problem. The rules that I bypassed are as follows:
<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>
<LocationMatch "/wp-admin/admin-ajax.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>
<LocationMatch "/wp-admin/page.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>
<LocationMatch "/wp-admin/options.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>
<LocationMatch "/wp-admin/theme-editor.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>
<LocationMatch "/wp-includes/">
SecRuleRemoveById 960010 960012 950006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>
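The ID lists above are a blanket set copied from other sites; a tighter whitelist removes only the rules that actually denied your own requests. The following shell script is an added example, not part of the original post: it pulls the denied rule IDs per URI out of the Apache error log and emits a matching LocationMatch block for the global whitelist file. The log lines it parses are constructed, and the ModSecurity 2 error-log message format (the `[id "..."]` and `[uri "..."]` fields) is assumed.

```shell
#!/bin/sh
# Added example: derive a per-location ModSecurity 2 whitelist from the
# rule IDs that really fired, rather than guessing which IDs to remove.
# Feed the real log with: cat /var/log/apache2/error.log | whitelist_block /wp-admin/post.php

# Constructed sample of ModSecurity 2 denial lines from the Apache error log.
SAMPLE_LOG='[Tue Mar 02 10:01:02 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [id "950006"] [msg "System Command Injection"] [hostname "blog.example"] [uri "/wp-admin/post.php"] [unique_id "a1"]
[Tue Mar 02 10:01:05 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [id "960008"] [msg "Request Missing a Host Header"] [hostname "blog.example"] [uri "/wp-admin/post.php"] [unique_id "a2"]
[Tue Mar 02 10:02:00 2010] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:action. [id "950006"] [msg "System Command Injection"] [hostname "blog.example"] [uri "/wp-admin/admin-ajax.php"] [unique_id "a3"]
[Tue Mar 02 10:02:30 2010] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [id "950001"] [msg "SQL Injection Attack"] [hostname "blog.example"] [uri "/index.php"] [unique_id "a4"]'

# denied_ids_for_uri <uri>: read the error log on stdin and print the
# distinct rule IDs that denied requests to exactly that URI, sorted,
# space-separated on one line (empty if nothing was denied there).
denied_ids_for_uri() {
  grep 'ModSecurity: Access denied' \
    | grep -F "[uri \"$1\"]" \
    | sed -n 's/.*\[id "\([^"]*\)"\].*/\1/p' \
    | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# whitelist_block <uri>: read the error log on stdin and emit the
# LocationMatch block for the global whitelist file (SecRuleRemoveById is
# not honoured in .htaccess under ModSecurity 2). LocationMatch takes a
# regex, so the path is anchored to avoid widening the exclusion to
# other URIs. Prints nothing if no rule denied that URI.
whitelist_block() {
  ids=$(denied_ids_for_uri "$1")
  [ -n "$ids" ] || return 0
  printf '<LocationMatch "^%s$">\n' "$1"
  printf '  SecRuleRemoveById %s\n' "$ids"
  printf '</LocationMatch>\n'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | whitelist_block /wp-admin/post.php
printf '%s\n' "$SAMPLE_LOG" | whitelist_block /wp-admin/admin-ajax.php
```

Review the emitted IDs before installing the block: a rule that fired on legitimate editor traffic is a candidate for exclusion on that one path, while one that fired on a public page such as /index.php usually is not.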
Hope this will help others who are facing a similar problem with mod_security on their WordPress blog.
Kailash Aghera
Reported Attack Site by Google
You might have seen many web sites marked as “Reported Attack Site!” by Google, with the following message:
“This web site at XXXXX.com has been reported as an attack site and has been blocked based on your security preferences.
Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.
Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.”
Nowadays, such attacks on web sites are common. There are a few reasons for which Google marks a web site as harmful. Some of them are as follows:
[1] Your web site pages are infected with malicious IFrame or JavaScript code. Generally, such IFrame and JavaScript code links your web site to another malware site.
[2] Your site is hosting a phishing page.
There are many reasons for JavaScript and IFrame code injection into your web site:
[1] You have installed an updated version of third-party scripts, templates, themes etc.
[2] The third-party scripts which you are using on your web site are not secure.
[3] Your FTP password is compromised.
[4] The system from which you manage your web site is infected by malware, a Trojan, spyware, a virus etc.
[5] Insecure folder permissions are set on your web site.
To remove the “Reported Attack Site!” tag from your web site at the earliest, you can use Google Webmaster Tools to analyze your web site. Using these tools, you can easily find the infected pages of your web site and then resubmit the request to Google.
Hope this will help you!
Security vulnerabilities found in HyperVM and LXadmin/Kloxo
Recently, multiple security vulnerabilities were discovered in HyperVM and LXadmin/Kloxo, and the vendor instructed users to upgrade their HyperVM/Kloxo systems to the latest version as soon as possible. If you have still not upgraded your HyperVM/Kloxo systems, then it’s time to upgrade. They have not yet posted the vulnerabilities, but according to them they will post them within the next few days.
To upgrade hyperVM or Kloxo master, Run:
/script/upcp
If you do not upgrade your system, there is a chance that someone can compromise your server and take full control of it.