Recently, phpBB 3.0.7 was released by phpbb.com. They discovered a new security vulnerability in phpBB 3.0.7 version which was not noticed during testing. Following is the original announcement:

——————————————————————
We are sorry to announce the immediate release of phpBB 3.0.7-PL1 to address a security issue which was introduced in 3.0.7, unfortunately the issue wasn’t noticed during testing and has only surfaced a week
after the release of 3.0.7.

We promised working feeds for phpBB 3.0.7. Sadly, we were not able to deliver on that promise – a critical bug in the permission handling for feeds slipped past. To all people who already have updated to 3.0.7, it
is of critical importance to update to 3.0.7-PL1. Otherwise, it is possible for users to bypass permission settings under the following circumstances:

- Feeds are enabled
- Any of the posts or topics feeds are enabled
- The unauthorised user – or one of the groups they are a member of – has forum permissions set on a private forum
- If you have excluded a forum from the list of forums that provide feeds, it is unaffected

The fix for the issue is a single line change inside of feed.php, line 525 has changed from:

$forum_ids = array_keys($auth->acl_getf('f_read'));

to:

$forum_ids = array_keys($auth->acl_getf('f_read', true));

There were no other changes, in particular neither style nor language changes.

——————————————————————
If you are using phpBB 3.0.7 it is strongly recommend to upgrade it immediately to to phpBB 3.0.7-PL1 version.

Affordable PHPbb Hosting

No related posts.

Recently I faced problem with one of the websites in which there were many links added automatically in the index page. The FTP password was reset many times but it didn’t fix the problem. Even there was no logs for FTP access for this website.

After checking all the files/folders of this website, I found some suspicious files in one folder. There was a PHP script along with other files which was adding the spam links in the homepage. The script was simply called by attacker and they were passing some text file as a query string.

This is not an attack on the website but it seems they were adding the links just to populate their keywords in the search engine. I was not sure from where these malicious files were uploaded but after removing these files, I have not faced the problem again.

Just for the information, the link code was started using tag.

Related posts:

1. Getting Website traffic
2. Increase link popularity in Google
3. Reported Attack Site by Google

ModSecurity is an open source web application firewall. This helps to prevent attacks on websites, SQL injection, command execution via browser etc. However, this may break some application installed in your website. With ModSecurity2, you can not bypass any rule by ID from your .htaccess file.

If your web hosting provider has enabled mod_security with Apache, you may face some problem to post topic, upload images, insert images in the post etc. Since ModSecurity2 does not allow to bypass rules by ID via .htaccess, you will have to contact your web hosting provider to bypass some rules for your website. ModSecurity provides facility to bypass rules based on the location. You will require to create global whitelist configuration file to bypass certain rules based on the location.

Recently, I faced problem to upload and insert images in the post. After reading some websites, I found some global rules which I bypassed some ModSecurity rules using global whitelist configuration file which fixed my problem. The rules that I bypassed are as follow (I have put space before LocationMatch and /LocationMatch. Remove that space in your configuration file):


< LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
< /LocationMatch>

< LocationMatch “/wp-admin/admin-ajax.php”>
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
< /LocationMatch>

< LocationMatch “/wp-admin/page.php”>
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
< /LocationMatch>

< LocationMatch “/wp-admin/options.php”>
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
< /LocationMatch>

< LocationMatch “/wp-admin/theme-editor.php”>
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
< /LocationMatch>

< LocationMatch “/wp-includes/”>
SecRuleRemoveById 960010 960012 950006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
< /LocationMatch>

Hope this will help others who are facing the similar problem in their Wordpress blog with mod_security.

Kailash Aghera

No related posts.

You might have seen many web sites marked as “Reported Attack Site!” by Google with following message:

“This web site at XXXXX.com has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.”

Now a day, such type of attacks on the web sites are common. There are few reasons in which Google marks the web site as harmful site. Some of them are as follow:

[1] If your web site pages are infected with malicious IFrame or JavaScript code. Generally, such Iframe and JavaScript codes link your web site to another maleware site.

[2] Your site is hosting phishing page.

There are many reasons for JavaScript and Iframe code injection in your web sites.

[1] If you have installed updated version of third party scripts, template, theme etc.

[2] The third party scripts which you are using in your web site are not secure.

[3] Your FTP password is compromised. You can ask your web hosting provider to check FTP logs for your account.

[4] The system from which you are managing your web site is infected by Maleware, Trojan, Spyware, Virus etc.

[5] Insecure folder permissions set in your web site.

To remove “Reported Attack Site!” tag from your web site at the earliest, you can use Google Webmaster Tools to analyze your web site. Using this tools, you can easily find the infected pages of your web site and then you can resubmit the request to Google.

Hope this will help you!

Related posts:

1. IFrame Hacking – JavaScript Hacking
2. “This site may harm your computer” on every Google search result ??
3. Links are added automatically in the index page of the website – adsttnmq1/sdioyslkjs2 attack

Recently, there were multiple security hyperVM discovered in hyperVM and Lxadmin/Kloxo and they had instructed to upgrade hyperVM/Kloxo systems to the latest version as soon as possible. If you have still not upgraded your HyperVM/Kloxo systems then it’s time to upgrade the system. They have not yet posted the vulnerabilities but according to them they will post within next few days.

To upgrade hyperVM or Kloxo master, Run:

/script/upcp

If you do not upgrade your system then there is a chance that someone can compromise your server and take full control on your server.

Related posts:

1. Alternative for HyperVM and Kloxo/Lxadmin
2. HyperVM comprehensive Virtualization software and VPS solution

Recently, you might have noticed that every Google search results were showing the message “This site may harm your computer”. This was happened on Jan 31, 2009 between 6:30 a.m. PST and 7:25 a.m. PST. This was clearly an error.

According to Google, it was a human error. Google flags search results with the message “This site may harm your computer” if the site has some malicious code on the page. This protects us from visiting such web sites which can harm our computer. Google and StopBadware.org work with together to maintain the list of such web sites and this list is periodically update.

As per Google the error was occurred because of the following reason:
“the URL of ‘/’ was mistakenly checked in as a value to the file and ‘/’ expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes.”

In fact it was an error from their and but they worked hard to fix it as soon as possible. Thanks to Google team to fix this in short time.

For more details on this incident, kindly read this article.

Related posts:

1. Reported Attack Site by Google
2. Increase link popularity in Google
3. Microsoft may buy Yahoo search business

Recently Some Defense Department computer networks have been infected with a virus / worm in Pentagon US.

Fox news reported that the virus has continued to spread rapidly through military networks for nearly a week now. Wired.com reports that the virus is a worm named Agent.btz that travels through removable storage devices such as flash drives and cards, DVDs, CDs and floppy discs. Agent.btz is derived from the “SillyFDC” worm and its progeny, which date back to the early 1990s. DOD regulation of employee use of removable storage devices is also unconfirmed, but existing internal emails have substantiated these rumors.

Source: atelier-us.com

Kevin

No related posts.

Now a days, it is not an easy job to develop and secure web site. Each and every day, you will find a new way to attack on the web site, servers or even entire network. Today I will discuss about two types of web site hacking which are most common.

[1] IFrame Hacking
[2] JavaScript Hacking

In both, the hackers add suspicious IFrame or JavaScript code in your web site page. Such code generally links to the malware or badware site.

There are many reasons for such type of hacking.

- Your control panel or FTP password is compromised. If you system is infected with Virus/Trojan/Spyware then there a chance that hacker gets some confidential information from your system and may damage your system. It is a best practice to have Anti Virus installed on the system and also it should be upgraded to its latest version. To fix this security hole, you
can simply reset your password to hard one. Also never set dictionary words as your password.

- The server where your site is compromised.

- XSS (Cross Site Scripting) vulnerability in your site. If your site has XSS vulnerability then there is a high risk for such type of hacking.

- SQL injection. If your site is not designed to prevent SQL injection then hacker can easily get the access your database and insert suspicious code.

There are many other reasons then as mentioned above. You should test your web in all aspects before putting it on live.

Kevin

Related posts:

1. Reported Attack Site by Google
2. Pentagon computers infected by agent.btz Virus / Worm
3. Links are added automatically in the index page of the website – adsttnmq1/sdioyslkjs2 attack