IntegraMOD

Author: **Michaelo** » Sat Aug 26, 2006 3:50 am

To avoid confusion this post has been moved to the Security Forum see link below.

[url=http]Moved to Security Forum[/url]

Author: **ayasha** » Sat Aug 26, 2006 4:52 am

thanks Mike <img>

Author: **Unregistered** » Sat Aug 26, 2006 5:02 am

i believe this fix is for those who ppl who used premoded files..

i have the following code in my functions_portal.php

Code: Select all: if ( !defined('IN_PHPBB') ){ die('Hacking attempt'); exit;}include_once($phpbb_root_path . 'includes/lite.'.$phpEx);

do i stil need to add the fix code?

Author: **ihammo** » Sat Aug 26, 2006 5:40 am

Hi

a few of the other function_xxxxx.php files do not have the 'die hack' code in either. Should they have?

also, was a fix ever announced for the STYLE_URL [url=http]exploit[/url]?

Thanks

Author: **Michaelo** » Sat Aug 26, 2006 7:03 am

Unregistered, I guess everyone should check as it depends on when ppl downloaded their copy as we say in Ireland... to be sure to be sure

As for the STYLE_URL disable the Style Select block in admin until we have investigated this issue.

Mike

Author: **Unregistered** » Sat Aug 26, 2006 7:14 am

hi Michaelo,
what i meant was, wudnt it make it as like a duplication code?

Author: **Michaelo** » Sat Aug 26, 2006 7:23 am

Unregistered, sorry about that <img> your copy of the file is fine no need for edits.
Mike

Author: **Unregistered** » Sat Aug 26, 2006 7:28 am

thanks.. and am glad finally Integramod took the STYLE_URL vulnerability to attention <img>

Author: **Unregistered** » Sat Aug 26, 2006 7:44 am

As we are gettin more attacks, i think its wise to do a mass email and notify about the security patch who aint yet hacked/attacked..

Author: **VillageIdiot** » Sat Aug 26, 2006 8:02 am

As a n00b, I need to ask. Does it matter where in the file I put this fix? First, last, throw a dart? <img>

Author: **ihammo** » Sat Aug 26, 2006 8:49 am

hey Michaelo

thankfully i have already disabled the style select on my site as I dont want people to be able to use it anyway.

I will go through all teh functions and add the die hack code

Cheers

<img>

Author: **evolver** » Sat Aug 26, 2006 8:58 am

"ihammo";p="14125" wrote:thankfully i have already disabled the style select on my site as I dont want people to be able to use it anyway.

I don't think disabling the style select has anything to do with it...
It's in the URL that hackers are able to add code to break in...

Author: **Michaelo** » Sat Aug 26, 2006 9:30 am

True for you evolve <img> hiding it is not the answer I stand corrected... Once it is disabled we will have to comment out the offending code in functions.php and rename the block file...
[align=center:3mza83rm]Code in this post has been update... See first post in this thred[/align]
Part 1:
Edit this file: functions.php
Find the following codeÃƒÆ’Ã‚ ¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

Code: Select all: if ( isset($HTTP_POST_VARS[STYLE_URL]) || isset($HTTP_GET_VARS[STYLE_URL]) ) { $style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] ] ); if ( $theme = setup_style($style) ) { setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']); return; } } if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) ) { $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']; if ( $theme = setup_style($style) ) { return; } }

Replace withÃƒÆ’Ã‚ ¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

Code: Select all: /* if ( isset($HTTP_POST_VARS[STYLE_URL]) || isset($HTTP_GET_VARS[STYLE_URL]) ) { $style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] ] ); if ( $theme = setup_style($style) ) { setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']); return; } } if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) ) { $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']; if ( $theme = setup_style($style) ) { return; } }*/

Then (for the moment) rename block_imp_style_select.php to something like block_imp_style_select.xxx

Author: **Solomon** » Sat Aug 26, 2006 10:40 am

I added the code fix for functions_portal.php last night and was hacked again today. I will try the "Edit this file: functions.php" suggestion next.

Author: **Michaelo** » Sat Aug 26, 2006 11:10 am

You could also try this... Find any occurrence of

[align=center:2qmeehks]Code in this post has been update... See first post in this thred[/align]

Code: Select all: if(isset($HTTP_POST_VARS['STYLE_URL']) || isset($HTTP_GET_VARS['STYLE_URL'])) replace with if(isset($HTTP_POST_VARS['STYLE_URL']) || (int) isset($HTTP_GET_VARS['STYLE_URL'])) And $style = urldecode((isset($HTTP_POST_VARS['STYLE_URL'])) ? $HTTP_POST_VARS['STYLE_URL'] ]); with (int) $style = urldecode((isset($HTTP_POST_VARS['STYLE_URL'])) ? $HTTP_POST_VARS['STYLE_URL'] : (int) $HTTP_GET_VARS['STYLE_URL']);

And have you any more details of the hack...?

We have not determined where the hacker is gaining access... <img>
The only vulnerabilities we can identify include Style Select block code (STYLE_URL) and possibly two other relating to some versions of php

Mike

IntegraMOD

IntegraMod Security fix

IntegraMod Security fix

Re: IntegraMod (version 1) Hack fix

Re: IntegraMod (version 1) Hack fix

Re: IntegraMod (version 1) Hack fix

Re: IntegraMod (version 1) Hack fix

Re: IntegraMod (version 1) Hack fix

Re: IntegraMod (version 1) Hack fix

Who is online