webEdition - Forum

Das Forum für die webEdition-Community
https://forum.webedition.org/

WebEdition can be hacked!

https://forum.webedition.org/viewtopic.php?t=13451

Seite 1 von 1

WebEdition can be hacked!

Verfasst: Mi 27. Mai 2009, 11:28
von ikbenivo
One of my webEdition installations was hacked. After some googling ;) if found out about a bug that makes it possible to include pages and hack the system.
Check
http://www.securityfocus.com/bid/34323
and in detail:
http://exp.syue.com/exploits/8328

Or read this:
******* Salvatore "drosophila" Fresta *******

[+] Application: webEdition
[+] Version: <= 6.0.0.4
[+] Website: http://www.webedition.de

[+] Bugs: [A] Local File Inclusion

[+] Exploitation: Remote
[+] Date: 31 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Local File Inclusion

[-] Requisites: register_globals = on

This bug allows a guest to include local files.
This tecnique can be used to exec remote commands
on the vulnerable system using Apache logs.

...

include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_language/".$GLOBALS["WE_LANGUAGE"]."/start.inc.php");

...


*************************************************

[+] Code


- [A] Local File Inclusion

http://www.site.com/path/index.php?WE_L ... /passwd%00

# milw0rm.com [2009-03-31]
Is there a fix for this!??

Re: WebEdition can be hacked!

Verfasst: Mi 27. Mai 2009, 13:06
von we:willRockYou
Thanks ikbenivo for pointing this out. I checked some systems and I can confirm this bug. 3 of our projects are vulnerable for this injection.

Only system with webEdition 5 and 6 are affected. Versions prior WE5 seem to be safe.

Best fix: Turn register_globals off, since it's useless and dangerous anyway.

Re: WebEdition can be hacked!

Verfasst: Mi 27. Mai 2009, 14:24
von ikbenivo
register_globals are (where) off....

Re: WebEdition can be hacked!

Verfasst: Mi 27. Mai 2009, 14:32
von we:willRockYou
In that case this ain't no problem for you at all. If you really have been hacked with register_globals=Off there is something else you have to look for.

As well, this bug will let you inject local files only. So, to really hack your system, there has to be another issue to acces remote files or upload some code.

Re: WebEdition can be hacked!

Verfasst: Mi 27. Mai 2009, 15:20
von ikbenivo
In my case, the login page couldn't be loaded (parse error) and one of the pages made in webEdition was changed. (it contained an Iframe - I never use Iframes)

Re: WebEdition can be hacked!

Verfasst: Fr 3. Jul 2009, 16:32
von Alexander Lindenstruth
Sorry for the (really long) delay ... I'm not longer working for Living-e but I (at least try to) stay an active member of the webEdition community. Didn't worked quite well for the last two months ... ;-)

this exploit only seems to work if ...

Code: Alles auswählen

register_globals = On
magic_quotes_gpc = Off
and especially the first one is not really according to the recommendations of the PHP team ...
But I'll look over it to fix this, obviously there are still enough servers online with register_globals turned on
Alle Zeiten sind UTC+02:00
Seite 1 von 1

Powered by phpBB® Forum Software © phpBB Limited

Deutsche Übersetzung durch phpBB.de