WebEdition can be hacked!

Everything related to patches, fixing bugs and contributions in general.
ikbenivo

WebEdition can be hacked!

Beitragvon ikbenivo » Mi 27. Mai 2009, 11:28

One of my webEdition installations was hacked. After some googling ;) if found out about a bug that makes it possible to include pages and hack the system.
Check
http://www.securityfocus.com/bid/34323
and in detail:
http://exp.syue.com/exploits/8328

Or read this:
******* Salvatore "drosophila" Fresta *******

[+] Application: webEdition
[+] Version: <= 6.0.0.4
[+] Website: http://www.webedition.de

[+] Bugs: [A] Local File Inclusion

[+] Exploitation: Remote
[+] Date: 31 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Local File Inclusion

[-] Requisites: register_globals = on

This bug allows a guest to include local files.
This tecnique can be used to exec remote commands
on the vulnerable system using Apache logs.

...

include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_language/".$GLOBALS["WE_LANGUAGE"]."/start.inc.php");

...


*************************************************

[+] Code


- [A] Local File Inclusion

http://www.site.com/path/index.php?WE_L ... /passwd%00

# milw0rm.com [2009-03-31]
Is there a fix for this!??

we:willRockYou
Senior Member
Beiträge: 919
Registriert: Fr 22. Mai 2009, 21:40
Wohnort: Berlin
Kontaktdaten:

Re: WebEdition can be hacked!

Beitragvon we:willRockYou » Mi 27. Mai 2009, 13:06

Thanks ikbenivo for pointing this out. I checked some systems and I can confirm this bug. 3 of our projects are vulnerable for this injection.

Only system with webEdition 5 and 6 are affected. Versions prior WE5 seem to be safe.

Best fix: Turn register_globals off, since it's useless and dangerous anyway.
EOF; //totally retired

ikbenivo

Re: WebEdition can be hacked!

Beitragvon ikbenivo » Mi 27. Mai 2009, 14:24

register_globals are (where) off....

we:willRockYou
Senior Member
Beiträge: 919
Registriert: Fr 22. Mai 2009, 21:40
Wohnort: Berlin
Kontaktdaten:

Re: WebEdition can be hacked!

Beitragvon we:willRockYou » Mi 27. Mai 2009, 14:32

In that case this ain't no problem for you at all. If you really have been hacked with register_globals=Off there is something else you have to look for.

As well, this bug will let you inject local files only. So, to really hack your system, there has to be another issue to acces remote files or upload some code.
EOF; //totally retired

ikbenivo

Re: WebEdition can be hacked!

Beitragvon ikbenivo » Mi 27. Mai 2009, 15:20

In my case, the login page couldn't be loaded (parse error) and one of the pages made in webEdition was changed. (it contained an Iframe - I never use Iframes)

Alexander Lindenstruth

Re: WebEdition can be hacked!

Beitragvon Alexander Lindenstruth » Fr 3. Jul 2009, 16:32

Sorry for the (really long) delay ... I'm not longer working for Living-e but I (at least try to) stay an active member of the webEdition community. Didn't worked quite well for the last two months ... ;-)

this exploit only seems to work if ...

Code: Alles auswählen

register_globals = On
magic_quotes_gpc = Off
and especially the first one is not really according to the recommendations of the PHP team ...
But I'll look over it to fix this, obviously there are still enough servers online with register_globals turned on


Zurück zu „Patches, Bugs and Contributions“

Wer ist online?

Mitglieder in diesem Forum: 0 Mitglieder und 3 Gäste