  • Hmmmm... first they provide a service with clearly questionable security settings, then they don’t understand how web servers work and what HTTP header responses mean. Of course the page returns something (200) because it’s outputting an internal error notice. You can probably surmise what my recommendation is...
      Ryan Thrash, MODX Co-Founder
      Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
      • 21953
      • 34 Posts
      I wouldn’t be too quick to condemn them simply because register_globals is on by default. As they point out, too many applications break when it is set to off. Also, as they rightly point out, it is possible to create scripts that are secure with register_globals set to on, just as it is possible to create insecure scripts even when register_globals is set to off. They have provided me with a local php.ini file and there are no limits placed on what we can do with .htaccess. This is a lot more than many hosts will allow.

      However, they have shown me "evidence" of the site being exploited 3 days after I installed 0.9.2.2:
      Webserver’s crontab:
      <path.to.users.base.directory>/assets/images/lazo/y2kupdate >/dev/null 2>&1

      Yep, there in the /assets/images/ directory I found 2 directories that shouldn’t have been there. One named "lazo" and the other named ".zbot". In my haste to restore the site as quickly as possible I did not delete the images directory as it contains a lot of files and directories, and with my current ISP, ftp is flaky at the best of times. The images and templates directories were the only things I retained after the hack and it was stupid of me not to check them more carefully.

      They are still labouring under the impression that base_path is the cause of the problem. I have asked them to show me evidence that base_path is used in any script. We’ll see what they can find.
        • 22815
        • 1,097 Posts
        So, before you installed 0.9.2.2 someone exploited your site.
        Then you uploaded 0.9.2.2 but didn’t clear out the folder to which exploits were uploaded.
        Then someone uploaded some files, using the exploit that was still there.
        Then your ISP blocked the fixed file.

        To me, the question is whether the dodgy script has been deleted or not. If something could still make changes 3 days after you uploaded .2.2, and is not dependent on the file that they’ve blocked, then it may still be there.
          No, I don't know what OpenGeek's saying half the time either.
          MODx Documentation: The Wiki | My Wiki contributions | Main MODx Documentation
          Forum: Where to post threads about add-ons | Forum Rules
          Like MODx? donate (and/or share your resources)
          Like me? See my Amazon wishlist
          MODx "Most Promising CMS" - so appropriate!
          • 8363
          • 28 Posts
          Quote from: PaulGregory at Nov 20, 2006, 07:08 PM

          . . . then it may still be there.

          That’s precisely what I was thinking. After my exploit (globals ON, SQL injection) I locked the site down with directory permissions and trashed the DB (since I was only testing ModX) and then went poking around and found random files that had been uploaded in unsuspecting places: /images, etc.
            • 21953
            • 34 Posts
            They were still there. One of the dodgy scripts turns out to be psyBNC, the other, I’m not sure. They are both now gone.

            However, we are still seeing a constant barrage of attempts to exploit Thumbnail.php. It looks like my host saw one successful exploit, saw the constant stream of hacking attempts at Thumbnail.php, and jumped to the wrong conclusion: that the two were linked.

            So we are still at an impasse. Although I’m learning heaps, and fast.

              • 21953
              • 34 Posts
              The scripts were in a hidden directory in /assets/images/. I’ve now removed write permission from /assets/images/ as all images are kept in subdirectories under that. Is there any directory (apart from the cache) that can’t be locked down for normal day-to-day running of the site?
                • 23916
                • 20 Posts
                I must be dumb because I am totally confused on this matter.
                At the top of thumbnail.php I have to place:

                // Refuse to run unless the manager session has been validated,
                // so the file cannot be hit directly from the web.
                if (!isset($_SESSION['mgrValidated'])) {
                    die("<b>INCLUDE_ORDERING_ERROR</b>

                Please use the MODx Content Manager instead of accessing this file directly.");
                }

                I gather this can go anywhere in the file after the <?php

                Why is it crossed out?

                Is this no longer required?

                My site has Register_Globals on - there’s nothing I can do about that!

                I only downloaded ModX 2 days ago - so is it fixed in the current download, or does it still need to be done?
                • Quote from: ProgramIT at Nov 28, 2006, 04:16 AM

                  Why is it crossed out?

                  Is this no longer required?

                  My site has Register_Globals on - there’s nothing I can do about that!

                  I only downloaded ModX 2 days ago - so is it fixed in the current download, or does it still need to be done?
                  If you downloaded MODx 0.9.2.2 then you have the appropriate security patches applied already. The vulnerability only affected sites with version 0.9.2.1 or before. Sorry for any confusion, but the temporary fix that is crossed out was superseded by the 0.9.2.2 security release and patch.
                    • 23916
                    • 20 Posts
                    Thanks for the quick reply. I hoped it was okay, but with so many people having attacks I was concerned.
                    One of the problems I had previously was an attack through the Joomla CMS that messed things up for awhile so I’m a little concerned, especially with a new CMS. (Still setting things up!)
                    Again many thanks for the confirmation.
                    PS Great System, I’m learning by the minute!
                      • 7455
                      • 2,204 Posts
                      Also make sure to check hidden folders (ls -al); those are often used by hackers,
                      like the .thumbs folder that was used earlier by the resource browser.
                        follow me on twitter: @dimmy01
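The two posts above (locking down write permission on /assets/images/ and checking hidden folders with ls -al) boil down to a short audit that can be run against any document root. The script below is an added example, not code from the thread or from MODx; the sample tree, the "lazo"/".zbot" directory names, the crontab text and the /var/www/example path are constructed for the demo, and it assumes the one directory you keep writable (the cache) is group-owned by the web server's group.

```sh
#!/bin/sh
# Added example, not code from the original thread or from MODx: audit a web
# root for the residue described above (a dropper in a hidden directory under
# assets/images/, a crontab entry that runs it, directories the web server can
# write into), then lock the tree down. Sample tree and crontab are constructed.

# Print every directory beneath $1 whose name starts with a dot: what "ls -al"
# shows and "ls -l" hides.
find_hidden_dirs() {
    find "$1" -type d -name '.*' 2>/dev/null | sort
}

# Print every directory beneath $1 that is world-writable (o+w): any process,
# including PHP running as the web server user, can drop files there.
find_world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null | sort
}

# Read a crontab on stdin (crontab -l, or /var/spool/cron/* as root) and print
# the non-comment entries that execute something beneath web root $1.
cron_lines_under() {
    grep -F -- "$1" | grep -v '^[[:space:]]*#' || true
}

# Make tree $1 read-only for day-to-day serving and keep only $2 writable
# (the cache directory in the question above): dirs 755, files 644, $2 775.
# Assumption: $2 is group-owned by the web server's group, so no o+w needed.
lock_down_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 775 "$2"
}

# Constructed sample tree mirroring the post: a "lazo" directory holding the
# y2kupdate binary, a hidden ".zbot" directory, a legitimate "logos" directory,
# and assets/images plus assets/cache left world-writable. Prints its root.
make_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/assets/images/lazo" "$root/assets/images/.zbot" \
             "$root/assets/images/logos" "$root/assets/cache"
    touch "$root/assets/images/lazo/y2kupdate" "$root/assets/images/logos/site.png"
    chmod 777 "$root/assets/images" "$root/assets/cache"
    printf '%s\n' "$root"
}

# Constructed crontab: one harmless entry and one of the kind quoted in the post.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/updatedb >/dev/null 2>&1
*/5 * * * * /var/www/example/assets/images/lazo/y2kupdate >/dev/null 2>&1'

# Usage: sh audit.sh [/path/to/webroot]; with no argument, audit the sample tree.
demo() {
    if [ -n "$1" ]; then
        webroot=$1
    else
        webroot=$(make_sample_tree)
    fi
    echo "== hidden directories =="
    find_hidden_dirs "$webroot"
    echo "== world-writable directories =="
    find_world_writable_dirs "$webroot"
    echo "== crontab entries that run something under the web root =="
    if [ -n "$1" ]; then
        crontab -l 2>/dev/null | cron_lines_under "$webroot"
    else
        printf '%s\n' "$SAMPLE_CRONTAB" | cron_lines_under /var/www/example
    fi
    if [ -z "$1" ]; then
        lock_down_tree "$webroot" "$webroot/assets/cache"
        echo "== world-writable directories after lockdown (expect none) =="
        find_world_writable_dirs "$webroot"
        rm -rf "$webroot"
    fi
}

demo "${1:-}"
```

Mode bits only help if the files are not owned by the user PHP runs as; on a host where scripts execute as the file owner, a writable bit is irrelevant and the real control is which directories you allow uploads into at all. Re-run the hidden-directory and crontab checks after any restore, since the posts above show the dropper surviving a reinstall precisely because the images directory was carried over unchecked.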