Method for HACK SMF? ADMIN please fix this bug if is real

Started by edi67, January 26, 2008, 05:19:51 AM


edi67

Browsing one forum I found this message:

Congrat for the new plugin, but I found this exploit on the wild (SMF exploit every version).

Just so you know..
Quote:
SMF forum ALL versions exploit

1) Get a PHP Shell (like c99shell)

2) RENAME it in c99.php.zip (DON'T PUT THE SHELL IN THE ARCHIVE BUT RENAME IT)

3) Now upload the renamed c99 like an attachment on the victim's SMF forum

4) Default admin is disabled the "encrypt filenames" option, so :

You can found the shell here:

[target]/[path]/attachments/c99.php.zip

5) You owned the website already
Just for the head up and keep up a good work


Well if this is one real HACK action, Admins please fix the problem of security.

Thx
CrazyZone - My SMF Forum


From the difficult the hardening of the man you can see

karlbenson

This was posted on a forum back in early 2007
http://www.vivvo.net/forums/showthread.php?t=2020

I tested it for good measure.  Doesn't work now (or if it ever did)
As far as I'm aware it wouldn't execute anyway because it doesn't have the .php extension.

Kindred

As Karl Benson has said...

In addition, although the "encrypt filenames" might be disabled by default, it is your responsibility, as website administrator, to check your own security. If you are concerned, enable "encrypt filenames".

And you can disable the ability to upload .zip files as attachments...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

karlbenson

and also you can move attachments out of a public area, so they can't access it directly.

winrules

For this to work the admin had to disable attachment file name encryption (contrary to the report it is enabled by default), and the server has to have a very strange configuration that sends zip files through the php parser.


winrules
SMF Developer
               
My Mods
Please do not PM me for support.


Grudge

Indeed, this can only happen on an incorrectly configured server. There is no way whatsoever that ANY server configuration should parse every file as PHP - and it's never set up like that by default.

By the same token you could say that if the admin disables file name encryption and then allows users to upload PHP files that's an exploit - but clearly it's not - it's simply very, very poor management (And something we warn about!)
I'm only a half geek really...
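
As an added illustration (not part of the thread and not SMF's code), a small Python audit that checks an attachments directory against the three mitigations mentioned in the replies above: opaque stored names, no script extension anywhere in a filename, and a directory outside the web root. The extension list, function names, naming scheme and sample files are assumptions constructed for the example.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path

# Assumed list of extensions a misconfigured server might hand to an interpreter.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl"}

def script_parts(filename):
    """Return script extensions found in any dotted part of the name, not only the last."""
    parts = filename.lower().split(".")[1:]
    return [p for p in parts if p in SCRIPT_EXTS]

def opaque_name(attachment_id, original_name):
    """Storage name with no user-controlled text and no extension (illustrative scheme,
    not SMF's own algorithm)."""
    digest = hashlib.sha256(secrets.token_bytes(16) + original_name.encode()).hexdigest()
    return f"{attachment_id}_{digest}"

def audit(attach_dir, web_root):
    """Return (kind, detail) findings for an attachments directory."""
    attach_dir, web_root = Path(attach_dir).resolve(), Path(web_root).resolve()
    findings = []
    # Mitigation: keep attachments where the web server cannot serve them directly.
    if attach_dir == web_root or web_root in attach_dir.parents:
        findings.append(("dir-inside-web-root", str(attach_dir)))
    # Mitigation: stored names should carry no script extension at all.
    for entry in sorted(attach_dir.iterdir()):
        if entry.is_file() and script_parts(entry.name):
            findings.append(("script-extension-in-name", entry.name))
    return findings

def demo():
    """Constructed sample: a web-exposed dir with user-chosen names vs. a hardened dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "public_html")
        exposed = root / "attachments"
        private = Path(tmp, "private_attachments")
        exposed.mkdir(parents=True)
        private.mkdir()
        (exposed / "notes.php.zip").write_bytes(b"constructed sample")
        (exposed / "photo.jpg").write_bytes(b"constructed sample")
        (private / opaque_name(7, "notes.php.zip")).write_bytes(b"constructed sample")
        return [kind for kind, _ in audit(exposed, root)], audit(private, root)

if __name__ == "__main__":
    print(demo())
```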
