Sphider - a lightweight search engine in PHP

Sphider forum


Frank Carius


Germany,
13.04.2006, 13:06
 

Sphider 1.3 abuse (with fix)

I was using Sphider 1.2.x as "Site Search" on my web page www.msxfaq.de (and some others) and this morning, it was "hacked".

Somebody abused the "configset.php" to inject his own code.

Details? See the WWW logs at "www.msxfaq.de/sonst/hacked.htm"


Currently I have disabled Sphider and I would strongly recommend every user to make it more secure.
I'm not a PHP programmer, so I wait for a newer version.
It could be an option to put a .htaccess file into the ./admin directory to restrict access with an additional authentication.

Here are some of the requests for debugging

I'm not sure if 1.3.x is still buggy in that way.

Frank

Ando(R)

13.04.2006, 14:50

@ Frank Carius

Sphider 1.2.x abuse

Thanks for reporting this. I looked at your logs and you are right. Basically, this was a big and very stupid oversight by me that caused this hole in the script. Namely, configset.php, which is used inside admin.php to set the configuration options, was lacking a security check in front, so if someone malicious would access it directly by typing it in the URL, he could set the options via URL parameters, bypassing the authentication. I have now fixed this for all the downloadable versions. Basically, to fix it, it suffices to add the line

include "auth.php";


in the beginning of configset.php

Frank Carius


Germany,
14.04.2006, 15:23

@ Ando

Sphider abuse

Thanks for that fast reply.
I downloaded the current version (I was using 1.3 RC2, but there were not too many modifications)

and I'll give it a second try. I hope that many users are aware of that bug and will update their copy fast. The attacker downloaded a PHP shell, so they have full access to the web server and can read everything.

Frank

Frank Carius


Germany,
14.04.2006, 15:25

@ Frank Carius

Sphider abuse

Oops, once more.

I would like to put a ".htaccess" into the admin directories, which are not required for "search only" users, so an attacker must authenticate against Apache first and cannot attack the PHP engine. So maybe that's an enhancement for future versions.

Frank

Frank Carius


Germany,
14.04.2006, 15:36

@ Frank Carius

Sphider abuse

And to make it more "interesting":
it took me ONE SEARCH in Google using "sphider" and "configset.php" and I found a ready-to-use Perl script for that exploit.

http://www.milw0rm.com/exploits/1665

So hurry up updating...

codepunk


14.04.2006, 17:29

@ Frank Carius

Sphider 1.2.x abuse

» I was using Sphider 1.2.x as "Site Search" on my web page www.msxfaq.de
» (and some others) and this morning, it was "hacked".
»
» Somebody abused the "configset.php" to inject his own code.
»
» Details? See the WWW logs at "www.msxfaq.de/sonst/hacked.htm"
»
»
» Currently I have disabled Sphider and I would strongly recommend every
» user to make it more secure.
» I'm not a PHP programmer, so I wait for a newer version.
» It could be an option to put a .htaccess file into the ./admin directory
» to restrict access with an additional authentication.
»
» Here are some of the requests for debugging
»
» I'm not sure if 1.3.x is still buggy in that way.
»
» Frank

Same here, we had a machine get hacked using this very method...

The exploit we encountered used URL injection in the fopen command to inject code loaded off of a remote server into the script as it was running. They used it to load a PHP shell allowing them to navigate and manipulate the file system. We immediately removed the Sphider engine to halt the attack. Since we do not load URLs anywhere else on the system using fopen, I then shut off fopen_url in php.ini; this eliminates the vulnerability, and system-wide at that. I think newer versions of PHP have fopen_url shut off by default, but on my older version it was enabled. I doubt that Sphider is the only one subject to this exploit, as I have probably even coded fopen commands not as securely as I should. Even after disabling fopen_url we still encountered repeated attempts at exploiting the script. I have a list on the server of banned IP addresses and a cron job continually loads these into iptables. I further modified the configset.php script to throw the requesting IP address into the ban list if the requestor passed any variable not expected.
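
An added example that is not Sphider's code and not what Ando or codepunk posted: it puts the two posts together, Ando's guard at the top of configset.php and codepunk's rejection of unexpected parameters and remote URL values. The contents of auth.php, the option names and the session flag are assumptions for the illustration.

```php
<?php
// Added illustration, not Sphider's own code. It shows the shape of the
// hole Ando describes (a config setter reachable without authentication),
// his one-line guard, and codepunk's whitelist of expected parameters.
// Option names, file names and the session flag are assumptions.

// --- auth.php (assumed content): stop everyone without an admin session ---
// session_start();
// if (empty($_SESSION['admin_logged_in'])) {
//     header('HTTP/1.0 403 Forbidden');
//     exit('Admin login required');
// }

// --- configset.php, hardened ---
// The fix from the thread: the guard must run before any option is touched,
// so a direct request to configset.php?option=... never reaches the code below.
include "auth.php";

// Only the options the admin form really sends may be written (assumed names).
$allowed = ['min_words_per_page', 'index_pdf', 'user_agent'];

function sanitize_options(array $input, array $allowed): array {
    $clean = [];
    foreach ($input as $key => $value) {
        // A parameter the form never sends is tampering: refuse the whole request
        // (codepunk logs and bans the source address at this point).
        if (!in_array($key, $allowed, true)) {
            throw new RuntimeException("unexpected parameter: $key");
        }
        // codepunk's case: a remote URL smuggled into a value that later reaches
        // fopen(). allow_url_fopen = Off in php.ini blocks that system-wide;
        // this check refuses it here as well, so the value is never stored.
        if (preg_match('~^[a-z][a-z0-9+.-]*://~i', (string) $value)) {
            throw new RuntimeException("URL values are not accepted for $key");
        }
        $clean[$key] = (string) $value;
    }
    return $clean;
}

try {
    $options = sanitize_options($_GET + $_POST, $allowed);
    // ... store $options in the config file/table as the original script did ...
} catch (RuntimeException $e) {
    error_log('configset rejected from ' . $_SERVER['REMOTE_ADDR'] . ': ' . $e->getMessage());
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid configuration request');
}
```

Pair it with `allow_url_fopen = Off` in php.ini, which is the php.ini switch codepunk describes, so a URL that slips past the application check is still refused by PHP itself.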

Mario

17.04.2006, 17:15

@ Frank Carius

Sphider 1.2.x abuse

If you are on a private LAN you should add:

<Directory "/var/www/html/sphider/admin">
Order Deny,Allow
Deny from All
Allow from 127.0.0.1 10.0.0.1
</Directory>

to the httpd.conf to grant access to that dir ONLY to certain (local) machines.

spoonhh


19.04.2006, 10:54

@ Ando

Sphider 1.2.x abuse

» Thanks for reporting this. I looked at your logs and you are right.
» Basically, this was a big and very stupid oversight by me that caused this
» hole in the script. Namely, configset.php, which is used inside admin.php
» to set the configuration options, was lacking a security check in front,
» so if someone malicious would access it directly by typing it in the URL,
» he could set the options via URL parameters, bypassing the authentication.
» I have now fixed this for all the downloadable versions. Basically, to fix
» it, it suffices to add the line
»

include "auth.php";


» in the beginning of configset.php

Perhaps it's a good idea to place a note and security advice on the homepage. Not everybody with the problem reads all the forum entries.

Thanks

spoon_hh

ComputerBob


21.04.2006, 01:10

@ spoonhh

Sphider 1.2.x abuse

I just downloaded v1.3b, but I don't see the answer to this question anywhere in it.

For those of us who are using v1.3, and who customized it to fit our sites, which of the v1.3b files do we need to replace on our servers in order to be up-to-date with v1.3b's security fixes? This thread appears to indicate that we only need to overwrite configset.php, but I'd like to know for sure.

TIA
