03Nov2008 (UTC +8)

On 11/2/08, Christian Masancay <[EMAIL PROTECTED]> wrote:
> Given the circumstances, the risk exposure may be limited only to the
> application layer. You can minimize the security risk if you have
> strong operating system and network controls.

I believe such general advice begs for a better clarification. By itself, it *may* mislead the PLUG readers into misunderstanding the risk exposures, which will then be underestimated, and therefore inadequately treated. Care to expound on your thoughts?

For you see, one can get really creative and mix SQL with shell commands in MySQL statements (using the prefix "system"). Or, on MS Windows with MS SQL (yes, also with Joomla) systems, it is easy to reconstruct tools like the Metasploit "metsrv.dll" or "nc.exe" using the xp_cmdshell stored proc, which will re-assemble text files using debug.exe -- without even uploading (in the traditional sense of the word) anything. Needless to say, it's way more than the ' OR 1=1-- kung-fu because you got the O/S right then and there.

But of course, once you obtain even limited access but with privileges that have later been escalated (allowing writes to the filesystem), you use the web application to get you where the money is: databases. Add to the web application more SQL statements that will record names, account numbers and PINs on a temp db, which you can then just get later at your convenience. (Yes, you just made the web server itself a "key logger".) And we're not even doing any XSS yet on the web application server. That's not just theory, but actual exercises done recently.

But I digress. To add more to my previous answer to Philip's question:

1. Verify the filesystem and web app's ACL for your htaccess.txt and make sure it doesn't leak out. All your input validation controls on the web application are for nothing if the attacker can easily figure them out. It's a common implementation mistake with this one.
2. Go to http://<site>/index.php?option=com_user&view=reset
3. Enter a valid admin e-mail address. Google around to find out who owns the website, and then who's the admin for it. Don't forget LinkedIn, Friendster, Yahoo Groups or Facebook ;)
4. SQLi the input field where it asks for a verification token, then reset the password of the attacked user, and login.

I've simplified it a bit, so as not to make this too easy for the script kiddies out there. Kindly let me know if this works for you too please?

> On Sat, Nov 1, 2008 at 8:18 PM, Philip Morales <[EMAIL PROTECTED]> wrote:
> >
> > I received the following about the "Joomla Password Remind Functionality -
> > Exploit" attack
> >
> > ---------------------------
> > There have been several (successful) hack attempts in the past 48 hours from
> > your network:
> > below you will find a small overview of the different IP address and the
> > timestamps they were used,
> > at the end of this message you will find the complete http log file entries
> > which prove this is a
> > full "[20080801] - Core - Password Remind Functionality - Exploit" attack.
> >
> > 89.108.36.198 - - [30/Oct/2008:06:02:10 +0100]
> > 89.108.31.218 - - [31/Oct/2008:00:37:13 +0100]
> >
> > Please take appropriate actions.
> > ---------------------------
> >
> > Our Linux server was hacked due to insecure software hosted by one of
> > our customers,
> > normally this should only affect the website of the customer itself - not
> > the entire server -
> > but since this has happened in the past days we decided to lock down
> > customers' websites and
> > force them to update their software for this particular vulnerability.
> >
> > http://developer.joomla.org/security/news/35-core-security/241-20080801-core-password-remind-functionality.html
> >
> > vulnerability exists in all versions prior to 12-08-2008.
> >
> > Do you know any additional fix I can do?
Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
http://www.laggui.com ( Singapore / Manila / California )
Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
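The thread leaves a hosting admin in Philip's position with two concrete things to look for in the web server logs: whether htaccess.txt is being served (step 1 of the list above) and whether the com_user password-reset flow is being hit with a token that does not look like a real verification token. The script below is an added example written for this post; it is not code from the thread or from Joomla. It parses Apache access-log lines of the shape quoted in the abuse notification (only the IP/timestamp prefix appears in the thread; the full lines here are constructed), tags each request, and reports source addresses worth looking at. Two assumptions are marked in the code: the confirmation step is taken to be `task=confirmreset` with a `token` parameter (Joomla 1.5 com_user), and the token is shown in the query string so that a plain access log can be used; in a real deployment the form posts it in the request body, so the same check would have to run on a request-body log such as the one mod_security writes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: ip ident user [timestamp] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# A genuine reset token is a short alphanumeric string; anything else
# (quotes, spaces, SQL metacharacters, or an empty value) is out of shape.
TOKEN_OK = re.compile(r'^[A-Za-z0-9]+$')

# Constructed sample log (not the real entries from the notification in the thread).
# ASSUMPTION: task=confirmreset / token=... is the Joomla 1.5 com_user confirmation
# step, shown here in the query string purely so an access log can carry it.
SAMPLE_LOG = """\
89.108.36.198 - - [30/Oct/2008:06:02:10 +0100] "GET /htaccess.txt HTTP/1.1" 200 1543
89.108.36.198 - - [30/Oct/2008:06:02:15 +0100] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 4210
89.108.36.198 - - [30/Oct/2008:06:02:20 +0100] "POST /index.php?option=com_user&task=confirmreset&token=%27 HTTP/1.1" 303 -
10.0.0.5 - - [30/Oct/2008:09:15:00 +0100] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8800
10.0.0.5 - - [30/Oct/2008:09:16:00 +0100] "POST /index.php?option=com_user&task=confirmreset&token=3f9a1c2e HTTP/1.1" 303 -
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path, query (dict) and int status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry['target'])
    entry['path'] = parts.path
    # parse_qs URL-decodes values, so token=%27 arrives as a single quote
    entry['query'] = {k: v[0] for k, v in
                      parse_qs(parts.query, keep_blank_values=True).items()}
    entry['status'] = int(entry['status'])
    return entry


def classify(entry):
    """Tag one request. An empty set means nothing of interest."""
    tags = set()
    q = entry['query']
    # Step 1 of the post: htaccess.txt must not be served. A 2xx here means it is.
    if entry['path'].endswith('/htaccess.txt') and 200 <= entry['status'] < 300:
        tags.add('htaccess_exposed')
    if q.get('option') == 'com_user':
        if q.get('view') == 'reset':
            tags.add('reset_form')
        if q.get('task') == 'confirmreset':
            tags.add('reset_confirm')
            token = q.get('token')
            if token is not None and not TOKEN_OK.match(token):
                tags.add('malformed_token')
    return tags


def review_log(log_text):
    """Map each source IP to the union of tags seen on its requests."""
    per_ip = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            per_ip.setdefault(entry['ip'], set()).update(tags)
    return per_ip


def suspicious_ips(log_text):
    """IPs that either pulled htaccess.txt successfully or sent an out-of-shape token.
    Merely using the reset form is normal user behaviour and is not flagged."""
    return {ip for ip, tags in review_log(log_text).items()
            if 'malformed_token' in tags or 'htaccess_exposed' in tags}


if __name__ == '__main__':
    for ip, tags in sorted(review_log(SAMPLE_LOG).items()):
        print(ip, sorted(tags))
    print('suspicious:', sorted(suspicious_ips(SAMPLE_LOG)))
```

The `htaccess_exposed` tag is as much a finding about the server as about the client: any 2xx on that path means the ACL check in step 1 has not been done, regardless of who requested it. The token check is deliberately a whitelist on shape rather than a search for particular payload strings, so it does not need updating as attackers vary their input.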

