Hi!

Our installation and our plugins are all up to date.

The problem is the haybase-plugin which we installed to use the blue
Dutch WLM skin. It contains a file called timthumb.php with the
following code:

// external domains that are allowed to be displayed on your website
$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);

[...]

    foreach ($allowedSites as $site) {
        if (strpos (strtolower ($url_info['host']), $site) !== false) {
            $isAllowedSite = true;
        }
    }

And the check there is stupid. It just checks if an external url
contains flickr.com, not if the url is actually flickr.com. Using
this, manipulated gif images were downloaded from
http://flickr.com.aseana.com.my/xc0de.php and ended up in the cache
folder for scaled images, where they were later executed as PHP files.

It seems only the index.php was replaced and another text file was added.

As we switched to Elyas red skin last weekend I just removed the old
WMNL skin and the haybase plugin.

Regards, Holger

-- 
Board member, treasurer

Wikimedia Sverige
Box 500
SE-101 29 Stockholm

Org. no. 802437-8310
http://www.wikimedia.se/
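To make the flaw concrete, here is an added PHP example (not timthumb.php's own code) that puts the substring check quoted above next to a suffix match on the parsed host name; the allow-list is the one from the message, the test URLs are constructed, and the function names are my own.

```php
<?php
// Added example, not code from timthumb.php. It contrasts the substring
// check quoted above with a suffix match on the parsed host name.
// $allowedSites is the list from the message; the URLs are constructed.
$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);

// The check as quoted: true whenever the host merely *contains* an entry,
// so "flickr.com.aseana.com.my" passes because it contains "flickr.com".
function isAllowedSubstring(string $url, array $allowedSites): bool
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach ($allowedSites as $site) {
        if (strpos($host, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: the host must be exactly an entry, or end in ".entry"
// (a real subdomain of it). Anything appended after the entry fails.
function isAllowedHost(string $url, array $allowedSites): bool
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach ($allowedSites as $site) {
        $suffix = '.' . $site;
        if ($host === $site || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

$tests = array(  // constructed sample URLs
    'http://flickr.com/photo.jpg',                // legitimate
    'http://farm1.static.flickr.com/photo.jpg',   // legitimate subdomain
    'http://flickr.com.aseana.com.my/xc0de.php',  // the host from the message
    'http://example.org/flickr.com/image.gif',    // entry only in the path
);
foreach ($tests as $url) {
    printf("%-45s substring=%-5s hardened=%s\n", $url,
        var_export(isAllowedSubstring($url, $allowedSites), true),
        var_export(isAllowedHost($url, $allowedSites), true));
}
```

Run with `php example.php`: the third URL is accepted by the substring check and rejected by the suffix match, while the two legitimate URLs pass both.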


>> From: [email protected]
>> Date: Thu, 23 Aug 2012 16:32:22 +0200
>> To: [email protected]
>> Subject: Re: [Wiki Loves Monuments] Swedish WLM site is hacked....
>>
>> Hi Jan,
>> I see you've taken the website offline already -- please let us know
>> what happened so we could see if the other WLM sites are not in danger
>> of being "own3d".
>>
>> Thanks
>> --
>> Tomasz W. Kozłowski
>> a.k.a. [[user:odder]]
>>
>> _______________________________________________
>> Wiki Loves Monuments mailing list
>> [email protected]
>> https://lists.wikimedia.org/mailman/listinfo/wikilovesmonuments
>> http://www.wikilovesmonuments.org
