MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 02 January 2006 : 04:29:03
I just received a message from my board saying that I had forgotten my password....the normal password.asp e-mail. However, the strange thing is that I indeed can no longer log in using my own password. The password of my own account HAS been changed. I just logged in using my other account, and that one wasn't changed. With that account I locked my own account MarcelG, so that it can no longer be abused.
I'm diving into the logfiles now, to see what he/she has done exactly, and I see some referrals to pop_upload.asp:
quote: 2006-01-02 07:37:53 W3SVC1539007078 MULE 204.221.145.58 GET /images/icon_smile_emo.gif - 80 - 58.187.56.180 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) ASPSESSIONIDCSSTTQAT=IDCCFIKDBDAAKAMIBIJCHADC;+__utmc=182268921;+__utma=182268921.1919774026.1136186114.1136186114.1136186418.2;+__utmb=182268921;+__utmz=182268921.1136186114.1.1.utmccn=(organic)|utmcsr=google|utmctr=pop_upload.asp|utmcmd=organic;+Snitz00User=Pword=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918&Name=MarcelG http://oxle.com/admin_smiles.asp oxle.com 200 0 0 1265 631 484
He's gotten into the admin_home.asp page, and cleared the searchlog, that's for sure. After that he changed the upload settings, and added .asp to the allowed file types. He then uploaded a file test.asp to the site. This file (NTDaddy v1.9 by obzerve of fux0r inc.) was successfully uploaded....

So, I guess we've got a BIG leak here....
POP_UPLOAD.ASP is listed here : http://www.dircity.com/newspub/html/1-2/342.html http://www.xfocus.net/articles/200202/342.html http://www.haiyang.net/safety/book/show.asp?id=217
My Japanese/Chinese isn't very good, so perhaps someone can translate this?
portfolio - linkshrinker - oxle - twitter
Edited by - MarcelG on 02 January 2006 12:58:59
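An added example (my code, not from the thread, the mod or Snitz) that pulls the forensic facts out of the IIS log line Marcel posted: the client address, the page the request was referred from, the Google search that brought the visitor to the site (the __utmz cookie records the search term), and the Snitz00User cookie. The field order assumed is the IIS 6 default W3C Extended set, which the 22 fields of the posted line match. Snitz 3.4 stores the Pword cookie value as a SHA-256 hex digest of the password (an assumption here); hashing a small constructed list of common passwords shows that the digest in the posted line is SHA-256 of the string admin. The candidate list and all function names are mine.

```python
import hashlib
from urllib.parse import unquote_plus

# IIS 6 default W3C Extended field order (assumed; the posted line has 22 fields, which matches).
W3C_FIELDS = [
    "date", "time", "s-sitename", "s-computername", "s-ip", "cs-method",
    "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip",
    "cs-version", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)", "cs-host",
    "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes",
    "time-taken",
]

# The log line from the post above, verbatim.
LOG_LINE = (
    "2006-01-02 07:37:53 W3SVC1539007078 MULE 204.221.145.58 GET "
    "/images/icon_smile_emo.gif - 80 - 58.187.56.180 HTTP/1.1 "
    "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) "
    "ASPSESSIONIDCSSTTQAT=IDCCFIKDBDAAKAMIBIJCHADC;+__utmc=182268921;"
    "+__utma=182268921.1919774026.1136186114.1136186114.1136186418.2;"
    "+__utmb=182268921;+__utmz=182268921.1136186114.1.1.utmccn=(organic)"
    "|utmcsr=google|utmctr=pop_upload.asp|utmcmd=organic;"
    "+Snitz00User=Pword=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
    "&Name=MarcelG "
    "http://oxle.com/admin_smiles.asp oxle.com 200 0 0 1265 631 484"
)

# Constructed candidate list; a real check would use a proper wordlist.
CANDIDATE_PASSWORDS = ["password", "123456", "admin", "test", "marcelg", "letmein"]


def parse_w3c_line(line):
    """Split one W3C Extended log line into a field dict. IIS never writes a
    literal space inside a field (spaces become '+'), so a plain split is safe."""
    values = line.strip().split(" ")
    if len(values) != len(W3C_FIELDS):
        raise ValueError(f"expected {len(W3C_FIELDS)} fields, got {len(values)}")
    return dict(zip(W3C_FIELDS, values))


def parse_cookies(raw):
    """'name=value;+name=value' with '+' standing for spaces -> dict."""
    cookies = {}
    for part in unquote_plus(raw).split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def parse_snitz_user(value):
    """Snitz00User=Pword=<hex>&Name=<user>: a query-string style pair list."""
    return dict(kv.split("=", 1) for kv in value.split("&") if "=" in kv)


def parse_utmz(value):
    """Google Analytics __utmz: '<ids>.utmccn=..|utmcsr=..|utmctr=..|utmcmd=..'."""
    fields = {}
    for part in value.split("|"):
        key, val = part.split("=", 1)
        fields[key.rsplit(".", 1)[-1]] = val   # drop the numeric prefix on the first key
    return fields


def match_password_hash(hex_digest, candidates):
    """Return the candidate whose SHA-256 equals the digest, or None.
    Assumes the cookie holds sha256(password), as Snitz 3.4 does."""
    for pw in candidates:
        if hashlib.sha256(pw.encode()).hexdigest() == hex_digest.lower():
            return pw
    return None


def summarize(line):
    """Everything an incident responder wants from one line, as a dict."""
    rec = parse_w3c_line(line)
    cookies = parse_cookies(rec["cs(Cookie)"])
    user = parse_snitz_user(cookies.get("Snitz00User", ""))
    utmz = parse_utmz(cookies["__utmz"]) if "__utmz" in cookies else {}
    return {
        "client_ip": rec["c-ip"],
        "server_ip": rec["s-ip"],
        "request": f'{rec["cs-method"]} {rec["cs-uri-stem"]}',
        "referer": rec["cs(Referer)"],
        "user": user.get("Name"),
        "pword_hash": user.get("Pword"),
        "search_engine": utmz.get("utmcsr"),
        "search_term": utmz.get("utmctr"),
        "cracked": match_password_hash(user.get("Pword", ""), CANDIDATE_PASSWORDS),
    }


if __name__ == "__main__":
    for key, value in summarize(LOG_LINE).items():
        print(f"{key:14} {value}")
```

Run over a whole log, the same summarize() lets you filter on c-ip to follow the attacker's session and on cs(Referer) to see which admin pages were visited. A cookie value that hashes to a word from a tiny list is also a reminder that the Pword cookie is a persistent, unsalted credential: anyone who reads it can replay it.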
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 02 January 2006 : 04:56:26
pop_upload.asp is NOT part of Snitz by the way, so your BIG leak is not in Snitz.
And yes, any asp file which allows you to upload files to your website is a potential security hazard.
It looks like they are doing it by spoofing the (Session(strCookieURL & "Approval") <> "15916941253" ) somehow, so probably your best bet is to change that to a more random number.
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 02 January 2006 : 05:03:04
HuwR, I know... I also realise that I'm using a very old version of the upload mod....but - excuse my French - ****, this is a bad start of the year.
I see he/she has registered a new user, with a non-existent e-mail address. Then he/she has activated that user.
I just changed the Session(strCookieURL & "Approval") = "" in config.asp. Is there another place where this should be changed?
portfolio - linkshrinker - oxle - twitter
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 02 January 2006 : 05:11:44
Everywhere it is used (all the admin pages).
quote: He then uploaded a file test.asp to the site.
In all the upload mods I have seen file types are limited; it is, as you have found out, not a very good idea to allow people to upload asp files to your webspace.
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 02 January 2006 : 05:18:26
Huw, with all due respect; the hacker changed this value as I described. The 'funny' thing is that I'm using an old file uploading mod which was made by you...

'# File Attachment Mod by Huw Reddick
' Right(faname,4) is the last four characters of the file name; Instr() is a substring search
boolAllowedType = Instr(strAllowedExtensions, Right(faname,4)) > 0
ImageFile = Instr(".jpg,.gif", Right(faname,4)) > 0
WordDocument = Instr(".doc", Right(faname,4)) > 0
NotePad = Instr(".txt", Right(faname,4)) > 0
if referrer = "patch" then
    PatchFile = Instr(".zip", Right(faname,4)) > 0
end if
' when the form says referrer=dbsfiles, the allowed-types setting is replaced by an .asp-only check
if referrer = "dbsfiles" then
    boolAllowedType = Instr(".asp", Right(faname,4)) > 0
end if

To prevent this for future things, I guess we should prevent .asp (and .php, etc etc) even if it was defined as allowed.
portfolio - linkshrinker - oxle - twitter
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Marcel, did you find out how they first got into your system?
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 02 January 2006 : 05:45:22
Ok, that now explains what they are doing, since for referrer to be dbsfiles, they need to spoof your pop_upload.asp form, so it looks like they are cross site scripting the pop_upload.asp form, so in the uploadengine.asp file you need to check that they have come from your pop_upload.asp.
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 02 January 2006 : 05:46:34
quote: Originally posted by ruirib
Marcel, did you find out how they first got into your system?
See my reply above, they are cross site scripting the pop_upload form.
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 02 January 2006 : 05:51:17
Someone should move this to the MOD forums since it is not related to the Snitz code.
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 02 January 2006 : 05:51:20
quote: Originally posted by HuwR
Ok, that now explains what they are doing, since for referrer to be dbsfiles, they need to spoof your pop_upload.asp form, so it looks like they are cross site scripting the pop_upload.asp form, so in the uploadengine.asp file you need to check that they have come from your pop_upload.asp
Well, they're not that advanced. They're not using the dbsfiles referrer, as they actually needed to change the upload settings to upload the asp file. Shall I post my logfile, for further investigation?
portfolio - linkshrinker - oxle - twitter
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 02 January 2006 : 05:55:01
Post as much of your log as you can, since your problem looks more and more like a bug that was fixed over a year ago which allowed someone to change the admin password.
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 02 January 2006 : 05:57:07
BTW; I guess this is the hackbook he used: translated version
quote: Regarding the admin programs bbs/admin_upload.asp and bbs/admin_uploadengine.asp and so on: if you do not need them you may delete them; if you do need them you can modify them yourself. Add one line before the procedure:
"15916941253" is best changed to other digits, for example change it to:
and change "15916941253" in the other admin programs to the same digits as well. Note: in admin_login.asp:
this must also be changed, otherwise none of the admin programs can be used.
I downloaded the original edition of Snitz Forums 2000 Version 3.1 SR4 and other Snitz Forums editions and did not actually find the security problem described above; the Snitz Forums' own discussion forum (http://forum.snitz.com/forum/) does not have these problems either. But many of the overseas forums I tested that use Snitz Forums, including ones in Italy, Germany and so on, do have these problems, so evidently these programs were not added by the author of the Chinese translation.
portfolio - linkshrinker - oxle - twitter
Edited by - MarcelG on 02 January 2006 06:05:57
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 02 January 2006 : 06:06:34
Well, that makes as much sense as the Japanese version :)
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 02 January 2006 : 06:15:59
Well, I just changed all instances of the "15916941253" thing, and removed all files that have that string in them from the source-viewer page (so that for future reference, the hacker cannot look it up).
I haven't made any changes to pop_upload.asp and uploadengine.asp yet...
portfolio - linkshrinker - oxle - twitter
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 02 January 2006 : 06:23:55
Remove the part about dbsfiles; not sure why that was added to be honest, it is not in my original file. I would then add some extra checks in uploadengine.asp to make sure it is not being fired from a remote machine. You could also remove script permissions in IIS from any directories that can be uploaded to; that way even if they do upload a script they won't be able to execute it.
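As an added example (my code, not the mod's, HuwR's or Marcel's), the extension test from the uploadengine.asp fragment quoted earlier in the thread, transcribed into Python and placed next to a hardened replacement so the same file names can be fed to both. It also includes the kind of same-origin Referer check HuwR suggests for uploadengine.asp. The list of server-executable extensions, the helper names and the sample file names are my own; the IIS script-permission change he recommends is a server setting and is not shown here.

```python
import posixpath
from urllib.parse import urlparse

# Extensions that IIS/ASP and common CGI handlers execute server-side. My own
# non-exhaustive list; extend it to match whatever script maps the server has.
SERVER_SIDE_EXTENSIONS = {
    ".asp", ".asa", ".asax", ".ashx", ".asmx", ".aspx", ".cer", ".cdx",
    ".php", ".pl", ".cgi", ".shtml", ".shtm", ".stm",
}


def weak_allowed(faname, allowed_csv):
    """The posted mod's test, transcribed:
         boolAllowedType = Instr(strAllowedExtensions, Right(faname,4)) > 0
    Right(faname,4) is just the last four characters and Instr() is a
    substring search, so this is neither an extension nor a list-membership
    check: any four characters that occur somewhere in the comma list pass."""
    tail = faname[-4:]
    return tail in allowed_csv


def hardened_allowed(faname, allowed_csv):
    """Allow-list on the real, lower-cased extension, with server-side script
    types refused even when an administrator has added them to the setting."""
    name = posixpath.basename(faname.replace("\\", "/"))   # drop any path part
    if not name or name in (".", ".."):
        return False
    root, ext = posixpath.splitext(name)
    ext = ext.lower()
    if not root or not ext:               # dotfiles, "foo.", "foo"
        return False
    if "." in root or ";" in root:        # "shell.asp.jpg", "shell.asp;.jpg"
        return False                      # (also refuses "my.photo.jpg"; deliberate)
    allowed = {t.strip().lower() for t in allowed_csv.split(",") if t.strip()}
    if ext not in allowed:
        return False
    return ext not in SERVER_SIDE_EXTENSIONS


def request_from_own_form(referer, own_host, form_page="pop_upload.asp"):
    """HuwR's suggested gate for uploadengine.asp: only accept a request whose
    Referer is our own pop_upload.asp. Referer can be omitted or forged by the
    client, so treat this as a speed bump, not as the control."""
    u = urlparse(referer or "")
    return (u.scheme in ("http", "https")
            and u.netloc.lower() == own_host.lower()
            and posixpath.basename(u.path) == form_page)


def accept_upload(faname, allowed_csv, referer, own_host):
    """Both gates must pass before the file is written anywhere."""
    return request_from_own_form(referer, own_host) and hardened_allowed(faname, allowed_csv)


if __name__ == "__main__":
    # Constructed setting: what strAllowedExtensions looked like after the
    # attacker added .asp through the admin upload settings.
    allowed = ".jpg,.gif,.doc,.txt,.asp"
    for fn in ["photo.JPG", "test.asp", "shell.asp;.jpg", "x.f,.d", "../.htaccess"]:
        print(f"{fn:16} weak={weak_allowed(fn, allowed)!s:5} hardened={hardened_allowed(fn, allowed)}")
```

The point of keeping both functions side by side: the weak test lets test.asp through the moment an administrator (or someone holding the admin cookie) adds .asp to the setting, and lets x.f,.d through against the default list because "f,.d" is a substring of ".gif,.doc". The hardened test refuses .asp regardless of the setting, which is the "even if it was defined as allowed" rule Marcel asks for, and the Referer gate is the extra check HuwR describes; removing script permissions from the upload directory in IIS remains the backstop when both are bypassed.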