RFI Vulnerability in PhocaDownload!

Phoca Download - download manager
simbus82
Phoca Newbie
Posts: 7
Joined: 17 Nov 2010, 17:49

RFI Vulnerability in PhocaDownload!

Post by simbus82 »

http://forum.joomla.it/index.php?topic=118057.0

http://securityreason.com/wlb_show/WLB-2010110041

How do we have to resolve this???

Because I had some of my sites hacked on 9 November!
Clarky
Phoca Newbie
Posts: 2
Joined: 22 Nov 2010, 10:57

Re: RFI Vulnerability in PhocaDownload!

Post by Clarky »

This is a pretty big deal. If you're not running a URL masker (sh404sef etc.) and/or a security product (RS Firewall etc.), you're at serious risk of getting hacked.

Can we get a comment from a developer to acknowledge the issue at least? Here's hoping a future release addresses the problem soon. I'll happily donate once this problem is addressed.

Cheers,

Clarky
Jan
Phoca Hero
Posts: 49144
Joined: 10 Nov 2007, 18:23
Location: Czech Republic

Re: RFI Vulnerability in PhocaDownload!

Post by Jan »

Hi, Phoca Download does not work with the variable mosConfig_absolute_path.

Mostly, Joomla! itself doesn't allow accessing the file directly.

Exactly:
phocadownload.php is protected by:
defined( '_JEXEC' ) or die( 'Restricted access' );

so you get "Restricted access", nothing more.

simbus82
If your site was hacked, it was not through the Phoca Download.

Clarky
This is a pretty big deal. If you're not running a URL masker (sh404sef etc.) and/or a security product (RS Firewall etc.), you're at serious risk of getting hacked.
???
Can we get a comment from a developer to acknowledge the issue at least? Here's hoping a future release addresses the problem soon. I'll happily donate once this problem is addressed.
There is nothing to solve now, you can happily donate :-)

Anyway: security is very important for Phoca extensions; this is why a lot of cool frontend features were not implemented in Phoca extensions.

The issue is under review, like all potential or absurd security issues. Thank you for letting me know this information.

Jan
If you find Phoca extensions useful, please support the project
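As an added example (not Phoca's or Joomla!'s own code) of the two checks behind Jan's reply: the defined('_JEXEC') guard that turns a direct request into "Restricted access", and the include/require built from a $mosConfig_* global that the register_globals-era RFI advisories are about. The shell audit below walks an extension tree and reports PHP files without the guard and files with such an include path. The fixture tree, file names and contents are constructed for the demo; the guard check is a heuristic (it looks for the guard anywhere in the file, not only as the first statement).

```shell
#!/bin/sh
# Added example for this thread, not Phoca's or Joomla!'s own code.
# Two quick audits of a Joomla! extension tree:
#   find_unguarded     PHP files that never call defined('_JEXEC') ...,
#                      i.e. files that run when requested directly
#   find_rfi_includes  include/require statements whose path starts with a
#                      $mosConfig_* global or raw request input, the
#                      register_globals-era shape of a remote file inclusion
# Fixture files are constructed here; their names and contents are assumptions.

# Print PHP files under $1 (relative paths) that lack the _JEXEC guard.
# Heuristic: the guard is searched for anywhere in the file, not only as
# the first statement, so a guard placed after other code is not flagged.
find_unguarded() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        if ! grep -Eq "defined\( *'_JEXEC' *\)" "$f"; then
            echo "${f#"$1"/}"
        fi
    done
}

# Print PHP files under $1 whose include/require path begins with a
# $mosConfig_* variable or with $_GET / $_REQUEST input.
find_rfi_includes() {
    pattern='(include|require)(_once)?[[:space:]]*\(?[[:space:]]*\$(mosConfig_[A-Za-z_]+|_(GET|REQUEST)\[)'
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        if grep -Eq "$pattern" "$f"; then
            echo "${f#"$1"/}"
        fi
    done
}

# Build a constructed fixture tree (three sample files) and print its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/components/com_example"
    printf '%s\n' '<?php' \
        "defined( '_JEXEC' ) or die( 'Restricted access' );" \
        "echo 'only reachable through Joomla!';" \
        > "$d/components/com_example/guarded.php"
    printf '%s\n' '<?php' \
        '// no guard and a register_globals-era include: the RFI shape' \
        'require_once( $mosConfig_absolute_path . "/includes/helper.php" );' \
        > "$d/components/com_example/legacy.php"
    printf '%s\n' '<?php' \
        "echo 'directly reachable, but includes nothing attacker-controlled';" \
        > "$d/components/com_example/unguarded.php"
    echo "$d"
}

fixture=$(make_fixture)
echo "PHP files without the _JEXEC guard:"
find_unguarded "$fixture"
echo "PHP files with an attacker-influenced include path:"
find_rfi_includes "$fixture"
rm -rf "$fixture"
```

Run it against a real install as find_unguarded /path/to/joomla/components; a file that shows up in both lists is the combination the old advisories describe (directly reachable and including from a global that register_globals would let a request set), while a file only in the first list is merely reachable, which is what Jan's point about the guard addresses.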
Clarky
Phoca Newbie
Posts: 2
Joined: 22 Nov 2010, 10:57

Re: RFI Vulnerability in PhocaDownload!

Post by Clarky »

Thanks for the update. I was referring to sh404SEF being used to prevent 'vulnerable' URLs from being found via a simple Google search, and a Joomla! security solution to prevent the RFI 'attack'. I was only going off what I saw posted on a hacking forum; I'm not that close to PHP security.

Donation made. Keep up the great work.
Jan
Phoca Hero
Posts: 49144
Joined: 10 Nov 2007, 18:23
Location: Czech Republic

Re: RFI Vulnerability in PhocaDownload!

Post by Jan »

Great, thank you very much.

Jan
simbus82
Phoca Newbie
Posts: 7
Joined: 17 Nov 2010, 17:49

Re: RFI Vulnerability in PhocaDownload!

Post by simbus82 »

Jan wrote: simbus82
If your site was hacked, it was not through the Phoca Download.
Jan
Are you sure? I have searched through all my Joomla! files.

All index.html are "modified" with a script.

Who wrote this script in my index.html?

I have found the code in /domains/studioagm.eu/public_html/components/com_phocadownload/models/user.php

Code:

// Modified by Jan, only the current part of the file (not whole file) displayed here:

if (!JFile::exists($filepathUserFolder . DS ."index.html")) {
    @JFile::write($filepathUserFolder . DS ."index.html", "<html>\n<body bgcolor=\"#FFFFFF\">\n
Vulnerability javascript code was modified here in this place
</body>\n</html>");
Probably my hosting is not so secure, but the flaw is in this file.

The malicious code:

Code:

Modified by Jan ... included vulnerability javascript code
Jan
Phoca Hero
Posts: 49144
Joined: 10 Nov 2007, 18:23
Location: Czech Republic

Re: RFI Vulnerability in PhocaDownload!

Post by Jan »

Hi, yes, seems like your server is not safe enough.

The PHP file on your server was modified (maybe someone has your FTP logins, maybe your PHP files can be overwritten by internet scripts - insecure permissions or ownership).

In this case, somebody (human or robot) modified a Phoca Download PHP file, but any other PHP file on your server could have been modified the same way. This is wrong. PHP files must not be overwritable on the server.

You can find this code, JFile::write, in your Joomla! installation; it is the standard method to write a file in Joomla!

So if somebody has modified the code in the JFile::write() method, in the same way he/it can add JFile::write() to your PHP files... So you need to secure them and be sure your FTP password is protected and nobody knows it.

If the PHP on your server is modified, this is not a vulnerability of a component, nor of Joomla! itself.

BTW: I have removed the vulnerable code from your post (for security reasons) but left the part of the file where this code was added.

Check your server; it seems a human or robot can modify your PHP files. Now he/she/it added the code to the JFile::write method, but another script could do worse things (like modifying SQL queries, etc.)

Jan
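Added example, not Phoca's or the poster's code, of the server-side checks Jan's advice calls for: a hash baseline to spot any PHP file modified since a known-good state, a search for PHP files anyone on the box can overwrite, and a search for files where a JFile::write() call and a <script> tag sit together, the shape of the tampered user.php quoted above. The fixture tree, its file names, the clean user.php (which only mirrors the shape of the quoted snippet) and the injected script URL (example.invalid) are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not Phoca's or Joomla!'s code. Three checks for the
# situation in the thread: a PHP file on the server was rewritten so that
# its JFile::write() call drops script code into index.html.
#   1. a hash baseline that reports any modified or added PHP file,
#   2. PHP files writable by "other" (one way a web-facing script rewrites them),
#   3. PHP files where JFile::write() and a <script tag appear together.
# Fixture paths, file contents and the injected URL are constructed.

# Print the SHA-256 of one file (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline DIR: print "hash relative/path" for every PHP file under DIR.
# Store the output somewhere the web server cannot write to.
make_baseline() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "${f#"$1"/}"
    done
}

# find_modified DIR BASELINE: PHP files whose "hash path" line is not in BASELINE
# (changed content or a file that did not exist when the baseline was taken).
find_modified() {
    make_baseline "$1" | while read -r h p; do
        if ! grep -Fqx "$h $p" "$2"; then
            echo "$p"
        fi
    done
}

# find_other_writable DIR: PHP files with the world-write bit set.
find_other_writable() {
    find "$1" -type f -name '*.php' -perm -002 | sort | sed "s#^$1/##"
}

# find_script_writes DIR: PHP files that call JFile::write() and also carry
# a <script tag, the pattern of the injected code in this thread.
find_script_writes() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        if grep -q 'JFile::write' "$f" && grep -qi '<script' "$f"; then
            echo "${f#"$1"/}"
        fi
    done
}

# make_fixture: constructed extension tree. user.php only mirrors the shape
# of the quoted snippet (write an index.html into a user folder).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/models"
    printf '%s\n' '<?php' \
        "defined( '_JEXEC' ) or die( 'Restricted access' );" \
        'if (!JFile::exists($dir . DS . "index.html")) {' \
        '    @JFile::write($dir . DS . "index.html", "<html>\n<body></body>\n</html>");' \
        '}' > "$d/models/user.php"
    printf '%s\n' '<?php' \
        "defined( '_JEXEC' ) or die( 'Restricted access' );" \
        'echo "untouched";' > "$d/models/category.php"
    chmod 644 "$d"/models/*.php
    echo "$d"
}

# tamper DIR: simulate what the poster found. The write now embeds a script
# tag (constructed URL) and the file is left world-writable.
tamper() {
    sed -i.bak 's#<body></body>#<body><script src=\\"http://example.invalid/x.js\\"></script></body>#' "$1/models/user.php"
    rm -f "$1/models/user.php.bak"
    chmod o+w "$1/models/user.php"
}

site=$(make_fixture)
baseline=$(mktemp)
make_baseline "$site" > "$baseline"   # taken while the install was known-good
tamper "$site"
echo "modified since baseline:";         find_modified "$site" "$baseline"
echo "world-writable PHP files:";        find_other_writable "$site"
echo "JFile::write together with <script>:"; find_script_writes "$site"
rm -rf "$site" "$baseline"
```

The baseline is the check that generalises: it catches any rewritten PHP file, not just the JFile::write pattern seen here, which is Jan's point that the same access could have altered SQL queries or anything else. The permission check only covers the world-writable case; files owned by the web server user are just as overwritable by a script running as that user, so also compare ownership (ls -l, or find -user www-data with your server's actual user) against what the hosting setup is supposed to be.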