NEOCROME
Date: 24-11-2006 10:04 Version: ... Engine: all Author: Submitted by: Olivier C.
Comments:   Ratings:   Report to a moderator

Description

A security breach was reported on 21th november 2006, about a potential SQL injection in all Seditio and LDU versions. A flaw in the code for the default avatar selection, coupled with a weirdness from a PHP function, allows an attacker to arbitrarily run a SQL query and change the password of the administrator and thus gain control of the whole site. For further reference, this issue is named "Avatar select hack".

How to fix Seditio (all versions)

If you can roll back to a backup :
  1. Restore the backup (SQL+files) with your account manager or ask the host's technical support.
  2. Download the Seditio package for your version : 110, 102, 101 or 100.
  3. Upload the new file /system/core/users/users.profile.inc.php to your webspace, only this one.
  4. It's done.
If you don't have a backup :
  1. You should consider having a host with backups, or making backups yourself.
  2. Rename datas/config.php to anything else to be sure your site is really off.
  3. Make a SQL backup with phpmyadmin.
  4. Download the Seditio package for your version : 110, 102, 101 or 100.
  5. Upload the new file /system/core/users/users.profile.inc.php to your webspace, only this one.
  6. With phpmyadmin, search function, look for the strings : "hack", "java", "refresh" and "meta" (without the quotes).
    If you find anything suspicious, manually remove or clean, still with phpmyadmin.
  7. Then use this form to MD5 a string and set yourself a new pass, directly in the SQL, table sed_users, column user_password, your account (should be the first). As sample put the string "test" in the top box, press "Calculate hash", and copy/paste the resulting 32 chars string "d8e8fca2..." into the column user_password for your account.
  8. Do the same for all your members with administration rights.
  9. Still in the table sed_users, delete any recent user where user_maingrp=5 (not your own account of course).
  10. Disable Javascript in your browser.
  11. Rename datas/config.php back to put the site online.
  12. Log-in, disable the user registration from the config panel.
  13. In the userlist look at the last members if any managed to join an admin group by using your account.
    If yes, delete the user.
  14. Make another SQL backup with phpmyadmin.
  15. Enable the user registration.
  16. Notice how it's noticably longer when you don't have backups.
  17. It should be done.

How to fix Land Down Under (all versions)

If you can roll back to a backup :
  1. Restore the backup (SQL+files) with your account manager or ask the host's technical support.
  2. Open the file /system/core/profile/profile.inc.php, find the string $avatar = $cfg['av_dir'].urldecode($id); and right below, add :
     
    $avatar = str_replace("'","",$avatar);
    $avatar = str_replace(",","",$avatar);
    $avatar = str_replace(chr(0x00),"",$avatar);
     
    Be sure to copy/paste, else it's easy to make typos.
    Save the file, and upload to your webspace.
  3. It's done.
If you don't have a backup :
  1. You should consider having a host with backups, or making backups yourself.
  2. Rename datas/config.php to anything else to be sure your site is really off.
  3. Make a SQL backup with phpmyadmin.
  4. Open the file /system/core/profile/profile.inc.php, find the string $avatar = $cfg['av_dir'].urldecode($id); and right below, add :
     
    $avatar = str_replace("'","",$avatar);
    $avatar = str_replace(",","",$avatar);
    $avatar = str_replace(chr(0x00),"",$avatar);
     
    Be sure to copy/paste, else it's easy to make typos.
    Save the file, and upload to your webspace.
  5. With phpmyadmin, search function, look for the strings : "hack", "java", "refresh" and "meta" (without the quotes).
    If you find anything suspicious, manually remove or clean, still with phpmyadmin.
  6. Then use this form to MD5 a string and set yourself a new pass, directly in the SQL, table ldu_users, column user_password, your account (should be the first). As sample put the string "test" in the top box, press "Calculate hash", and copy/paste the resulting 32 chars string "d8e8fca2..." into the column user_password for your account.
  7. Do the same for all your members with administration rights.
  8. Still in the table ldu_users, delete any recent user where user_level is higher than 95 (not your own account of course).
  9. Run those queries with phpmyadmin, tab 'SQL' :
    UPDATE ldu_config SET config_value=0 WHERE config_name='maintenance';
    UPDATE ldu_config SET config_value='Upgrading' WHERE config_name='maintenance_reason';
  11. Disable Javascript in your browser.
  12. Rename datas/config.php back to put the site online.
  13. Log-in, disable the user registration from the config panel.
  14. In the userlist look at the last members if any managed to join an admin group by using your account.
    If yes, delete the user.
  15. Make another SQL backup with phpmyadmin.
  16. Enable the user registration.
  17. Notice how it's noticably longer when you don't have backups.
  18. It should be done.

Hints and comments

  1. Don't bother trying to ban IPs, those people have way to much free time and they can use proxies.
  2. For Seditio, never put the migthy $cfg['allowphp_override'] = TRUE; in the config file if you don't REALLY need it.
  3. To avoid such wide spreads in the future, it is not required anymore to put you websites in your profile here at Neocrome.net