MyBB Community Forums

Full Version: MyBB 1.6.5 hacked (uploads directory)
Hey,

I can verify that MyBB 1.6.5 has been hacked.
I have a forum where the hacker could freely upload files into the /avatars/ directory. This person started uploading .php files that gave him access to all parts of the server. He can browse the whole server and edit files, and thus was able to edit settings.php, where he can easily place
echo "<iframe src=\"malwaresite\"></iframe>";

I started deleting those files, and now recently he uploaded .gif files with PHP code in them, plus he added a .htaccess file where he tells the webserver that .gif files should be handled as PHP....
The GIF/PHP file tried to steal passwords from logged-in users. :P

As he is able to browse the server, he can obviously also see the SQL password and thus edit all sorts of stuff on the SQL server, like templates, users, etc.

No usergroup on the forum has the right to upload files to the server other than for the avatars. This hacker was able to upload files into /cache/, /uploads/, /uploads/avatars/ and /uploads/201201/ .

I don't use FBConnect btw. I have a few plugins though which are: Awaiting Activation Message (1.6), Akismet (1.2.1), Auto Media (1.1.9), Spider Bots (1.1), Forum Cleaner (2.5.1), Google Analytics (1.5), Gravatar (0.1), Image Resizer & Optimizer with GD (1.1.1), ProStats (1.8), Registration Security Question (1.2), and Thank You/Like System (1.3.1).
I also want to note that to solve the problem (as an emergency measure), I have chmodded all configuration back to 755. Even the cache and uploads directories are non-writable right now (except for /uploads/avatars).
I obviously also keep a close eye on that directory now....
The uploads/avatars dir allows only very specific extensions (jpg, gif, png, bmp) which are normally left alone by the PHP interpreter, so while it's possible to embed PHP code in them, it won't actually be executed. It should not be possible to inject PHP code using avatars unless your webserver is not properly configured (in which case the security issue is with your webserver and not mybb itself).

Quote: I started deleting those files

Files and access log may be interesting / necessary to figure out how the hacker gained access to your system in the first place; also the URL of your site may be interesting so we could check for obvious errors (such as a badly configured webserver). Either way you have to provide a lot more info (preferably a proof of concept) that demonstrates the security issue, otherwise it's just fruitless poking around in the dark...
Hey,

I understand that you guys want more info. I obviously do too, as I don't want these hackers on my server :-p.
This hacker is pretty darn advanced. He managed to upload a file called .htaccess into the /uploads/avatars/ directory, with the following code:

AddType x-httpd-php .php .htm .htm .gif

He then continued to upload a file called 1.gif (which I deleted :( ) that basically tries to grab the username/password from an active session and save it into passlog.txt (same directory). After that it would load up a smiley that he also uploaded to that directory (s1.gif); this way, if you went with your URL to /uploads/avatars/1.gif, it would show you the smiley, but in the backend it would (in theory) save the password to a .txt file.
I say "in theory", because I don't have Apache as my webserver, so .htaccess files don't work on my server, so he couldn't get the .gif to run I think.

Now, the passlog.txt file was empty, so I assume that he didn't get any passwords out of it. I did see in the past that he uploaded other .php files into the avatars directory. One was a compact phpMyAdmin PHP file that basically allowed him to take web-based control of the whole SQL database, and another one was a PHP file that gave him control of the whole server. It allowed the person to browse around on the server and edit any file that is chmod 666.

Any staff that wants to know more info, see private enquiries.

I unfortunately don't have any logs. I can't tell how he is uploading files into that directory. I suspect that something must be wrong with the upload rights. (I also have currently no staff with mod/admin cp rights)
(2012-01-30, 06:23 PM) Renox Wrote: I say "in theory", because I don't have Apache as my webserver, so .htaccess files don't work on my server, so he couldn't get the .gif to run I think.

If you're using nginx or lighttpd, there are unfortunately several tutorials/howtos around that give you a broken/insecure PHP setup. In particular, the web server has to check whether a file ends with .php and actually exists before handing off the request to PHP.

Otherwise it becomes possible to execute arbitrary PHP code in avatars by going to
http://yoursite/somefile.jpg/foobar.php
and the webserver will actually call the PHP interpreter on somefile.jpg/foobar.php, and PHP is stupid enough to execute the code in somefile.jpg then, ignoring the nonexistent /foobar.php path.

Then you have an arbitrary code execution security hole on your site, but the responsible party is your webserver / PHP, not MyBB.

Try adding /foobar.php to one of your image files on your webserver; it should raise a 404 error. If it shows the image instead, you're probably screwed...
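The check suggested in the post above can be scripted. What follows is an added example (my own code, not code from this thread or from MyBB) that requests <image URL>/foobar.php for each image path you hand it and classifies the answer: a 404 or 403 means the web server, or PHP-FPM, refused to pass a non-existent .php path to the interpreter (a 403 with the body "Access denied." is what PHP-FPM's security.limit_extensions returns for such a request), while a 200 that serves the image's own bytes means the request reached PHP with the cgi.fix_pathinfo behaviour described above, and PHP embedded in that image would have run. The base URL, the avatar path and the foobar.php suffix are assumptions for illustration. The server-side fixes are try_files $uri =404; inside the PHP location block in nginx and cgi.fix_pathinfo=0 in php.ini.

```python
"""Probe a site for the nginx/PHP "pathinfo" pitfall.

Added example, not part of the original thread. For each image path it
requests <base>/<image>/foobar.php and classifies the reply. The base URL,
image paths and the suffix name are assumptions used for illustration.
"""
import sys
import urllib.error
import urllib.request

PROBE_SUFFIX = "/foobar.php"   # hypothetical, as in the post above

# Leading bytes of GIF/PNG/JPEG files: if the probe answer starts with one
# of these, the server served the image for a URL that does not exist.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG", b"\xff\xd8\xff")


def classify(status, body, image_body=None):
    """Return 'safe', 'vulnerable' or 'suspicious' for one probe response.

    status      HTTP status of GET <image>/foobar.php
    body        first bytes of the response body
    image_body  optional first bytes of the real image, for comparison
    """
    if status in (403, 404):
        return "safe"            # refused, or the file-existence check fired
    if status == 200:
        if image_body is not None and body[:16] == image_body[:16]:
            return "vulnerable"  # the image came back as if it were the script
        if body.startswith(IMAGE_MAGIC):
            return "vulnerable"
        return "suspicious"      # 200 with some other body: PHP may have run
    return "suspicious"          # 5xx etc.: look at it by hand


def fetch(url, limit=64, timeout=10):
    """GET url; return (status, first `limit` bytes). 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(limit)
    except urllib.error.HTTPError as err:
        return err.code, err.read(limit)


def probe(base_url, image_paths):
    """Probe every image path; return {image path: verdict}."""
    results = {}
    for path in image_paths:
        status, body = fetch(base_url.rstrip("/") + path + PROBE_SUFFIX)
        results[path] = classify(status, body)
    return results


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://yoursite"  # assumed
    paths = sys.argv[2:] or ["/uploads/avatars/avatar_1.gif"]       # assumed
    for img, verdict in probe(base, paths).items():
        print(f"{img}{PROBE_SUFFIX}: {verdict}")
```

Run it as python probe.py http://yoursite /uploads/avatars/avatar_1.gif with your real avatar paths. A "suspicious" verdict (a 200 whose body is neither the image nor an error page) means PHP answered with something and the raw response deserves a manual look.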
Hi.

I actually doubt that I have an insecure setup. I run the latest PHP/nginx/SQL etc., and have some very large (Alexa top 1000) sites on my servers (so that makes me a good candidate for hacks :P).

I tried yoursite/somefile.jpg/foobar.php. Somefile.jpg obviously had PHP code in it, and nginx threw a white page with the text "Access denied." (HTTP headers: Status: HTTP/1.1 403 Forbidden), so I think it did well :)
I also tried a real image as somefile.jpg and a real PHP file as foobar.php. This ALSO threw the 403 error.

Anyway, I think we are missing the point here. How can this person upload files (like .htaccess, php files, image files, etc) to begin with?
(2012-01-30, 11:48 PM) Renox Wrote: I run the latest PHP/nginx/sql etc...

It's not a question of the version you're running - the question is how it's configured.

Some more background information in the nginx wiki: http://wiki.nginx.org/Pitfalls#Passing_U...sts_to_PHP

(2012-01-30, 11:48 PM) Renox Wrote: How can this person upload files (like .htaccess, php files, image files, etc) to begin with?

Once he's got a PHP backdoor in place, everything's easy - make sure to get rid of all of them; there are like a thousand places to hide them, in various files and inside the MyBB DB itself (templates are eval()'d). The question is how he managed to do that in the first place, and that question only you can answer...
I think we established that my webserver isn't passing uncontrolled requests to PHP.
I said that in this post. But let's forget all of that. I think it's more interesting to go back to the root of the problem:
This hacker was able to upload files into my /uploads/avatars/ directory which is chmod 777.
So call me crazy, but that leads me to believe there must be something exploitable in the myBB script that allows him to upload any file to that directory.

-> The Private Inquiries forum has some additional information about this 'case'.

PS: I did look at the nginx config common pitfalls out of interest, but luckily for me my config was fine on all points. :D
If you have any of the rogue images, can you zip them up and email them to me? If so, PM me and I will provide my email.

I have been trying PHP injection in images and trying to upload them as avatars since reading your post, but MyBB is catching them and/or my server is not executing them. If I can check the images, it will give more info.
Nginx is very easy to misconfigure for PHP execution. Your exploit is almost definitely NOT MyBB and is much more likely to be your web server, a service (FTP), or another script you're running.

Quote: And have some very large (Alexa top 1000) sites on my servers (so that makes me a good candidate for hacks

Any Alexa 1k site should have its own dedicated server or even multiple servers. I'm Alexa 3k and I need 3 servers to run my site. And an Alexa 1k site should be making thousands or even tens of thousands per month. That should be enough income to pay someone competent to run the servers.

I don't recommend nginx for running PHP. If anything, do a reverse proxy with nginx in front and Apache behind it. You then get the best of both worlds.
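Since the rogue files were deleted before anyone could look at them, here is an added example (my own code, not MyBB's and not from this thread) of the scan that would have caught the files described earlier in /uploads/avatars/: it flags a .htaccess file and any file whose extension is not one of the avatar extensions named in the thread, checks that each image's leading bytes match its extension, and searches every file, whatever its name, for a PHP open tag, which is what turns a valid GIF into a polyglot like the 1.gif described above. The sample files it writes to a temporary directory are constructed for the demonstration; the .htaccess sample reuses the AddType line quoted in the thread.

```python
"""Scan an upload directory for files that do not belong there.

Added example, not code from MyBB or from this thread. The sample files
written by build_sample_dir() are constructed for the demonstration.
"""
import os
import re
import sys
import tempfile

# Avatar extensions the thread says MyBB allows.
ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}

# Expected leading bytes for each image type.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".bmp": (b"BM",),
}

PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Apache directives that make the server run other extensions as PHP,
# like the AddType line quoted in the thread.
PHP_HANDLER = re.compile(rb"^\s*(?:AddType|AddHandler|SetHandler)\b.*php",
                         re.IGNORECASE | re.MULTILINE)


def scan_file(path):
    """Return a list of findings for one file; an empty list means clean."""
    findings = []
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as f:
        data = f.read()

    if name == ".htaccess":
        findings.append("htaccess present in upload dir")
        if PHP_HANDLER.search(data):
            findings.append("htaccess maps extra extensions to PHP")
    elif ext not in ALLOWED_EXT:
        findings.append(f"unexpected extension {ext or '(none)'}")

    # An image whose header does not match its extension was not made by an image tool.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("magic bytes do not match extension")

    # Polyglots keep a valid image header and hide the code further in,
    # so the tag search runs on every file regardless of header or name.
    if PHP_OPEN_TAG.search(data):
        findings.append("contains PHP open tag")
    return findings


def scan_dir(root):
    """Walk root and return {relative path: findings} for suspicious files."""
    report = {}
    for dirpath, _subdirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            findings = scan_file(full)
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report


def build_sample_dir():
    """Write constructed samples to a temp dir: a clean GIF, a GIF/PHP
    polyglot, a stray .php file and a .htaccess like the one in the thread."""
    root = tempfile.mkdtemp(prefix="avatars_")
    samples = {
        "avatar_7.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;",
        "1.gif": b"GIF89a\x01\x00\x01\x00;<?php /* constructed polyglot */ ?>",
        "shell.php": b"<?php /* constructed placeholder */ ?>",
        ".htaccess": b"AddType x-httpd-php .php .htm .gif\n",
    }
    for fn, content in samples.items():
        with open(os.path.join(root, fn), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for rel, findings in sorted(scan_dir(target).items()):
        print(f"{rel}: {'; '.join(findings)}")
```

Run it as python scan_uploads.py /path/to/uploads (with no argument it scans the constructed samples). Note what it does not do: it cannot tell whether an image that carries a PHP tag was ever executed, and a file that merely contains the characters "<?php" inside legitimate image data will be flagged too, so treat every hit as something to open and read, not as proof on its own.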
(2012-01-31, 02:56 AM) Renox Wrote: I think we established that my webserver isn't passing uncontrolled requests to PHP.

We'll have to take your word of it, especially since your site url seems to be a big secret. Smile

(2012-01-31, 02:56 AM) Renox Wrote: that leads me to believe there must be something exploitable in the myBB script that allows him to upload any file to that directory.

It's possible, of course. It's just that the info you provided so far does nothing to help me find such an exploit, if it exists. I did go over the avatar upload routine in MyBB's source after reading your first post, but didn't find anything new. So if there's an issue, I need better input from your end to find it.

(2012-01-31, 02:56 AM) Renox Wrote: PS: I did look at the nginx config common pitfalls out of interest, but luckily for me my config was fine on all points. :D

I hope so for your sake -