I've recently installed phpMyFAQ 1.6.8. As with the older versions, I get a problem with the FAQ title every time I upgrade to a new version. The title of my FAQ is "Blankster's FAQ"; after the update, "Blankster\'s FAQ" is displayed as the title. It would be nice if you could fix that bug...
Another question too: Due to the SQL injection vulnerability I got hacked. It was not phpMyFAQ that was hacked but Serendipity (a blog). How scared do I have to be now? What kind of access did this vulnerability give to the attacker?
Greets and best regards,
Dawn
Problem with ' in FAQ-Title
Moderator: Thorsten
Re: Problem with ' in FAQ-Title
Hi,
Dawn wrote: I've recently installed phpMyFAQ 1.6.8. As with the older versions, I get a problem with the FAQ title every time I upgrade to a new version. The title of my FAQ is "Blankster's FAQ"; after the update, "Blankster\'s FAQ" is displayed as the title. It would be nice if you could fix that bug...
I'm sure that there is no bug: could you post here (or just email me) the complete configuration of your server (at least a URL pointing to a phpinfo() page) and the steps you've applied to update your PMF installation? During the update stage, if you come from 1.6.0+, no database manipulation is performed.
Dawn wrote: Another question too: Due to the SQL injection vulnerability I got hacked. It was not phpMyFAQ that was hacked but Serendipity (a blog). How scared do I have to be now? What kind of access did this vulnerability give to the attacker?
If the vulnerability is known, you could ask the developers about the possible risks and/or what the users reported about it; otherwise a full inspection of the webserver logs should be the first step to try to understand what the cracker did on your server.
Ciao,
Matteo
phpMyFAQ QA / Developer
Amazon.co.uk Wishlist
Hi,
Dawn wrote: I'm using PHP5, MySQL 5.x Server and MySQL 4.x Client on a Debian Server. The script is owned by www-data:www-data.
Sorry, besides the PM, could you also post the PMF version from which you've performed the update?
Dawn wrote: Which developer should I ask for this purpose?
Those from Serendipity: I do not use it and I can't be of any help. Moreover, you can contact your sysadmin to look for any suspicious files that appeared after the estimated date and time of the attack.
Ciao,
Matteo
Matteo wrote: Sorry, besides the PM, could you also post the PMF version from which you've performed the update?
I've updated from 1.6.7 but I had 1.6.6 too. I'm not really sure when the cracker used the exploit to hack my system.
Matteo wrote: Those from Serendipity: I do not use it and I can't be of any help. Moreover, you can contact your sysadmin to look for any suspicious files that appeared after the estimated date and time of the attack.
Hmmm, I'm the admin of my server... So I have to look for that kind of thing. I only want to know how much access, and to what, the attacker had due to the exploit in PMF?
Hi,
Dawn wrote: I've updated from 1.6.7 but I had 1.6.6 too. I'm not really sure when the cracker used the exploit to hack my system.
Mmmhhh... so if I've understood correctly, whenever you update your PMF from a previous 1.6.x to the current one, with the webserver and the db server being the same before and after, you run into the issue of an extra backslash in your data. Is that correct?
Dawn wrote: Hmmm, I'm the admin of my server... So I have to look for that kind of thing. I only want to know how much access, and to what, the attacker had due to the exploit in PMF?
He could upload any file to your server: these files are potentially the real cause of any attack on your server (there are several conditions that might mitigate or block any of these attacks).
Ciao,
Matteo
Hi Matteo,
Matteo wrote: Mmmhhh... so if I've understood correctly, whenever you update your PMF from a previous 1.6.x to the current one, with the webserver and the db server being the same before and after, you run into the issue of an extra backslash in your data. Is that correct?
Exactly, and as far as I know it started with the update to 1.6.5.
Matteo wrote: He could upload any file to your server: these files are potentially the real cause of any attack on your server (there are several conditions that might mitigate or block any of these attacks).
Where can he upload the file exactly? I really don't know where I should start...
Greets,
Dawn
Hi Dawn,
Dawn wrote: Exactly, and as far as I know it started with the update to 1.6.5.
Well, as written in a post above, it's strange that any content manipulation is performed after an update, because NO data will be touched if you update PMF from any release of the 1.6.x branch to 1.6.8. BTW, I need to replicate the issue. I've just saved your phpinfo locally and you can remove the phpinfo page. If there is any issue, I guess it is linked to your having magic_quotes_gpc set to On. I'll look at it in the next few days.
Dawn wrote: Where can he upload the file exactly? I really don't know where I should start...
A rough approach would be to find files newer than a file that you know was present on the server a few days before the attack:
Code:
$ cd path/to/PMF
$ find ./ -newer path/to/an/already/present/file
You can apply this search also to the root of the file system, /.
Ciao,
Matteo
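The timestamp search suggested in the last reply, as an added example that is not part of the original thread: it runs the same `find -newer` comparison and then repeats it with `-cnewer`, because a file's mtime can be set by its owner while its ctime cannot. The directory layout and file names are constructed for the demo, and GNU or BSD `find` is assumed for `-cnewer`.

```shell
#!/usr/bin/env bash
# Added example: timestamp triage of a web root after a suspected upload.
# Every path below is constructed in a temp directory for the demo.

# The thread's search: files whose mtime is newer than a known-good file.
mtime_only() {    # $1 = web root, $2 = reference file (relative to root)
    (cd "$1" && find . -type f -newer "$2" -print | sort)
}

# Same search, also matching on ctime. The file owner can set mtime to any
# value, but the kernel updates ctime on every content or metadata change.
changed_since() {
    (cd "$1" && find . -type f \( -newer "$2" -o -cnewer "$2" \) -print | sort)
}

# Narrow the result to files a PHP-enabled web server would execute.
changed_scripts() {
    changed_since "$1" "$2" | grep -Ei '\.(php[0-9]?|phtml)$' || true
}

# Constructed fixture: an "old" install, then three files written later.
build_demo_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/attachments" "$root/images" "$root/inc"
    echo '<?php // config'  > "$root/inc/config.php"
    echo 'png'              > "$root/images/logo.png"
    echo '<?php // index'   > "$root/index.php"       # reference file
    sleep 1                                           # ensure later timestamps
    echo '<?php // unknown' > "$root/attachments/unknown.php"
    echo 'text'             > "$root/attachments/note.txt"
    echo '<?php // unknown' > "$root/images/thumb.php"
    touch -t 200701010000 "$root/images/thumb.php"    # mtime backdated
    echo "$root"
}

root=$(build_demo_tree)
echo "mtime only:";          mtime_only "$root" index.php
echo "mtime or ctime:";      changed_since "$root" index.php
echo "executable by PHP:";   changed_scripts "$root" index.php
rm -rf "$root"
```

ctime also moves on permission or ownership changes, so the wider list needs review against known maintenance activity before anything in it is treated as suspicious.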