A new blog entry has been added:
[drupal=251]osCMax Security Update - Arbitrary Upload Exploit[/drupal]
A security hole was found in osCMax 2.0 RC 3.0.1 that allows a remote attacker to upload files to your site via a browser.
I just received an email with this info 2-3 hours ago. I guess everyone else on the forum must have received it too; I just wanted to say that it is nice to be informed when this kind of vulnerability is found.
Thx!
My company web site has had many code changes.
I don't think it is possible to update to RC3.
Which files contain this kind of threat?
Or what can I do to prevent this kind of threat?
Thx for the notification.
Follow the link michael_s posted; you only need to delete a few files from your default OSCMAX installation, so it really doesn't matter how much you have modified your store previously!
Update appreciated, but I would just like to double check something please.
Looking at the posted file paths/dirs to be removed, all mine seem to be installed under:
/filemanager/connectors (this dir also includes /browsers)
Within /browser/default/ (as described in the e-mail alert and post), this dir contains two dirs: /images and /js/FCKeditor/editor/filemanager/browser/default/connectors/*.*
I am just verifying the posted paths against what I find/see, please?
Thx...Jim
Hi Mike,
Do you have any additional info that you can share about this exploit? Are there certain files that were being uploaded or changed due to this exploit? My assumption is target files are always credit card related, database, or even email related.
Arbitrary Upload Exploit - I didn't even check, I just deleted the unneeded files, but I can assume that those included files are not needed for FCKeditor on OSCMAX/PHP, but could be used to upload anything/anywhere on your store.
Once someone does that, they can basically do anything they want with your host - download your complete store database, modify your store so when customers use a credit card the details are emailed to someone, upload a PHP script so your store is sending a gazillion spam messages every day without you even noticing, etc.
Yes, I was curious also as here's a 7 day search result:
- Google Search
And I see the new download contains new folder names?
Jim
Honestly, I'm not a huge fan of FCKeditor anyway.
One advantage of having a dedicated server and being actively involved with it is things like email can be tightly monitored if things change so I don't think I've been exploited there. But, there's always possibilities for something I haven't considered.
My biggest fear is credit card related files being altered to compromise customer cc data but I only use one CC system and I watch those files pretty carefully.
The key file(s) to remove are the test.html files included with that version of fckeditor. They do not sanitize input and allow the upload process to occur. Your file structure for FCKeditor may differ from that posted in the security notice, but be sure to remove all the test.html file(s) in fckeditor.
The other directories/files that are removed were part of a default fckeditor 2.0 install, and should be removed as osCMax does not use them. We took the opportunity to get them out of the package once and for all.
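As an added check (example code, not from osCMax, FCKeditor or this thread), the audit below lists the leftovers the two posts above say to delete: every test.html under an fckeditor directory, plus the unused filemanager/connectors and filemanager/browser/default/connectors directories. It assumes the editor sits in a directory named "fckeditor" (any case) somewhere below the store root; it only reports and deletes nothing.

```shell
#!/bin/sh
# Added audit helper (not code from osCMax, FCKeditor or the forum thread).
# Reports the FCKeditor 2.0 leftovers named in the security notice:
#   (1) every test.html below an fckeditor directory (the upload entry point
#       the thread identifies), and
#   (2) the unused connector directories editor/filemanager/connectors and
#       editor/filemanager/browser/default/connectors.
# Assumption: the editor lives in a directory called "fckeditor" (any case)
# under the store root. Nothing is deleted; the output is a to-do list.

# audit_fckeditor STORE_ROOT
# stdout: one finding per line. Exit 0 = clean, 1 = leftovers found, 2 = bad root.
audit_fckeditor() {
    root=$1
    [ -d "$root" ] || { echo "audit_fckeditor: no such directory: $root" >&2; return 2; }
    findings=$(
        find "$root" -type d -iname fckeditor -print 2>/dev/null |
        while IFS= read -r ed; do
            # (1) sample pages shipped inside the editor tree
            find "$ed" -type f -iname 'test.html'
            # (2) connector directories osCMax does not use
            find "$ed" -type d \( -path '*/filemanager/connectors' \
                               -o -path '*/filemanager/browser/default/connectors' \)
        done | sort -u
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        n=$(printf '%s\n' "$findings" | wc -l | tr -d ' ')
        echo "audit_fckeditor: $n leftover item(s) to remove" >&2
        return 1
    fi
    echo "audit_fckeditor: clean" >&2
    return 0
}

# Usage (path is a placeholder):  audit_fckeditor /var/www/store
```

Re-run it after deleting the reported items; a clean tree exits 0, so it can sit in a cron job or deployment check for stores that cannot move to the new package.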