Saturday, January 22, 2011

the sourceforge entry point seems still active

February 3, 2011 - Update:

A discussion on e107 official web site: http://e107.org/comment.php?comment.news.878


February 2, 2011 - Update:

Further evidence that the SourceForge breach was used by a web bot. At least, from the following screenshot, it seems that the entry point was detected by a web vulnerability scanner bot. The figure shows a well-known method used by web bots: posting the results of their work to a pastebin-clone web site.


This pastie was released at the end of 2010. The bad thing is that the OFF keyword tells the bot admin that php_safe is OFF.


January 30, 2011 – Update:
SourceForge has formally admitted the problems that I notified them of in December 2010. My research and my message on the Full Disclosure mailing list about the possible exploitation of a not-so-new e107 bug that could permit privilege escalation attempts look like they have been confirmed. Here is the update:

Sourceforge Attack: Full Report
http://sourceforge.net/blog/sourceforge-attack-full-report/

January 28, 2011 - Update:

On Hacker News an update is reported, and it seems that the SourceForge server has been compromised:

Sourceforge servers compromised
http://news.ycombinator.com/item?id=2150639

The SourceForge response:
http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27/sourceforge-net-attack-update/

January 22, 2011:

Just now I found a post from Imperva: http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html. Intrigued by their results, which are similar to those published in my previous post approximately one month ago (http://extraexploit.blogspot.com/2010/12/some-considerations-on-ettercap-source.html), I decided to do some checks. I noticed that the SourceForge entry point is still active. This is what seems possible from the error message that appears on this page. As you can see from this screenshot, the problem seems to reside in a project home page that includes a bugged e107 version:

[Screenshot: sourceforge2]

With further investigation it is possible to find the page where the version of e107 vulnerable to a remote command execution issue is placed. This entry point could be used by a remote script to send system commands to the server (http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html). The following screenshot shows the well-known form that exposes SourceForge to this vulnerability:

[Screenshot: forme107]

The problem is that this breach, if confirmed, could be exploited to modify source code, undermining the trust level of the applications maintained by this software repository.

2 comments:

  1. Hehe you have hidden the sourceforge link on your webbot screenshot but not the other vulnerable websites. :-)

    In my honeypot logs, I see at least 5 sourceforge accounts that seem hackable and used as an entry point.

  2. This comment has been removed by the author.
