Site compromised via plugin.pluginAjax

coza

New Member
I have the latest Joomla (3.73) and the latest Fabrik (3.6). The Fabrik install is updated via the standard Joomla update system.

I have just had a couple of files written into the web root dir by what looks like a POST call to the plugin.pluginAjax plugin.

Below are the web logs of the actual PUT, and one entry before it, which looks like the test to see if 'they' can PUT.

Code:
114.125.202.218 - - [06/Jul/2017:03:51:06 +1000] "GET /favicon.ico HTTP/1.1" 404 628 "https://www.dmcc.com.au/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
114.125.202.218 - - [06/Jul/2017:03:51:14 +1000] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 200 1002 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"

Looks like the POST wrote an 'index.html' and 'ssiwebshell.shtml' file into the web root. The file dates perfectly match with the POST. Nothing else as far as I can tell.

In the logs I can see that the 'script kiddy' script tested for many different web apps and files and obviously got a hit with that Fabrik plugin.

Have I come across a vulnerability with Fabrik, or would it be something else that allowed these files to be uploaded?
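The triage the poster did by hand (find the POST to the fileupload ajax_upload endpoint, then match the web-root files whose dates line up with it) can be scripted. This is an added example, not code from the thread or from the Fabrik project; the log lines and file modification times below are constructed for the example, modelled on the entries quoted in the thread, and the `access.log.8:` prefix handling exists only because grep output with file names appears later in the thread.

```python
"""Triage a combined-format access log for Fabrik fileupload ajax_upload
requests and correlate successful POSTs with web-root file mtimes.
Added example; sample data is constructed, not taken from a real server."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Combined log format, optionally prefixed with "filename:" as grep prints it.
# IPv4 only: an IPv6 client address contains colons and would be mis-split.
LOG_RE = re.compile(
    r'^(?:[^:\s]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_fabrik_ajax_upload(path):
    """True when the query string targets the fileupload element's ajax_upload
    method via plugin.pluginAjax, i.e. the request shape seen in the thread."""
    qs = parse_qs(urlsplit(path).query)
    first = lambda k: qs.get(k, [""])[0]
    return (first("option") == "com_fabrik" and first("task") == "plugin.pluginAjax"
            and first("plugin") == "fileupload" and first("method") == "ajax_upload")


def triage(lines):
    """Return (hits, successful_posts_by_ip). A GET only probes the endpoint;
    a POST answered with 2xx is the request that can actually write a file."""
    hits, by_ip = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_fabrik_ajax_upload(rec["path"]):
            continue
        if rec["method"] == "POST":
            rec["severity"] = "upload-succeeded" if 200 <= rec["status"] < 300 else "upload-attempt"
        else:
            rec["severity"] = "probe"
        hits.append(rec)
        if rec["severity"] == "upload-succeeded":
            by_ip[rec["ip"]] += 1
    return hits, dict(by_ip)


def correlate_files(hits, file_mtimes, window_seconds=120):
    """Map each web-root file whose mtime falls within window_seconds after a
    successful upload POST to the source IP of that POST."""
    suspicious = {}
    for rec in hits:
        if rec["severity"] != "upload-succeeded":
            continue
        for path, mtime in file_mtimes.items():
            delta = (mtime - rec["time"]).total_seconds()
            if 0 <= delta <= window_seconds:
                suspicious.setdefault(path, rec["ip"])
    return suspicious


# Constructed sample log (documentation IPs, generic UA), modelled on the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Jul/2017:03:51:06 +1000] "GET /favicon.ico HTTP/1.1" 404 628 "https://example.test/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload" "Mozilla/5.0"
198.51.100.7 - - [06/Jul/2017:03:51:10 +1000] "GET /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 200 54 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jul/2017:03:51:14 +1000] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 200 1002 "-" "Mozilla/5.0"
access.log.8:203.0.113.9 - - [06/Jul/2017:03:52:16 +1000] "GET /index.html HTTP/1.1" 200 2123 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Jul/2017:03:55:00 +1000] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 302 262 "-" "Mozilla/5.0"
""".splitlines()

# Constructed web-root mtimes: two files written one second after the POST,
# one untouched file from long before.
_AEST = timezone(timedelta(hours=10))
SAMPLE_MTIMES = {
    "index.html": datetime(2017, 7, 6, 3, 51, 15, tzinfo=_AEST),
    "ssiwebshell.shtml": datetime(2017, 7, 6, 3, 51, 15, tzinfo=_AEST),
    "configuration.php": datetime(2016, 1, 1, 0, 0, 0, tzinfo=_AEST),
}

if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for h in found:
        print(h["time"].isoformat(), h["ip"], h["method"], h["status"], h["severity"])
    print("successful upload POSTs per IP:", counts)
    print("files written right after a successful POST:", correlate_files(found, SAMPLE_MTIMES))
```

On a real server, replace `SAMPLE_LOG` with the lines of the access log and build `file_mtimes` from `os.stat()` of the web root; a POST that succeeded combined with a file that appeared seconds later is the pair to act on, and the IPs in the second return value are the ones to block.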
 
I have just seen the latest git commits about the ajax upload security issue; I assume it is all part of that. Any idea when the update for this issue is in general release?
 
It's out now. Update ASAP.

We'll be available over the weekend to help with any unrelated update issues.

-- hugh
 
Suddenly yesterday a file "index.html" was created in my root folder by the Fabrik plugin with the content "Nothing to see here. Move along. This file was created by Fabrik, etc...". I don't have any form with an upload element. I know this happens when we have a wrong upload folder path. And I see a file created by a hacker in the root, with some "advertising" fake web page. Could it be related to this flaw?

thanks
 
Thanks -- I just updated to the latest release, here was my log:

114.125.186.158 - - [24/Jul/2017:09:25:24 -0600] "GET /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 200 54 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
114.125.186.158 - - [24/Jul/2017:09:25:24 -0600] "GET /favicon.ico HTTP/1.1" 200 32038 "http://www.mwlists.com/index.php?op...uginAjax&plugin=fileupload&method=ajax_upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"

I also blocked this IP :

access.log.8:208.98.49.43 - - [24/Jul/2017:09:26:16 -0600] "GET /index.html HTTP/1.1" 200 2123 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
access.log.8:208.98.49.43 - - [24/Jul/2017:09:26:20 -0600] "HEAD / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
 
Hello Hugh,

I just saw that my website shows the same message instead of my front page, like user quantility wrote back in August 2017.

I am on version 3.8 and I thought this issue was fixed. This is the second time this has happened in the last two months. The first time, though, I was running an old version of Fabrik and then I updated it.

Could you please assist and confirm whether this issue is fixed or there is something else going on?

Here is a copy of my log:
105.157.124.176 - - [04/Apr/2018:15:21:25 +0300] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 302 262 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
105.157.124.176 - - [04/Apr/2018:15:21:26 +0300] "GET /XRANG.php HTTP/1.1" 404 1958 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
105.157.124.176 - - [04/Apr/2018:15:21:27 +0300] "POST /index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload HTTP/1.1" 200 68 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
105.157.124.176 - - [04/Apr/2018:15:21:27 +0300] "GET /XRANG.html HTTP/1.1" 200 9607 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"

Thank you!
 
Can you check the file ...

./plugins/fabrik_element/fileupload/fileupload.php

... on your server, and compare it to this one:

https://github.com/Fabrik/fabrik/blob/master/plugins/fabrik_element/fileupload/fileupload.php#L2695

... specifically the lines from around 2695 to 2717, where it does a spoofCheck() and a canUse() test, and confirm that your code is identical.

Also, confirm that you have not disabled spoof checking in the Form settings (in the Form Processing tab), or in the global settings (Options tab, top right of any main backend Fabrik page, in the Forms tab).

-- hugh
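The two things hugh asks the poster to verify (that the installed fileupload.php still contains the spoofCheck() and canUse() calls, and, implicitly, that the update actually replaced the file) can be checked with a small audit script. This is an added example, not Fabrik's code and not from the thread; it does not include any Fabrik source, so the demonstration writes two constructed stand-in files to a temporary directory, one carrying both calls and one without them with its mtime set back to 2016. The release date used as the threshold is the "3.8.1 from Feb 2018" mentioned later in the thread.

```python
"""Audit an installed fileupload.php for the spoofCheck()/canUse() calls and
for a modification time consistent with the release that should have
installed it. Added example with constructed stand-in files."""
import os
import tempfile
from datetime import datetime, timezone

REQUIRED_CALLS = ("spoofCheck(", "canUse(")

# Constructed threshold: a file older than the release that claims to contain
# the fix cannot be that release's file.
RELEASE_3_8_1 = datetime(2018, 2, 1, tzinfo=timezone.utc)


def audit_fileupload(path, release_date=RELEASE_3_8_1):
    """Return a report dict: which required calls are missing, the file mtime,
    and whether the file predates the release it is supposed to come from."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    missing = [call for call in REQUIRED_CALLS if call not in src]
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    predates = mtime < release_date
    return {
        "path": path,
        "missing_checks": missing,
        "mtime": mtime,
        "predates_release": predates,
        "ok": not missing and not predates,
    }


# Constructed stand-ins (hypothetical PHP fragments, not Fabrik's real code).
PATCHED_STUB = """<?php
class PlgFabrik_ElementFileupload {
    public function onAjax_upload() {
        $this->spoofCheck();
        if (!$this->canUse()) { return; }
    }
}
"""
UNPATCHED_STUB = """<?php
class PlgFabrik_ElementFileupload {
    public function onAjax_upload() {
        // no access checks at all
    }
}
"""


def make_stand_ins(directory):
    """Write the two stand-in files; the unpatched one gets a 2016 mtime, the
    situation the later post describes (file date still 2016 after 'updating')."""
    patched = os.path.join(directory, "fileupload_patched.php")
    unpatched = os.path.join(directory, "fileupload_old.php")
    with open(patched, "w", encoding="utf-8") as fh:
        fh.write(PATCHED_STUB)
    with open(unpatched, "w", encoding="utf-8") as fh:
        fh.write(UNPATCHED_STUB)
    old = datetime(2016, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(unpatched, (old, old))
    return patched, unpatched


def demo():
    """Audit both stand-ins and return their reports (patched first)."""
    with tempfile.TemporaryDirectory() as tmp:
        patched, unpatched = make_stand_ins(tmp)
        return audit_fileupload(patched), audit_fileupload(unpatched)


if __name__ == "__main__":
    for report in demo():
        print(os.path.basename(report["path"]), "->", "OK" if report["ok"] else
              f"missing {report['missing_checks']}, mtime {report['mtime'].date()}, "
              f"predates release: {report['predates_release']}")
```

On a live site, point `audit_fileupload` at `./plugins/fabrik_element/fileupload/fileupload.php`; a result with `missing_checks` non-empty or `predates_release` true means the installed file is not the released one, which is exactly the situation the next posts turn out to describe.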
 
Hello,
The file (./plugins/fabrik_element/fileupload/fileupload.php) in my system didn't have any spoofCheck in it. My File Upload is 3.8.1 from Feb 2018.
I have uninstalled the extension until you help me figure out what is going on.
Looking forward to hearing from you with any further guidance you may have!
Thank you!
 
I just checked the ZIPs from our downloads, and the 3.8.1 ZIP definitely has the right code. Here's a pic ... that's FileZilla on the right, where I downloaded the 3.8.1 package ZIP from our downloads folder, and on the left is where I unzipped and checked the fileupload.php code.

So I don't know why your site didn't get the right code. How did you update? Did you do the J! updater, or download the ZIP from our downloads page and update from that? Both methods use the same ZIP file, though.

[attached image: uploadzip.png]

-- hugh
 
Hi, I used J! updater and it went smooth.
However, when I check the file in question I see it is with a date back in 2016, so obviously the update didn't happen.
What could be the reason, or how can I find out?
Can you please point me to a step by step guide to do a manual update?
 