Sponsor:

Server and Web Integrator
Link:
Kloxo-MR logo
6.5.0 or 7.0.0
Click for "How to install"
Donation/Sponsorship:
Kloxo-MR is open-source.
Donate and or Sponsorship always welcome.
Click to:
Click Here
Please login or register. 2017-05-28, 02:44:03

Author Topic: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?  (Read 8571 times)

0 Members and 1 Guest are viewing this topic.

Online MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 14,490
  • Karma: +105/-8
  • Gender: Male
    • View Profile
    • MRatWork Forum
Many information about 'Kloxo-MR 6.5.0 - CSRF Vulnerability'. One of report is http://www.exploit-db.com/exploits/32666/.

The question is real or 'false positive'?.

In my test (using Kloxo-MR 6.5.1.b-2014041104):

1. Open firefox and then login with admin as user
2. Open new tab and then execute their code --> success
3. Open Chrome and then execute their code --> fail and page redirect to login page

Conclusion:
1. Their code not work without login (or remote execute will be fail and automatically redirect to login page)
2. With login mean page for their code will have the same session.
2. Not testing for 6.5.0.f but I think the same situation

Action:
1. Above fact still importance for security issue
2. Since 6.5.0.f and 6.5.1.b 2014041602, add 'csrf token' validation.
3. Effect of #2, every process via 'post' (like add domain) always verified with 'csrf token' with/without login
« Last Edit: 2014-04-17, 14:44:31 by MRatWork »
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline Kloxo-DR

  • Senior Member
  • *
  • Posts: 239
  • Karma: +3/-9
    • View Profile
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #1 on: 2014-04-17, 12:06:50 »
Hi Mustafa,

It is just amazing to see how you have handled such a declaration of exploit. I AM ONE OF THE VICTIM OF THIS EXPLOIT - on and after 12 March 2014 at 18.35 hours GMT onwards!

It is unfortunate that you have neglected my request multiple times. You had a chance to look at what was available on my server and make tests. The hacker has changed mysql root password on my server many times and also uploaded trojaner on my server.

WITH THIS THE HACKER CONVERTED MY SERVER AS AN EMAIL BOMBING SERVER!

Most likely the hacker has not published many things or given important hints. With this he wants to observe hoe intelligent you are.


Online MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 14,490
  • Karma: +105/-8
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #2 on: 2014-04-17, 13:01:17 »
Kloxo-MR still safe without 'token validate'. But, better implementing 'token validate'.

Your issue not related to this 'hole' but entering your system via other 'door'.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline Kloxo-DR

  • Senior Member
  • *
  • Posts: 239
  • Karma: +3/-9
    • View Profile
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #3 on: 2014-04-17, 14:48:34 »
Hi Mustafa,

That means that others also has a similar problems due to exploits or other scripts on their system?

On my server, I found that a joomla user was created and later changed to administrator. The administrator directory was protected. There was no other door open left open for anyone to change the status of a newly created user. There was no other script that could be suspected of having exploits.

The change of status of a joomla user occured through this exploit by changing the status in mysql database.

Offline Kloxo-DR

  • Senior Member
  • *
  • Posts: 239
  • Karma: +3/-9
    • View Profile
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #4 on: 2014-04-17, 18:54:45 »
Hi Mustafa,

I also forgot to mention something earlier, and in support of my assumption, I present following logic:

Before the change of joomla administrator took place, there was a similar change before a month in a different client's account. The joomla as well as xoops user's table were made totally empty! Joomla administrator dir was password protected and not publicly accessable.

The second client the admin dir was also pass protected.

How did both clients got affected?

In xoops, xoops_profile data was there and only xoops_user was emptied by the hacker.

Both the client's accounts were victimized such that qmail server was used to send emails in the domain name  of the clients as relay server.

In the first case (xoops), the hacker used a remote ip to relay spam of the domain with xoops cms.

After I blocked his ips, he installed a trojan through changing joomla administrator and he managed to hack the joomla admin by changing the admin status of registered user, installed a trojan and relayed spam bomd locally.

Otherwise there is nothing to explain how the hacker "hacked two accounts from different clients", one had joomla and the other joomla/xoops.

Both were used to create spam bombs on my server.

The pattern involved in deleting usertable, relaying spam, etc, and the intelligence from log files gathered, I am sure that YOU ARE WRONG in your assumption , that Kloxo-MR is secure, and thus I repeat once again that you urgently  need to look in this matter.

No other thing could explain other than Kloxo-MR possibility to hack. Now that the exploit above is known to me, I am sure that thats how it happened earlier.

I request you to check 10 times as it is most likely something that you are missing.
« Last Edit: 2014-04-17, 19:03:39 by Kloxo-DR »

Offline johnnyto1979

  • Junior Member
  • *
  • Posts: 34
  • Karma: +0/-0
  • Gender: Male
    • View Profile
    • Fixme - Freianzeigen.tk
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #5 on: 2014-04-19, 09:03:02 »
HI.
How many websites were affected?
Kloxo Mr files was also ?
Have you some logs from rkHunter? same logs from Apache or Nginx ?
I can't believe that! Maybe only that website was affected.
Maybe you had same joomla mod or plugin ... that was vulnerabil ...
Show some logs evidence.
Have a nice day.

Offline Kloxo-DR

  • Senior Member
  • *
  • Posts: 239
  • Karma: +3/-9
    • View Profile
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #6 on: 2014-04-19, 15:04:00 »
Hi johnnyto1979,

Just now, while I was working and logged in Kloxo-MR, the port was reset from my custom port to default port.

Kloxo-MR has become a totally idiotic panel to use. It is simply wasting time of everyone and waste and waste.

I refuse to recognize Mustara's decisions to put priority of integrations of all latest php's and proxies as against security and enhancement of existing features.

>>> How many websites were affected?

One domain was affected in one account. The spammer spammed for about six months "very conviniently" to relay spams from this domain by making remote connections.

I did not realize because the emails immediately got delivered to different addresses, that came from remote and went to other remote. My server ip got black listed on barracuda twice.

I was forced to change the server twice and configure twice.

Only the third time, I found this nonsense by vigorously installing and investigating the matter.

Then I blocked the incoming ip connections of the spammer from Chicago.

Then the hacker attacked by changing the admin in joomla from a different client and happily installed a Trojan called PHP/Backdoor as well as PHP/Agent.4 under component's directory.

I kept on complaining to Mustafa to do something about email server. Mustafa and Chris, and others thought that it is the problem in my local server. All this assumption was useless and lead to taking my issue as not serious.

There was no joomla plugin or component that had problems. There was a change of a registered user to administrator. I could see from the log files that the same iP was attacking and trying to hack joomla admin but remained without success.

If one joomla plugin or component has some security holes, then what about the other account where xoops was installed? There things happened the same. What could be an explaination for that?

I am not sure how many security holes are still there in koloxmr.

After I found that Mustafa does not take all this seriously, I even stpopped posting things any further.

Offline Kloxo-DR

  • Senior Member
  • *
  • Posts: 239
  • Karma: +3/-9
    • View Profile
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #7 on: 2014-04-19, 21:17:40 »
Hi Mustafa,

I have updated kloxomr to Current Version: 6.5.0.f-2014041801. Using Centos 6.5 32bits.

Today, while logged in kloxo admin, I could not continue work further. I found from netstat -tulpn that the custom port was closed and kloxo started using default port 7777.

After I used to login with 7777, I could change it to the custom port. Everything was working fine.

Thereafter, I took a break for five hours. In the mean time, I received 400 emails from webmin for its failure to restart httpd.

Attempting it to restart, I got: httpd not recognized service.

I need to yum install httpd. Only then I could restart.

This is a different and new server, recently configured before one week. Fresh install. On this server, there is only one client and one domain that has only html pages. There is no automatic updating of any kind...

My queastion to you:

1)
Can you explain why the changing of port and an self removal of httpd occured on kloxomr?


2)
Why do you want to have other default ports open, like 7776 and 7779 to be open or listening?

Note: Of course, I have blocked them from firewall. So I am not worried at all.
« Last Edit: 2014-04-19, 21:24:38 by Kloxo-DR »

Offline Kloxo-DR

  • Senior Member
  • *
  • Posts: 239
  • Karma: +3/-9
    • View Profile
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #8 on: 2014-04-19, 22:11:34 »
Hi Mustafa,

Can you also explain the following:

Question 3)

Why do I get such a log, lot of blocks:

Sample of port hits:
Apr 19 21:27:09 domain kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=SRC.SRC.SRC.SRC DST=DST.DST.DST.DST LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8263 DF PROTO=TCP SPT=56290 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0 UID=498 GID=498

Why is the tcpserver trying to connect to DST.DST.DST.DST through 21?

I only have html in home dir of one client.

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #9 on: 2014-04-20, 05:39:26 »
CSRF isn't about cross-browser, and opening a new browser to prove something is wrong.  I use CSRF magic site wide to insure my hosting customers are save on my portal.

KloxoMR should have CSRF protection.  CSRF-magic is open source and easy to implement.
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline Kloxo-DR

  • Senior Member
  • *
  • Posts: 239
  • Karma: +3/-9
    • View Profile
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #10 on: 2014-04-20, 08:45:49 »
Hi Mustafa,

Quote
2. Not testing for 6.5.0.f but I think the same situation

The attack described above occured on 6.5.0.f. Always was the latest, in January and also in March.

When the attack happened in the account of the client's domain in January, the CMS was xoops. The user's table was vacated.

When the attack happened on 12. March, on the day this exploit happened, the second client's account was affected. There was a fake user registered in joomla and later the status of this user was changed to administrator. The administrator's directory was htaccess protected. The admin password, although it was weak, was not used for this.

The damn coincidence of my assumption, that kloxomr was uesd for the attack, is based on many other intellegince I have gathered to build a total picture of what was really going on.

One of the most stricking evidence is the date on which the above exploit was published! Look at that from the above link. This is:

Discovery date    :03/12/2014

Just as a mere conincidence, I had applied the spamdyke patch published by Chris. Chris claimed that it worked one thousand times. On my server it did not work. These discussions were going on around this time.

Funny enough, and as a matter of a great coincidence, I applied the patch in run file suggested by Chris on 12 March. The email server did not work. I had renamed the qmail-remote to qmail-remote.now to see if the qmail-remote.orig would work.

It did not work. However, funny and most interesting, I changed it back but made a mistake in renaming by qmail-remote (was qmail-remote.orig) to qmail-remote.now! Thereafter, there was no qmail-remote there.

The attack started on my server on 13. March! There were 6.000 emails in the queue generated PER HOUR waiting for me to become furious. Fortunately, and how can I be so lucky after decades, renaming of qmail-remote.now saved me from the attack by the hacker! The qmail-remote  renaming did not send any mail bomb from my server.

See the date. Why did this get published on 12. March 2014. On 12. March @ 18.35 hours, there were severe hacking attempts to hack joomla password from the second account. Without success! On 13. March there was a relay of spam bomb waiting in the queue.

Both the above events show that my server was compromised. I found two Trojan under joomla plugin dir, as mentioned above. There was no component or plugin that had any known exploit or was vulnerable.

Following is an additional theory to understand why I miss something:

It is possible that the hacker had already managed to upload both the trojan files in January in the second account, where admin rights were elevated. Then, these files remained in the second account and were transfered to the fresh install, when I moved the server in Febraury.

This theory explains why there were attempts in the second account in March. because the hacker was not successful to hack joomla admin, he used kloxomr vulnerability to change the status of registered user to admin. Only then, he could use the Trojan file  located on the server locally because there was no upload of any kind in March.

Quote
Action:
2. Since 6.5.0.f and 6.5.1.b 2014041602, add 'csrf token' validation.
3. Effect of #2, every process via 'post' (like add domain) always verified with 'csrf token' with/without login

The above intelligence says that the problem was - most likely - in there since january, when anathor security hole was made known. You declared that kloxomr was not affected.

Now you say that kloxomr is not affected with the security hole published in March.

All this does not explain a pattern on my server, even now, why did mysql root password got changed earlier.

It does not explain above mentioned three questions.

How the hell can kloxomr change from custom port to default 7777 port and that too while I was logged in and was working? (Using 6.5.0.f-2014041701)

Was there something that you have changed in the recent update that may have caused to change the port? Investiigate this first to make sure that this was - again - not a further experiment by the hacker.

Suggestion:

I suggest that you turn off your attitude and work on the enhanced and additional security and backup/restore first. Your attitude on this two areas has brough a loss of trust and faith in the user's community.

Action:

1) IMPLEMENT TWO STEPS LOGIN AND ACTIVATION EVERY TIME

Please implement a two steps method of login. Although this may become hard for many, it shall definately make kloxomr much more secure.

Make a change in kloxomr so that every important change may work only by activating a link sent to a stored email address in admin.

This is implemented by Amazon and Google, and other companies, if an user wants to change important information related to security.

2) Re-design Kloxo-MR and Mysql password functions

I suggest that you redesign creation and reset password function of Kloxo-MR and Mysql to completely new.

For example, currently, Kloxo-MR password has 9 characters and is stored inside a known directory under kloxo. Can this be changed?

There are times when kloxomr and mysql passwords are not in harmony with. This area needs a proper attention and total redesign.

Well, if you do not implement this, I am not affected because I have already transfered some domains from Kloxo-MR to Plesk from Parallels.

I began the transfer, when you told me in the other thread and declared "Good Bye". I accepted your adamond attitude and found that your wish of "Good Bye" to me using Kloxo-MR was an enormously helping suggestion that inspired me to change.

Had you shown a lot of help and consideration, I would have further worked with Kloxo-MR. Not anymore.

I am sure that Kloxo-MR is vulnerable, and shall remain, so long as your attitudes on security remains.

Offline bigdigillc

  • Senior Member
  • *
  • Posts: 152
  • Karma: +1/-0
    • View Profile
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #11 on: 2015-01-12, 10:29:02 »
@Kloxo-DR Did you ever get this resolved? My servers have been compromised and could use some pointers.

Thanks!

Offline silverboy65

  • Junior Member
  • *
  • Posts: 8
  • Karma: +0/-0
    • View Profile
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #12 on: 2015-02-04, 09:07:49 »
Hi
Hiawatha says : . Hiawatha can stop SQL injections, XSS and CSRF attacks and exploit attempts ( i dont know how , i google it , but i cant find any description )

so as kloxo-MR use this webserver as its default webserver, there must be no problem ? right ? or we need do something to active this ?

Online MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 14,490
  • Karma: +105/-8
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #13 on: 2015-02-04, 10:08:48 »
Hiawatha have parameter like PreventCSRF, PreventSQLi and PreventXSS for this purpose. But, Kloxo-MR not implementing it.

Still better your php code implementing for protect from SQLi, XSS and CSRF.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline silverboy65

  • Junior Member
  • *
  • Posts: 8
  • Karma: +0/-0
    • View Profile
Re: [INFO] Kloxo-MR 6.5.0 - CSRF Vulnerability - really?
« Reply #14 on: 2015-02-06, 22:03:04 »
yes , i will , but i am talking about the kloxo and kloxo-MR script
i think this is the easiest way to fix this issue

 


MRatWork Affiliates:    BIGRAF(R) Inc.    House of LMAR    EFARgrafix

Page created in 0.069 seconds with 23 queries.

web stats analysis