RipSurge
Newbie
Joined: 08 May 2011
Status: Offline
Points: 9
|
Topic: Hackers Exploit in RTE v4.05 Posted: 08 May 2011 at 4:45pm |
|
Using RTE v4.05 (I didn't see any code fixes in 4.06), hackers are able to gain access to your website. They do this by bypassing security and using quite possibly the RTE_popup_save_file file to upload a file like DED_tekhnika.asp;jpg (as they did on my site) - which the mime type seems to still pick up as an ASP file, and website code preventing upload of ASP files doesn't.
They used this to inject a Trojan into my hosting server and gain access to all my websites hosted there. The hacking group responsible is Turkish SanalSystem. I hope WebWiz releases a fix to this so others don't have to spend a whole day researching, fixing all the damage done and explaining it to customers and website users, now thinking my hosting company is unsafe and not properly secured.
Kudos to the Web Wiz team for creating an awesome RTE system, I really enjoy it, and sorry to bring up the bad news about the security vulnerability.
|
 |
RipSurge
|
Posted: 08 May 2011 at 4:51pm |
|
The team responsible for the hacking runs a website at siber-cellat.org. I may be a little off in my description of how they hacked in, but it was definitely using RTE, as the first point of entry was the ".asp;jpg" files uploaded to RTE/my_documents/my_files. On top of that, the files uploaded into RTE/my_documents/my_files that contained code to infect my website had mention of names of hackers in the group siber-cellat.org, like "zehirhacker". I'm still doing more research on this..
|
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 09 May 2011 at 9:13am |
|
The Web Wiz Rich text Editor is not a complete application and as such does not have any security.
If you simply place the files on your website then a hacker can use the upload tools to upload files that can be used to hack your website.
The RTE is built as a bare bones application to apply to the text areas of your own application. Security would need to be built into your own application, which you need to apply to the RTE to ensure that it is also secure.
As a web host we often see hacked websites due to customers placing upload applications and various RTEs on websites and not applying any security to them.
If you use RTEs on websites, whether it be Web Wiz RTE or another RTE, you need to secure the application by either placing it in a password folder or applying the security that you have built into your own application to the RTE.
Edited by WebWiz-Bruce - 10 May 2011 at 7:42am
|
|
|
 |
RipSurge
|
Posted: 09 May 2011 at 10:24am |
|
Thank you for your response, I didn't think of it that way. My workaround was coding a login check into all the source pages of RTE - exactly what you've suggested. I previously had a login check only on the main editor page, which wasn't enough.
Perhaps a default setting in the RTE_Setup.asp file preventing users from uploading .asp, .jpg;asp (as they uploaded to my site), .php, etc. would be a good way to prevent this from happening to other/future users?
|
 |
WebWiz-Bruce
|
Posted: 10 May 2011 at 7:47am |
|
There is already that option in the RTE_configuration/RTE_setup.asp file where you put in the allowed upload image and file types, by default they are:-
File Types: zip;rar;doc;pdf;txt;rtf;htm;html;gif;jpg;png
Image Types: jpeg;jpg;gif;png
You would not be able to upload other file types unless you allowed them in these lists.
Edited by WebWiz-Bruce - 10 May 2011 at 7:54am
|
|
|
 |
RipSurge
|
Posted: 10 May 2011 at 7:52am |
|
The hacker was still able to upload the file "DED_tekhnika.asp;jpg", despite these rules in place, that's the loophole they found by the looks of it. My server still picked up the mime type of that file as an ASP file after they uploaded it.
|
 |
WebWiz-Bruce
|
Posted: 10 May 2011 at 7:54am |
|
Will look into this then as they should not be able to do this.
You also mention that all your sites were hacked, so it sounds like you have not locked down your server. You should run each site under a different user account with limited privileges in their own application pool and set read permissions ONLY, except on upload folders. This would limit any attack by a hacker who could then only write to the upload folder in such an attack.
|
|
|
 |
WebWiz-Bruce
|
Posted: 10 May 2011 at 8:22am |
|
Have been looking into this issue in the lab and it appears that a file named .asp;jpg will get around the file extension check.
On Windows 2008 IIS 7.x the file will not run due to the extra security built into IIS7, however on Windows 2003 IIS6 the file is processed by the server as an .asp file even with the ;jpg part on the end.
Will have a fix for this released by the end of today to reject files that use this naming to get around file checks.
|
|
|
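The naming trick discussed in this thread, shown against an upload-name check, as an added example that is not Web Wiz code or part of the original posts. `naive_is_allowed` is a hypothetical weak check (the thread does not show how RTE v4.05 actually tests extensions); `strict_is_allowed` and `stored_name` are assumed names for a stricter allowlist check plus a server-generated storage name, using the default file types quoted above.

```python
import re
import uuid

# Default allowed file types quoted in the thread (RTE_setup.asp).
ALLOWED_FILE_TYPES = "zip;rar;doc;pdf;txt;rtf;htm;html;gif;jpg;png".split(";")

# Conservative base-name alphabet: excludes ';', ':', '.', slashes,
# spaces and control characters.
SAFE_BASE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_is_allowed(filename):
    """Hypothetical weak check: only looks at how the name ends."""
    return filename.lower().endswith(tuple(ALLOWED_FILE_TYPES))


def strict_is_allowed(filename):
    """Accept only '<safe base>.<allowed type>' with exactly one dot."""
    base, dot, ext = filename.rpartition(".")
    if not dot or "." in base:
        return False  # no extension, or a stacked one such as 'x.asp.jpg'
    # The whole text after the dot must equal one allowed type, so
    # 'asp;jpg' fails here even though the name ends in 'jpg'.
    if ext.lower() not in ALLOWED_FILE_TYPES:
        return False
    return SAFE_BASE.fullmatch(base) is not None


def stored_name(filename):
    """Return the on-disk name: a server-generated base plus the checked
    extension, so client-chosen text never reaches the web server's
    extension-to-handler mapping."""
    if not strict_is_allowed(filename):
        raise ValueError("rejected upload name: %r" % filename)
    ext = filename.rpartition(".")[2].lower()
    return "%s.%s" % (uuid.uuid4().hex, ext)


if __name__ == "__main__":
    # Constructed sample names; the first is the one reported in the thread.
    for name in ["DED_tekhnika.asp;jpg", "photo.jpg", "x.asp.jpg", "a;b.jpg"]:
        print(name, naive_is_allowed(name), strict_is_allowed(name))
```

Name validation complements, and does not replace, the access control and per-site permissions described in the replies above.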
 |