By Espen on Saturday, 02 January 2016
Posted in General Issues
Replies 8 · Likes 0 · Views 449 · Votes 0
Our site was hacked, and it seems like there is a critical vulnerability in EB. Please see additional message for more information.
Hey Espen,

Did you allow uploading of php files via the media manager? If you allowed authors to upload php files, you are opening your doors to these hackers. By default EasyBlog does not allow php files to be uploaded via the media manager.

We have strict checking on the file types that are allowed to be uploaded via the media manager:

1. Check for allowed extensions (based on the settings under Settings > Media).

2. XSS checks. We try to read the contents of the file to ensure that it does not contain these codes:

array('abbr','acronym','address','applet','area','audioscope','base','basefont','bdo','bgsound','big','blackface','blink','blockquote','body','bq','br','button','caption','center','cite','code','col','colgroup','comment','custom','dd','del','dfn','dir','div','dl','dt','em','embed','fieldset','fn','font','form','frame','frameset','h1','h2','h3','h4','h5','h6','head','hr','html','iframe','ilayer','img','input','ins','isindex','keygen','kbd','label','layer','legend','li','limittext','link','listing','map','marquee','menu','meta','multicol','nobr','noembed','noframes','noscript','nosmartquotes','object','ol','optgroup','option','param','plaintext','pre','rt','ruby','s','samp','script','select','server','shadow','sidebar','small','spacer','span','strike','strong','style','sub','sup','table','tbody','td','textarea','tfoot','th','thead','title','tr','tt','ul','var','wbr','xml','xmp','!DOCTYPE','!--');

P/S: If you really need to allow authors to upload PHP files, you need to make sure that the users who are allowed to use the composer are trustworthy.
Saturday, 02 January 2016 13:09 · 0 Likes · 0 Votes · 0 Comments
Hi.

No, I do not allow upload of PHP files. Somehow the hackers were able to bypass it by uploading files to the EasyBlog shared image folder.

From what I can see in the log file, the hackers went directly to EB and uploaded some files. I suspect that they uploaded a .jpg file first, and then somehow were able to extract / upload a PHP file.

From the log:
"GET /images/easyblog_shared/b2ap3_icon_2.jpg"
"GET /images/easyblog_shared/b2ap3_thumbnail_2.jpg
"GET /images/easyblog_shared/ HTTP/1.0" 403
GET /images/easyblog_shared/6325.php HTTP/1.0" 200

I have tried to upload a PHP file, but it won't upload with normal user interactions.

We do follow best practice regarding security, but it seems like there is some kind of vulnerability in EB (PHP remote file inclusion vulnerability).

Allowed files in Joomla Media Manager:
bmp,csv,doc,gif,ico,jpg,jpeg,odg,odp,ods,odt,pdf,png,ppt,swf,txt,xcf,xls,BMP,CSV,DOC,GIF,ICO,JPG,JPEG,ODG,ODP,ODS,ODT,PDF,PNG,PPT,SWF,TXT,XCF,XLS

Allowed files in EB media:
jpeg,jpg,png,gif,3g2,3gp,aac,f4a,f4v,flv,m4a,m4v,mov,mp3,mp4,zip,rar,7z,pdf,doc,docx,ppt,pptx,xls,xlsx
Saturday, 02 January 2016 17:07 · 0 Likes · 0 Votes · 0 Comments
Hey Espen,

Do you still have that file so that I can run some tests locally? In EasyBlog, we actually perform the following checks to ensure that the image that was uploaded is really an image. This is the code that is being used:

I believe Joomla's media manager also does almost the same checks to prevent hacks like this from happening.
Sunday, 03 January 2016 01:17 · 0 Likes · 0 Votes · 0 Comments
Unfortunately I don't have the files copied to the images-eb-shared directory, but I downloaded two files which I'll attach.

Our hosting vendor found these files:
[STR]cmd_shell_216 [01/01/16] /home/myhost/public_html/cli/webadmin.php
[HEX]gzbase64_inject_unclassed_14 [01/01/16] /home/myhost/public_html/cli/sym3.php
[HEX]php_hex_enc_eval [01/01/16] /home/myhost/public_html/wso.php
[STR]Hacked_by_string [01/01/16] /home/myhost/public_html/lol.html

Google analytics shows these records:
/images/easyblog_shared/12.php
/404.php

They came in through creating a user and uploading code to the EB image shared directory, but it's a mystery how they did it. Our Joomla is running the latest Joomla patch and security plugins.
Sunday, 03 January 2016 03:08 · 0 Likes · 0 Votes · 0 Comments
Hey Espen,

Hm, both these files seem like a "rootkit", and it's probably not that; I don't think they actually used this to hack "easyblog", because I can never upload these files via EasyBlog's media manager.

They shouldn't be able to upload the file 12.php unless it is explicitly allowed in the media manager settings. I just tried this by creating a sample 12.php file with just plain basic PHP code.

To simulate this, this is what I did: I created a blank .html file which just has a simple form with a file input. Then this form submits to the server to store this PHP file (simulating a media file upload in EasyBlog), and it was rejected.

I also created another file called 12.png, but in this file the contents are PHP contents. It was rejected as well.
Sunday, 03 January 2016 13:25 · 0 Likes · 0 Votes · 0 Comments
Hi.

I have done some more testing. You will be able to rename an image file to .php after it is uploaded. I haven't tested this theory yet, but I think you will be able to use Fiddler or Charles to first upload a .jpg file, capture the command, and then execute the same command with a .php file.
Monday, 04 January 2016 22:57 · 0 Likes · 0 Votes · 0 Comments
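A defensive version of the checks discussed in this thread (the extension allowlist and content scan described in the first reply, and the rename-to-.php concern raised in the post above), written here as an added example and not EasyBlog's or Joomla's code. The MediaGuard class and its method names are hypothetical; the allowlist is copied from the "Allowed files in EB media" setting quoted earlier, and it applies the same policy on rename as on upload.

```php
<?php
// Added example, not EasyBlog's or Joomla's code. MediaGuard and its methods
// are hypothetical names; the allowlist is the "Allowed files in EB media"
// list quoted in the thread.
final class MediaGuard
{
    /** @var string[] lowercase extensions, copied from the thread's EB media setting */
    private array $allowed = ['jpeg','jpg','png','gif','3g2','3gp','aac','f4a','f4v','flv',
        'm4a','m4v','mov','mp3','mp4','zip','rar','7z','pdf','doc','docx','ppt','pptx','xls','xlsx'];
    /** Never allowed, even if an admin later adds them to the allowlist by mistake. */
    private array $neverAllowed = ['php','php3','php4','php5','php7','phtml','phar','htaccess'];
    /** Extension policy. Only the LAST extension counts, so "x.php.jpg" passes as "jpg"
     *  and the content and image checks below are what catch a disguised script. */
    public function extensionAllowed(string $name): bool
    {
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if ($ext === '' || in_array($ext, $this->neverAllowed, true)) {
            return false;
        }
        return in_array($ext, $this->allowed, true);
    }
    /** Content policy: reject bytes carrying a PHP open tag or a script element.
     *  preg_match() returns false on error, so an error is treated as unsafe. */
    public function contentLooksSafe(string $bytes): bool
    {
        // If short_open_tag is enabled on the host, extend the pattern to a bare "<?".
        return preg_match('/<\?php|<\?=|<script\b/i', $bytes) === 0;
    }
    /** Files named as images must also parse as images (header check), not just carry the name. */
    public function imageIsReal(string $path, string $name): bool
    {
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, ['jpeg', 'jpg', 'png', 'gif'], true)) {
            return true; // not an image extension; nothing to verify here
        }
        return @getimagesize($path) !== false;
    }
    /** Rename is subject to the same extension policy as upload, so an uploaded
     *  "2.jpg" cannot become "2.php" after the fact. basename() blocks path segments. */
    public function safeRename(string $dir, string $old, string $new): bool
    {
        if (basename($new) !== $new || !$this->extensionAllowed($new)) {
            return false;
        }
        return rename($dir . '/' . basename($old), $dir . '/' . $new);
    }
}
```

Pair this with a web server rule that refuses to execute scripts from the shared image directory, so that a file which slips past all three checks is still served as static content rather than run.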
If you look at the attached image, you will be able to upload it, rename it and run the PHP code.
Monday, 04 January 2016 23:50 · 0 Likes · 0 Votes · 0 Comments
This image that you tried will never get uploaded in EasyBlog. I just tested this myself, and the script is rejecting it because it contains PHP code.
Tuesday, 05 January 2016 02:15 · 0 Likes · 0 Votes · 0 Comments