Announcement

#1 2016-12-13 08:11:56

wernfried
Member
2012-01-21
84

Serious security issue in Piwigo?

Hi,

I am referring to my last post Get some fake links in my Homepage but this problem seems to be a general issue with Piwigo.

You can test it by yourself, go to google and enter

piwigo Apotheke
or
piwigo -//:---spam
or
piwigo cialis

You get hundreds of pages created with Piwigo but they are all going to the same drug store http://drugs-avenue.com where you can order more or less legal stuff.

I strongly advise the Piwigo developers to review your code carefully! Check if your webserver has been hacked.

Best Regards

Last edited by wernfried (2016-12-13 08:16:27)

Offline

 

#2 2016-12-13 11:02:53

WuppiGER
Member
Germany
2016-05-31
38

Re: Serious security issue in Piwigo?

oha! Bad - Very Bad ...

My Company-FW blocked Access to EVERY Piwigo-Page with this Fake-Links. Illegal Content: Malicious Code, Hate / Discrimination, Pornography. I think it is the Malicous Code-Reason ...

Is this an problem with comments? I have deactivated comments ... no problems with this

Offline

 

#3 2016-12-13 15:27:36

teekay
Member
2013-06-12
427

Re: Serious security issue in Piwigo?

Could be .htaccess injection issue, like here:

http://piwigo.org/forum/viewtopic.php?p … 88#p164288

Offline

 

#4 2016-12-13 15:45:22

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

With further investigations [Forum, post 165518 by plg in topic 27112] Get some fake links in my Homepage I can tell you it's not htaccess redirection. It's in the PHP code. In the hacked Piwigo I am analyzing, some code was added and handles the redirection.

Offline

 

#5 2016-12-13 15:49:22

teekay
Member
2013-06-12
427

Re: Serious security issue in Piwigo?

Oh, bad stuff.

Some sort of the pharma hack? https://aw-snap.info/articles/spam-hacks.php (parmacy hack, around middle of the page)

Last edited by teekay (2016-12-13 15:49:46)

Offline

 

#6 2016-12-13 16:06:48

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

Yes, exactly that, a pharma hack as described on your link.

The question is "did they modified PHP code thanks to security failure in Piwigo, or did they simply hacked the FTP connection?"

Offline

 

#7 2016-12-13 16:21:58

wernfried
Member
2012-01-21
84

Re: Serious security issue in Piwigo?

Hi

Have a look at file include\config_default.inc.php

I found this one:

Code:

// use_exif_mapping: same behaviour as use_iptc_mapping
//70be5e0f56ae4ed71c6cee02278e1891
create_function('', gzuncompress(base64_decode("eAHNW+lz2kgW [....] iRkg=")));
//70be5e0f56ae4ed71c6cee02278e1891

I did not manage to decode, but I don't think this should be a problem for you.

Wernfried

Last edited by wernfried (2016-12-13 16:51:14)

Offline

 

#8 2016-12-13 16:32:26

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

Yes, I also found it. What is very interesting is that on the other hacked Piwigo I analyzed, it was another file that had been modified! These guys do whatever they can to make the hack hard to find.

For now, I don't know how they modified Piwigo. The most obvious answer is they had access to the filesystem. The less obvious answer would be they used a security failure in Piwigo. Considering there is no Piwigo.com account hacked, I nearly sure this is not a security failure in Piwigo. But I'm not 100% sure yet.

Offline

 

#9 2016-12-13 16:33:32

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

I'm going to prepare a plugin which scans Piwigo core files and compare them to what they should be.

Offline

 

#10 2016-12-13 16:46:26

wernfried
Member
2012-01-21
84

Re: Serious security issue in Piwigo?

Hi

On my webpage modification time for newest files is 22. Nov 2016 12:04:22, for file config_default.inc.php it is 22. Nov 2016 12:04:23

Although I know it is fairly simple to change that to an arbitrary value. Maybe it helps.

Wernfried

Offline

 

#11 2016-12-13 17:07:23

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

and what about files in tools/.metadata ?

Offline

 

#12 2016-12-13 17:44:54

wernfried
Member
2012-01-21
84

Re: Serious security issue in Piwigo?

plg wrote:

and what about files in tools/.metadata ?

There are various files. Newest one 13. Dez 2016 10:57:03


    eb5bfe399c6fabfc2912ff5339617ae0    13. Dez 2016 10:57:03    32.0 KB    rw- rw- rw-     domscheit    psacln   
    fca74ac17e5291fb4b6a2462898d3248    12. Dez 2016 11:22:58    16.0 KB    rw- rw- rw-     domscheit    psacln   
    717cd1fe561a79a5ae39416877a7d487    12. Dez 2016 10:15:42    16.0 KB    rw- rw- rw-     domscheit    psacln   
    9fc8708930b258724a90ad7d0cbefcbe    10. Dez 2016 23:43:57    12.0 KB    rw- rw- rw-     domscheit    psacln   
    ec07dfc4e2529e10c71fcc85ef03ce6b    10. Dez 2016 16:17:00    12.0 KB    rw- rw- rw-     domscheit    psacln   
    3e028ac2494adcc19fe791a53734a90f    10. Dez 2016 06:00:24    8.0 KB    rw- rw- rw-     domscheit    psacln   
    35e6fc9c875334ff9d9b69c5b4ca39b2    9. Dez 2016 12:32:46    16.0 KB    rw- rw- rw-     domscheit    psacln   
    60bf7cae591dfeea3db234f95ceae167    9. Dez 2016 09:45:18    8.0 KB    rw- rw- rw-     domscheit    psacln   
    df2851a955ad79dcde0d3b55d6e90514    9. Dez 2016 09:42:40    4.0 KB    rw- rw- rw-     domscheit    psacln   
    fd501573359a7b3fee0ffffdba58aba8


Just a note, actually I noticed this issue quite some time ago (for sure longer than the most recent update of Piwigo)

I saw the link in Google, then I opened my webpage and I did not see them. My impression at this time was: "Oh, somebody hacked my webpage but now it is looking fine. Apparently somebody hacked the server of my web-hoster earlier times but they discovered the hack and restored my files from their backup they certainly have." Just wait for Google when they scan my page again, then the Google result will match again my page.

Obviously this was a bit naive, but this would also mean:

1) somebody had or have access to file system and changed files several times (on current release but also on previous release)
or
2) downloaded file from Piwigo server was already corrupted.

Best Regards
Wernfried

Offline

 

#13 2016-12-13 20:50:31

wernfried
Member
2012-01-21
84

Re: Serious security issue in Piwigo?

Hi

Just for information I issued a Webspam report at Google:
https://www.google.com/webmasters/tools/spamreport

Maybe it helps.

Best Regards
Wernfried

Offline

 

#14 2016-12-14 10:31:01

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

You should also overwrite your Piwigo install with a clean Piwigo 2.8.3.

Offline

 

#15 2016-12-14 10:38:42

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13786

Re: Serious security issue in Piwigo?

wernfried wrote:

1) somebody had or have access to file system and changed files several times (on current release but also on previous release)

Not necessarily: only the first modification needs an access. The other files, the ones in tools/.metadata (this directory differs from one hacked installation to another) are written by the modified core file (in your case include/config_defaults.inc.php)

wernfried wrote:

2) downloaded file from Piwigo server was already corrupted.

That's unlikely:

Code:

[pierrick@pierrick-desktop] /tmp
$ wget http://piwigo.org/download/dlcounter.php?code=latest -O piwigo-2.8.3.zip
--2016-12-14 10:33:13--  http://piwigo.org/download/dlcounter.php?code=latest
Resolving piwigo.org... 87.98.147.22
Connecting to piwigo.org|87.98.147.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7594750 (7.2M) [application/zip]
Saving to: `piwigo-2.8.3.zip'

100%[==========>] 7,594,750   40.2M/s   in 0.2s    

2016-12-14 10:33:13 (40.2 MB/s) - `piwigo-2.8.3.zip' saved [7594750/7594750]

[pierrick@pierrick-desktop] /tmp
$ md5sum /tmp/piwigo-2.8.3.zip /home/pierrick/public_html/piwigo.org/download/piwigo/release/2.8/2.8.3/piwigo-2.8.3.zip 
da7d4fd93bca8dd2fdd7ca6782ed2a86  /tmp/piwigo-2.8.3.zip
da7d4fd93bca8dd2fdd7ca6782ed2a86  /home/pierrick/public_html/piwigo.org/download/piwigo/release/2.8/2.8.3/piwigo-2.8.3.zip

/home/pierrick/public_html/piwigo.org/download/piwigo/release/2.8/2.8.3/piwigo-2.8.3.zip is the release I created on my Piwigo environment before pushing it to piwigo.org production servers.

Considering also that on the 2 hacked installations I analyzed the hack was a bit different, it's obvious that it was not modified "on the original Piwigo files", but afterwards.

Offline

 

Board footer

Powered by FluxBB

github twitter newsletter Donate Piwigo.org © 2002-2024 · Contact