Posted 8 years ago
Thanks to Smokeman for reporting this and Slaughter for providing the corrected files
Understanding the problem:
The problem is caused by an insecure variable that is not properly checked and can therefore be used to insert malicious code into the MySQL query, and also PHP commands that can create and, in this case, edit files. We have seen the same method being used in the search.php vulnerability.
The problem is caused by two things:
- A variable not properly checked
- Global variables
How is it done?
The hack is done by inserting code into the theme.php file, by injecting it through the SQL query, so that it is accessible from within all pages of a site running PHP-Fusion. From there the hacker has direct access to the server and can execute PHP commands, upload files, etc.
Preventing being hacked?
If you are running a v6 site there are three ways you can prevent being hacked:
- Remove member polls from the panels list, by disabling it from the admin panel => system admin => panels
- Replace the files with the new ones
- Upgrade to PHP-Fusion v7
If your site has been hacked?
If your site has been hacked, here is what you have to do:
- Set your site in maintenance mode from Admin Panel => System Admin => Miscellaneous Settings
- Open up the file /themes/YOUR_THEME/theme.php and delete the long text near the top of the file; you can't miss it. Or re-upload the file from your computer. Be sure to check all your themes: delete those you're not using and re-upload those you are using.
- Open up the /images/ folder, delete all PHP files inside it and upload a new blank index.php file; look specifically for a file named panel.php.
- Delete the folder /infusions/member_poll_panel completely and upload the new files there.
- Open up phpMyAdmin. Click on "fusion_panels" on the left side (or view its rows) and delete the row with panel_name: System and panel_filename: ../images/panel.php
- Be sure to change your MySQL password and the password for your user on the site that has been hacked, and make sure other admins and users change their passwords too!
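As an added example (not code from this post or from PHP-Fusion), here is a small Python audit that automates the three file and database checks above over constructed sample data: PHP files dropped into /images/, an unusually long line near the top of a theme.php, and a fusion_panels row whose panel_filename escapes the infusions directory. The in-memory file tree and panel rows are constructed stand-ins, and the assumption that panel_filename is stored relative to /infusions/ is mine.

```python
from pathlib import PurePosixPath

# Constructed sample of a site tree after the attack (paths relative to the web root).
SAMPLE_FILES = {
    "themes/Default/theme.php": "<?php\n" + "X" * 300 + "  /* stand-in for the injected blob */\n// theme code\n",
    "themes/Clean/theme.php": "<?php\n// untouched theme code\n",
    "images/index.php": "",               # the blank index.php that is expected to be there
    "images/panel.php": "<?php /* dropped file */",
    "images/logo.png": "PNG...",
}
# Constructed rows from the fusion_panels table; panel_filename is assumed to be
# relative to /infusions/ (assumption, not verified against the PHP-Fusion schema).
SAMPLE_PANELS = [
    {"panel_name": "Member Poll", "panel_filename": "member_poll_panel/member_poll_panel.php"},
    {"panel_name": "System", "panel_filename": "../images/panel.php"},
]

def php_files_in_images(files):
    """Any .php file under images/ other than the blank index.php should not be there."""
    return sorted(p for p in files
                  if p.startswith("images/") and p.endswith(".php")
                  and PurePosixPath(p).name != "index.php")

def suspicious_theme_files(files, head_lines=10, max_len=200):
    """theme.php files whose first lines contain an unusually long line (the 'long text near the top')."""
    hits = []
    for path, body in files.items():
        if PurePosixPath(path).name != "theme.php":
            continue
        if any(len(line) > max_len for line in body.splitlines()[:head_lines]):
            hits.append(path)
    return sorted(hits)

def rogue_panel_rows(rows):
    """Panel rows whose filename escapes the infusions directory via '..' or an absolute path."""
    return [r for r in rows
            if ".." in PurePosixPath(r["panel_filename"]).parts or r["panel_filename"].startswith("/")]

def audit(files, rows):
    """Collect all three checks into one report."""
    return {
        "php_in_images": php_files_in_images(files),
        "suspicious_themes": suspicious_theme_files(files),
        "rogue_panels": [r["panel_name"] for r in rogue_panel_rows(rows)],
    }

if __name__ == "__main__":
    for check, findings in audit(SAMPLE_FILES, SAMPLE_PANELS).items():
        print(f"{check}: {findings or 'clean'}")
```

On a real site you would build the `files` dict by walking the web root and the `rows` list from a `SELECT panel_name, panel_filename FROM fusion_panels` export, then treat every finding as something to remove and re-upload.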
Post here if you have any further questions about the hack or if you have been attacked.
More detailed information will follow!
Edited by Basti on 28-11-2009 11:26