Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Bug Open Source Security

Attackers Can Hijack Joomla Sites Via User-Agent Strings (softpedia.com) 66

An anonymous reader writes: Joomla just issued a emergency security patch after Sucuri observed a large number of attacks on Joomla sites using malicious user-agent strings. Attackers were adding malicious code to custom-made user-agent strings, which were not sanitized and stored in the database. These allowed attackers to trigger remote code on the site and grant them a backdoor into targeted websites. Even if Joomla doesn't care about older versions, the bug was so critical that it issued security patches even for EOL versions going back to 1.5.x.
This discussion has been archived. No new comments can be posted.

Attackers Can Hijack Joomla Sites Via User-Agent Strings

Comments Filter:
  • by QuietLagoon ( 813062 ) on Monday December 14, 2015 @04:01PM (#51117151)
    I've been seeing really strange agent strings for a few weeks in my web server log files. I was wondering what the target was.
    • by Anonymous Coward

      The target is to serve malware. If they can easily exploit a widely used package to spread malware, the phish jump right in the boat.

    • by ls671 ( 1122017 )

      Well, I have been seeing really strange Cookie, Host, Connection, request strings, etc. for ever and I sometimes wonder what the target is. Don't take for granted those pokes are only targeted at joomla.

  • by Anonymous Coward on Monday December 14, 2015 @04:08PM (#51117215)

    It's been 15 years since the explosive growth of the Internet started, dammit. Any "programmer" in this day and age who doesn't sanitize inputs for absolutely every parameter from an service facing the internet should be barred from using a compiler permanently.

    • by Anonymous Coward

      You have to put it in a framework or an API, otherwise modern programmers can't understand it.

      • That makes perfect sense! Who writes frameworks and APIs again?
        • by ls671 ( 1122017 )

          Good one, I have observed a tendency lately where newbies seem to thing that API are delivered by the baby stork. They even teach the youngsters that programming techniques used in API (for the internal work of the API) are bad and have them coming up with resource hog code that is supposed to be somehow better nevertheless.

          Then, there are the APIs built on top of other APIs that achieve sensibly the same goal.

    • by hey! ( 33014 )

      Identify bad input; recover if possible.

      -- The Elements of Programming Style by B. W. Kernighan and P. J. Plauger, McGraw-Hill, New York, 1974.

      See? Smart programmers knew bad or malicious input forty years ago. Trust me, even back in the days of FORTRAN card decks people tried to figure out ways to make the computer do things that would annoy or inconvenience the sysadmins.

      In this case the exploit was actually quite tricksy. Normally you don't think of the user agent as user input; it's supposed to come

    • " Any "programmer" in this day and age who doesn't sanitize inputs for absolutely every parameter from an service facing the internet should be barred from using a compiler permanently." Banning them from compilers wouldn't stop them here....Joomla is PHP. Just upload the file uncompiled and watch the magic happen :P
    • by Anonymous Coward

      Joomla uses MySQL and PHP. Most PHP code has so many security flaws that the matter was brought up in a meta discussion on stackoverflow. Sadly the discussion ebbed of with the genius resolution of adding a comment to any flawed answer and to this day any PHP user searching stackoverflow for answers will find highly flawed suggestions upvoted with any comment pointing out its problems long deleted in any of the cleanups performed from time to time ( a problem brought up on meta and outright ignored, since a

    • "... every parameter from an service facing the internet... "

      For all your fervor toward solid security practices you still miss it completely. This issue has absolutely nothing to do with the internet. The exact same security principles apply to, and should be applied in systems, without regard to internet connectivity. There are many solid reasons why this is true, but the simplest and easiest to understand is that somebody may, at a subsequent date, connect the system to the internet.

    • by ls671 ( 1122017 )

      It's been 15 years since the explosive growth of the Internet started, dammit. Any "programmer" in this day and age who doesn't sanitize inputs for absolutely every parameter from an service facing the internet should be barred from using a compiler permanently.

      It wouldn't help in this case. The language used for joomla doesn't require the programmer to use a compiler.

    • by Tablizer ( 95088 )

      Define "sanitize" in this case. What is and isn't a valid user-agent string? (and considering future devices that haven't been invented yet.)

  • WHY?!? (Score:5, Insightful)

    by Aethedor ( 973725 ) on Monday December 14, 2015 @04:14PM (#51117259)

    Seriously, how can this still be possible?? Don't developers ever learn? Use / develop a secure database driver and let ALL your database queries go though that driver. And when I say ALL, I actually mean ALL!!! We've had SQL injections 20 years ago. There is no excuse to have your application vulnerable for this ancient shit! Really.

    I know that my rant tells nothing new, but as a security professional, this shit is really starting to annoy me. I see this shit every week. And because of developers not being able to write secure code, companies get hacked, personal information gets stolen, governments act tough and come up with all sorts of security theater bullshit which results in my privacy getting invaded. So, yes, incompetent developers fucking their shit affects me personally! I really hate incompetent developers...

    • I'm surprised that they haven't made a database driver that requires you to use parameters for all queries. Basically the query should refuse to run and throw an exception if it finds a place where you provided a literal value instead of providing it via a parameter.

      The entire idea of even having an "escape string" function is stupid because there will be places where people forget to use it. Especially when there are cases where you're not supposed to use it, such as when you have a variable that represen

      • It's not something the driver can sensibly do. It would have to host a full-blown SQL syntax parser to do this.
        • Doctrine 2 has this. It's a Lexer/Parser combo, not just a parser. In Doctrine 2 the dialect is DQL which is transformed to SQL for the particular driver dialect. I understand there are several ORMs across the languages but Doctrine 2 stands on top.

    • Except I don't think this is actually an SQL injection and so you could have the most secure database driver with prepared statements and all of that jazz and it probably wouldn't matter.

      It looks like (the details I've read are pretty slim) it's actually a php object injection [owasp.org]. Apparently, this has happened to Joomla before [karmainsecurity.com].

      Basically it sounds like the useragent string is stored in the database correctly (but unverified and/or unsanitized) and then other code is pulling it from the database and trusting tha

      • by Tablizer ( 95088 )

        Except I don't think this is actually an SQL injection... it's actually a php object injection...

        While I usually remember to sanitize strings, situations often occur where you need legitimate punctuation or character patterns that you didn't or couldn't anticipate up front. It then errors out and makes the developer, me, look bad.

        Can one anticipate all legitimate future User-Agent string patterns up front? Who knows what wazoo devices will be invented in the future.

        Basically one is weighing an approximately

        • by AC-x ( 735297 )

          Basically one is weighing an approximately 1 in 100 chance a hacker getting in from an injection attack versus roughly a 1 in 5 chance that scrubbing will create practical problems for legitimate users (considering all the data collected from multiple sources and fields over time).

          What practical problem could treating something like a user agent string as a raw string value possibly cause?

      • Hmm, you're absolutely right. I must admit that I didn't read the article well enough. I guess I've grown too tired of this shit to read it all carefully. However, it doesn't really matter. SQLi, XSS, CSRF, file inclusion, remote command execution, it's all the same shit to me. Incompetent developers only caring about getting it to work, not knowing what they're actually doing. The result of their fumbling is still the same.
    • by slazzy ( 864185 )
      Correct, there's even ways to spoof an IP address and turn it into an SQL injection. Poor bobby tables.
  • Really, this is old, well known, easy to avoid. People that make mistakes like this have no business programing. The real problem is very likely though that management hired the cheapest people it could get.

    • Really, this is old, well known, easy to avoid. People that make mistakes like this have no business programing. The real problem is very likely though that management hired the cheapest people it could get.

      It's an open source project. There's no hiring people involved. Read up before you comment.

      • by gweihir ( 88907 )

        Not really that much different. There is letting people with no clue contribute involved. Also quite a few contributors to FOSS projects _are_ hired, most not by the project itself, but sometimes even that. But I guess you did not know that little well-known detail.

  • Really, it's astounding that after all this time, major software apps still don't sanitize their input.

    It'd be hilarious if it wasn't so sad.

    There are dozens of decent sanitizer scripts and utilities out there, FFS, pick one and use it.

    • I don't sanitise my input. I sanitise my output. And you should too.

      Besides, "sanitise" is the wrong word. "Escape" is better. "Sanitise" tends to be irreversible. If it fails, you can try to do a post-mortem and still have no clue what went wrong since sanitising threw away everything important.

  • succuri did something other than fuck up my favorite forums? Finally!

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...