Thread: Vulnerability in old version of TYPOlight

  1. #1
    New user
    Join Date
    03-02-11.
    Posts
    2

    Vulnerability in old version of TYPOlight

    I recently noticed somebody uploaded malicious content onto one of my sites.
    It was running TYPOlight Version 2.6.2 (2008-11-01).
    I searched all logs to try to figure out how it happened but I see no evidence of breaking into the site. All I can see is some malicious scripts in the site's DocumentRoot directory and Apache access log records related to an attacker executing them.

    I did some research on any vulnerabilities of all software running on that server.
    I found out that there was a serious vulnerability in this version of TYPOlight (http://www.contao.org/news/items/maj...tall-tool.html) so I bet this could be an attack vector.

    I'm going to have TYPOlight upgraded to the latest version on this site anyway but I would like to be sure that it was in fact the weak point the attacker exploited.

    Could you guys please point out how I can make sure of it?
    Any particular place in TL db or correlation between db and Apache log entries?
    Any details on the issue so I can at least try to reproduce the attack to make sure it was possible?


    Thanks,
    Mike

  2. #2
    New user
    Join Date
    03-02-11.
    Posts
    2

    Re: Vulnerability in old version of TYPOlight

    Just to close out this subject...

    Everything is clear to me now. I finally managed to find the vulnerability in the CMS and exploited it on the test instance of the site to prove that this weakness could have been the attack vector. Then I realized that it couldn't be (assuming that the attacker didn't get a root account and was not able to tamper with log files) because there were no records of access to the vulnerable PHP file in the access log.
    I found out, however, that the site developer left a vulnerable version of phpmyadmin in the site directory tree and it was actually the one exploited.
    It is kind of "funny" that the site had 2 critical vulnerabilities left by the web site developer.

    What one can learn from this issue:
    I advise all of you guys implementing any kind of software on a web site to remember to take care to:
    - immediately close all unused interfaces, especially privileged ones (phpmyadmin and typolight/install in this case)
    - keep a record of all web applications implemented by you for your customers, together with information about the third-party software used, and inform your customers about vulnerabilities found in that software even after expiration of the site's maintenance agreement.

    Best regards,
    Mike
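
The log check described in post #2, as an added example that is not part of the original thread: it scans Apache access-log lines for requests to the two exposed interfaces and reports which of them were actually requested. The URL substrings, the log-format regex and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Interfaces named in the thread. The URL substrings are assumptions about
# where they were reachable; adjust them to the site's real layout.
INTERFACES = {
    "typolight-install": re.compile(r"/typolight/install", re.I),
    "phpmyadmin": re.compile(r"/phpmyadmin", re.I),
}

# Leading fields of Apache's common/combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def interface_hits(lines):
    """Map each interface to the requests whose URL path falls under it."""
    hits = {name: [] for name in INTERFACES}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Match on the decoded path only: percent-encoding must not hide a
        # request, and a query string that merely mentions a path is not a hit.
        path = unquote(m["target"].split("?", 1)[0])
        for name, pattern in INTERFACES.items():
            if pattern.search(path):
                hits[name].append((m["ts"], m["ip"], m["method"], path, int(m["status"])))
    return hits

def summarize(hits):
    """Per interface: total requests, requests not refused (status < 400), client IPs."""
    return {name: {"requests": len(rows),
                   "served": sum(1 for r in rows if r[4] < 400),
                   "clients": sorted({r[1] for r in rows})}
            for name, rows in hits.items()}

# Constructed sample lines (documentation IP ranges), not from the real incident.
SAMPLE = [
    '192.0.2.10 - - [01/Mar/2011:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Mar/2011:10:02:13 +0100] "GET /phpMyAdmin/index.php HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.7 - - [01/Mar/2011:10:02:15 +0100] "POST /%70hpmyadmin/index.php?x=1 HTTP/1.1" 200 310 "-" "-"',
    '192.0.2.10 - - [01/Mar/2011:10:05:00 +0100] "GET /news.html?from=/typolight/install HTTP/1.1" 200 900 "-" "-"',
    '203.0.113.5 - - [01/Mar/2011:10:06:00 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"',
]

if __name__ == "__main__":
    for name, info in summarize(interface_hits(SAMPLE)).items():
        print(name, info)
```

An interface with zero requests is only ruled out if the log is complete and untampered, which is the same assumption the post makes.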

  3. #3
    Experienced user
    Join Date
    06-20-09.
    Posts
    1,311

    Re: Vulnerability in old version of TYPOlight

    Thanks mikiemike,
    good to know :D
    I had to repair eight sites and change hosting providers once due to a Joomla vulnerability.
