Administrator User hacked

Next topic

Author	Message
Peter Meyer-Delius	Friday 13 February 2009 5:25:31 am Yesterday we received this mail: -------------------------------------------- A new user has registered. Account information. Username: xxxx Email: [email protected] Link to user information: http://www.xxx.de/ger/content/view/full/15 -------------------------------------------- 15 is the Node-ID of the Default Administrator User that is created during the installation-process. Indeed the Username, Password and Email-Adress of this User was changed, but the user was deactivated. We checked the server log-file and noticed that the page http://www.xxx.de/site_admin/user/activate/3b61b269963793693cbdd42ee4c9088b was requested 300 Times with different hash-keys. We suggest that the attacker somehow managed to change the Administrator User via the registration function and after that tried to activate it with a script which generated the hash-keys. Has anyone similar experiences or any hints?? Best regards, Peter
Gaetano Giunta	Friday 13 February 2009 5:50:35 am Could you please post an issue in the bug tracker, tagged as 'security issue' and add as much information as possible in there (it will be kept private)? If your analysis is correct, an attacker somehow managed to change an existing user email/password, but not to activate it by clicking on the correct activation code. This means that either he did not received the email with the validation code because your site is configured not to send those emails, or because the action of modifying the users config did not trigger a generation of a new user-activation key... It would especially be interesting to get the access logs of the server. Plus the eZP version you are running, of course, and any configuration details. Principal Consultant International Business Member of the Community Project Board
Steven E. Bailey	Friday 13 February 2009 6:34:18 am I don't know if the user activate stuff in your logs is something new or if it is unrelated but for the administrator user, depending on what version of ezpublish you are running and if you have user register enabled, it can be hacked using: http://packetstormsecurity.org/0812-exploits/ezpublish-escalate.txt It is important to upgrade. Certified eZPublish developer http://ez.no/certification/verify/396111 Available for ezpublish troubleshooting, hosting and custom extension development: http://www.leidentech.com
Peter Meyer-Delius	Wednesday 18 February 2009 6:24:10 am Thank you for your fast feedback. We disabled the user-registration and deleted the default admin, so that the ID of the Administrator User is not obvious. We did not have any attacks again. We will wait and see. Best regards, Peter