Administrator User hacked

Author Message

Peter Meyer-Delius

Friday 13 February 2009 5:25:31 am

Yesterday we received this mail:
--------------------------------------------
A new user has registered.

Account information.
Username: xxxx
Email: [email protected]

Link to user information:
http://www.xxx.de/ger/content/view/full/15
--------------------------------------------
15 is the Node-ID of the Default Administrator User that is created during the installation-process. Indeed the Username, Password and Email-Adress of this User was changed, but the user was deactivated.
We checked the server log-file and noticed that the page
http://www.xxx.de/site_admin/user/activate/3b61b269963793693cbdd42ee4c9088b
was requested 300 Times with different hash-keys.
We suggest that the attacker somehow managed to change the Administrator User via the registration function and after that tried to activate it with a script which generated the hash-keys.

Has anyone similar experiences or any hints??

Best regards,

Peter

Gaetano Giunta

Friday 13 February 2009 5:50:35 am

Could you please post an issue in the bug tracker, tagged as 'security issue' and add as much information as possible in there (it will be kept private)?

If your analysis is correct, an attacker somehow managed to change an existing user email/password, but not to activate it by clicking on the correct activation code.
This means that either he did not received the email with the validation code because your site is configured not to send those emails, or because the action of modifying the users config did not trigger a generation of a new user-activation key...

It would especially be interesting to get the access logs of the server. Plus the eZP version you are running, of course, and any configuration details.

Principal Consultant International Business
Member of the Community Project Board

Steven E. Bailey

Friday 13 February 2009 6:34:18 am

I don't know if the user activate stuff in your logs is something new or if it is unrelated but for the administrator user, depending on what version of ezpublish you are running and if you have user register enabled, it can be hacked using:

http://packetstormsecurity.org/0812-exploits/ezpublish-escalate.txt

It is important to upgrade.

Certified eZPublish developer
http://ez.no/certification/verify/396111

Available for ezpublish troubleshooting, hosting and custom extension development: http://www.leidentech.com

Peter Meyer-Delius

Wednesday 18 February 2009 6:24:10 am

Thank you for your fast feedback.
We disabled the user-registration and deleted the default admin, so that the ID of the Administrator User is not obvious.
We did not have any attacks again. We will wait and see.

Best regards,

Peter

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.