compromised?

so I went to make a new post here at unacms.com, and on the UNA site I found that SOMEHOW someone from the spammer world injected all these attachments... into the "make new discussion" field, before I had even made a post.


this is actually a big deal.. because it means that people can inject attachments remotely somehow.. I did not upload these. look at what they did.. I scroll down in the video attached.. I did not put ANY of that here, and these are NOT files that exist on my device. I copied one of the URLs so the UNA team can investigate server logs and how this was breached.. if they wish to investigate.

again, to be clear: I went to make a post and all these attachments were already there, none of them were mine, and I could not delete them by clicking delete.

a URL from the attachments: unacms.com /s/bx_forum_files/2jufya7znkqc5eywts7rtmx3pehsm6ey.mp4
Anton L Alex T⚜️  LeonidS   (this is very important one.) (in bold)

image_transcoder.php?o=bx_froala_image&h=3546&dpx=2&t=1588983559

the attached video shows all the images and videos the spammer somehow injected into the empty post...

Replies (16)
    • That could be an issue. So I did notice a weird bug a while back: if someone starts a post, adds attachments and then abandons the post,

      when the next user tries to make a post, those same attachments will auto-load.

      I didn't report it as I know it probably wouldn't be investigated.

      There have been a few spammers around here these days, so I'm not sure.

      • Needs to be addressed and fixed for sure.

        • my big concerns when seeing this were the following:

          - if someone can inject attachments into the post editor, then the aspect that is insecure needs to be discovered,

          because it may be possible to exercise privilege escalation and overload PHP via exec, and then start to traverse and modify the rest of the server.

          once it's hacked, it's hacked. it's hard to fix, you have to restore from backups on the back end, and it's ugly because code could be hiding ANYWHERE.
          - I've been leery of having PHP exec enabled, period, from day one, and wonder if UNA can run without PHP exec...

            • that could very well be a caching issue: if there is only one instance of php-fpm allowed on the server, and no children or all children are tied up and max servers is set too low, then if the UNA code doesn't check certain elements it may try to dump the attachments of the abandoned post,

              but there really are about 20 different reasons this could happen.......

              • I personally think that the attachments are other members' attachments and they became mixed into one somehow. This is an issue. 

                • And thank you for the video, it provides an in-depth detail of the issue.

                  • we will have to wait to find out, i did find the entire thing very very strange though, and welcome :) !

                    • I think all is normal; maybe you logged out (or the system logged you out), and as a result you could see all images which have no association with any profiles. In a normal situation it should never happen. For now I've deleted all these unassociated images.

                      • iiiinteresting. I reloaded the page afterward and made a post without logging back in.. but this does make me wonder. eh, I was just hoping nobody had gained access through php_exec. while we're here, does UNA use a "windows on windows" platform emulator?

                        • does una use a "windows on windows" platform emulator ?

                          Sorry, I don't quite understand what you mean.

                          • my friend who worked at Cisco for a decade or so and I were talking, and I was discussing my UNA site with him.
                            I mentioned that when you upload a photo for a profile it says C:/fakepath etc. inside of an UNA site...... and so he said "I wonder if that software runs an emulation layer of some kind.."
                            we were discussing the ffmpeg.exe strangeness. no unix file should ever be called .exe, ever. that is a Windows issue. and as it currently stands, UNA cannot determine that ffmpeg.exe chmodded to 777 a+x is actually executable unless you add .exe to the end of it.. which breaks what I've known about Unix and Linux for over the last 20 years.

                            so these strange behaviors made me think there is a Windows emulation layer of some sort running in the UNA software..

                            • It is much simpler :-) Yes, Linux doesn't care about the file extension but Windows does, and this trick with the extension allows getting rid of one extra action when UNA is installed on Windows. No need to correct any file path, it is enough to replace the FFmpeg.exe file. Fakepath is the usual way to hide the real server path from overly curious users.

                              • OH OKAY. the fakepath obscures the real path because you modded uploadify to use the "server uploading" feature.. okay.. :) I was worried I was running code based on a platform emulator 🧐🤣 I don't do Windows. nothing against Windows users, I just.. since 2006 have steered as far away from it as possible. thank you for the clarification LeonidS.
                                is IIS still what they're calling the Windows "web server"? or does it have a cool name now like "discover" to match "edge"? *grins*

                                • Yes, it's strange but they left the "IIS" title ;-)

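The two technical points in this thread are the bug report (attachments from an abandoned post auto-load into the next user's editor) and LeonidS's explanation (a logged-out visitor could see every image that had no profile association). The following PHP is an added example, not UNA's own code, with hypothetical class and field names; it models a pending-upload list, shows how a naive owner-equality check reproduces exactly that leak when both the viewer and the upload's owner are "nobody" (null), and shows the ownership check plus garbage collection that prevent it.

```php
<?php
// Added example (not UNA code). Models the "orphaned attachments reappear in
// another user's editor" bug from the thread and the fix. Names are hypothetical.
declare(strict_types=1);

/** One upload that is not yet attached to a published post. ownerId is the
 *  uploader's profile id, or null when the association has been lost. */
final class PendingUpload {
    public function __construct(
        public readonly string $id,
        public readonly string $path,
        public readonly ?int $ownerId,
        public readonly int $uploadedAt,
    ) {}
}

final class PendingUploadStore {
    /** @var array<string, PendingUpload> keyed by upload id */
    private array $uploads = [];

    public function add(PendingUpload $u): void { $this->uploads[$u->id] = $u; }

    /**
     * Buggy behaviour: "give the viewer the uploads whose owner equals the viewer".
     * For an anonymous viewer (null) this matches every ownerless upload, so a
     * logged-out user sees everyone's orphaned files, as described in the thread.
     */
    public function listForEditorUnsafe(?int $viewerId): array {
        return array_values(array_filter(
            $this->uploads,
            fn(PendingUpload $u) => $u->ownerId === $viewerId
        ));
    }

    /**
     * Fixed behaviour: an anonymous viewer gets nothing, and an upload with no
     * owner is handed to nobody; it only survives until garbageCollect() removes it.
     */
    public function listForEditor(?int $viewerId): array {
        if ($viewerId === null) {
            return [];
        }
        return array_values(array_filter(
            $this->uploads,
            fn(PendingUpload $u) => $u->ownerId !== null && $u->ownerId === $viewerId
        ));
    }

    /** Remove ownerless or stale pending uploads; returns how many were dropped.
     *  This automates the manual deletion of unassociated images mentioned above. */
    public function garbageCollect(int $now, int $ttlSeconds): int {
        $before = count($this->uploads);
        $this->uploads = array_filter(
            $this->uploads,
            fn(PendingUpload $u) => $u->ownerId !== null && ($now - $u->uploadedAt) <= $ttlSeconds
        );
        return $before - count($this->uploads);
    }
}

// Constructed sample data: one upload owned by profile 7, two that lost their owner.
$store = new PendingUploadStore();
$store->add(new PendingUpload('a1', 'bx_forum_files/a1.mp4', 7, 1000));
$store->add(new PendingUpload('b2', 'bx_forum_files/b2.jpg', null, 900));
$store->add(new PendingUpload('c3', 'bx_forum_files/c3.jpg', null, 100));

// Logged-out viewer: the unsafe listing leaks both orphaned files, the fixed one leaks none.
assert(count($store->listForEditorUnsafe(null)) === 2);
assert(count($store->listForEditor(null)) === 0);
// A logged-in profile only ever sees its own pending uploads.
assert(count($store->listForEditor(7)) === 1);
assert(count($store->listForEditor(8)) === 0);
// GC drops the two ownerless uploads and keeps the fresh owned one.
assert($store->garbageCollect(now: 1100, ttlSeconds: 600) === 2);
assert(count($store->listForEditor(7)) === 1);
echo "ownership check and GC behave as expected\n";
```

The point is the null-equals-null comparison: the editor must key pending uploads on a positive identity (a profile id or, for guests, a per-session token) and refuse to list anything whose owner is unknown, rather than trusting that "same owner" implies "same person". Ownerless uploads should be purged on a timer so that a session that expires mid-post cannot leave files behind for the next visitor.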