Hi
Can you please look at here:
http://www.miliwoman.com/Press on links in LATEST UPDATED GALLERIES
I guess someone hacked Zen and added this to the album paths:
栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀
And such crappy URLs are output through this function only:
`<?php printLatestUpdatedAlbums(6,true,false,false,'','',90,90,true) ?>`
http://www.miliwoman.com/栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀/Germany/Army
Other paths are fully OK
And I cannot find this in the Admin panel; I can remove it through the database only
Very strange
Comments
http://www.zenphoto.org/2008/08/troubleshooting-zenphoto/#29
I have no such file at all - album_image_plugin.php
And yep, I set 660 for files/770 for directories
I would also suggest you contact your host about that. It may be the case that the hack took place via your account or the server in general and not via zenphoto. Please also read this recent thread: http://www.zenphoto.org/support/topic.php?id=4656
It looks like someone added info directly into database
>I would also suggest you contact your host about that
Unfortunately it's not a host, it is a dedicated server :-)
http://pixhost.ws/avaxhome/b5/2e/000b2eb5.png
And I can delete all this strange info through database only
I'm sorry, but no, the folders in the `albums` directory do not contain any folder with the name:
栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀
The whole directory structure is untouched.
Changes take place in the DB only.
I hope that it is my mistake and ZenPhoto has no security bugs
>you were not playing around with UTF-16. I got some similar strange things when I did that the other day.
I'm not playing with UTF-16 or something similar; the character encoding in the Admin panel is set as UTF-8
>sbillard
I have such paths in DB ONLY (zp_albums table):
栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀
/Austria/Police
栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀/Denmark/Army
There are no such Chinese folders at all. And these paths appear for `printLatestUpdatedAlbums` ONLY. So if this is not a security bug I do not know what it is...
I changed all possible passwords, checked files/directories permissions etc.
But it doesn't help
It is very doubtful. MySQL uses only an internal IP; it looks especially strange after I changed all passwords.
Someone found a way to add data to the zp_albums table:
http://pixhost.ws/avaxhome/b5/2e/000b2eb5.png
and `printLatestUpdatedAlbums()` perceives these rows as Latest Updated Albums and displays them.
Thank you; maybe this can affect many ZenPhoto installations
>I really doubt it is the printLatestUpdatedAlbums function the leak must be somewhere else.
Yep, it just reads and outputs data.
The attack continues; here is part of a dump with new "hack" records:
http://www.miliwoman.com/dump.sql
Too much work for a human; I guess some "hacker script" does this.
Maybe it helps.
P.S.
Maybe give the `zp_albums` table read-only rights?
http://www.xakep.ru/post/41761/Zenphoto-SQL-Injection-Exploit.txt
Looks like someone found a similar vulnerability :-(
http://www.miliwoman.com/栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀/Hong.Kong/
In the `zp_albums` table 2 rows appear with these paths
if someone opens this link, 93 rows appear in the `zp_albums` table, all my albums.
http://www.miliwoman.com/栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀
Yep, I was right, this is an Easter egg
http://www.zenphoto.org/zenphoto/栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀
or
http://www.zenphoto.org/zenphoto/栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀/impressionists/Monet+-+sunrise.jpg.php
Links work pretty fine.
It even works with ZenPage
http://zenpage.maltem.de/栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀/Screenshots/Admin-backend/
I just checked my database on the Zenpage site and if using this link it really adds to the database. Now we need to find out why it does that. I have opened a top priority ticket for this issue. Thanks for the help so far.
It's not SQL-injection per se as nothing malicious is being inserted (this is normal Zenphoto operation, but with a bug that allows more "albums" to be created in the database), but it's still a problem due to the large amounts of data that take up space, etc.
We just need to improve the filtering code to handle cases like this. It may be that it's simply ignoring UTF-16 characters in the PHP string but passing them on to the database. Could be anything, but with these test cases it shouldn't be too hard to filter out.
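Added example, not from this thread or from Zenphoto's code: it decodes the odd path component quoted above (it is ASCII whose UTF-16 bytes were read in the wrong byte order) and shows the kind of check a gallery could run before creating album rows from a request path. `album_row_allowed`, `demo`, the temporary albums tree and the Germany/Army album are assumptions made for the demonstration.

```python
import os
import string
import tempfile

# Path component quoted in the thread (copied from the posts above); a
# browser renders it as a run of CJK characters.
ODD_PATH = "栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀"

PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")  # space stays allowed

def looks_like_swapped_utf16(text: str) -> bool:
    """True when every code point is U+XX00 with XX printable ASCII, i.e.
    ASCII text whose UTF-16 bytes were read in the wrong byte order."""
    return bool(text) and all(
        (cp & 0xFF) == 0 and chr(cp >> 8) in PRINTABLE_ASCII
        for cp in map(ord, text))

def recover_ascii(text: str) -> str:
    """Undo the swap: write the code points big-endian, re-read little-endian."""
    return text.encode("utf-16-be").decode("utf-16-le")

def album_row_allowed(albums_root: str, album_path: str) -> bool:
    """Assumed defensive check (not Zenphoto's code) before a gallery creates
    a DB row for an album named by a request path: printable ASCII only, no
    empty or traversal components, and the directory must already exist under
    the albums root. The thread's rows name directories that never existed."""
    parts = album_path.strip("/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        return False
    if not all(c in PRINTABLE_ASCII for c in album_path):
        return False
    root = os.path.realpath(albums_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    return candidate.startswith(root + os.sep) and os.path.isdir(candidate)

def demo() -> dict:
    """Constructed albums tree with one real album (Germany/Army, as in the
    thread), checked against the legitimate path and the odd one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Germany", "Army"))
        return {
            "decoded": recover_ascii(ODD_PATH),
            "swapped": looks_like_swapped_utf16(ODD_PATH),
            "real_album_ok": album_row_allowed(root, "Germany/Army"),
            "odd_album_ok": album_row_allowed(root, ODD_PATH + "/Germany/Army"),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The existence check is the one that matters for the symptom reported here: a row is only ever created for an album directory that is really on disk, so request paths can no longer populate `zp_albums` on their own.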