Vbull Forums folder being moved to data folder and renamed as .jpg

bloodydecks · July 22nd, 2006, 04:58 AM

Wierdest thing I have ever seen. I don't know how this is happening.

My vbulletin forums directory gets moved and renamed to a .jpg file in the classifieds/data/10 folder.

The .jpg names are all in order accept one file is huge. When opened WOW there is my forums folder with all the files inside... WTH is going on?

The server logs show NOTHING funny is going on. I've been trying to figure out how I was getting hacked for the last two weeks.

Finally did a search for a file I knew was in my forums directory and found those files in my Classifieds...

IIS 6.0
vb3.5 intergration
Default photopost classifieds 2.5
PHP Version 5.0.5

Chuck S · July 22nd, 2006, 06:08 AM

Sounds to me like some weird IIS permissions mess up. I have seen this once or twice over the years but it is never reproduceable by anyone.

Make sure your data directory of classifieds is set to every level READ WRITE EXECUTE. Try installing Imagemagick on the server is you can instead of using GD2.

The key here is the only info I have ever been given by the one or two people is this happens when PHP whacks out on the server maybe from a big file upload.

bloodydecks · July 22nd, 2006, 11:45 AM

Okay replicated it. It happens when an admin has two windows open in IE. 1 in the admin control panel for classifieds and the other uploading an ad with pictures.

The admin that was on at the time it moved the vbull forums directory again.

Quote:

only thing I was doing is I had the admin page open in one window...and I was uploading two images for an ad in another window. first couple of times it was fine....then it all the sudden barfs
wasn't trying anything extra just named the ad, located the images, 1 dollar for the price and test for the description

bloodydecks · July 22nd, 2006, 12:10 PM

I installed Imagemagick. See if that takes care of it. If not then I'll can the software. 15gig restores on my forums folder are not quick...

erica j · July 24th, 2006, 05:01 AM

We have been having the same problem with a vbulletin integrated system. I finally found the renamed folders too.

Having spent the weekend hunting for file-system and shell commands in the software I found a problem in the handleupload() function in the image-inc.php file:

if ( !file_exists($newfilepath) ) {
@rename($filein, $newfilepath);
$realname = $newfile;
$dst_file = $newfilepath;
break;
}

If you upload a picture whose name is already used in that category, it tries adding 1, 2, 3, ... etc on to the end to find an available name. This is then checked by the !file_exists($newfilepath).

Once a valid name has been found it updates the variables and breaks out of the loop, in order to do a move_uploaded_file().

I think you will find that the directory names are all things line shoe1.jpg, shoe2.jpg, not shoe.jpg - as only happens when this code is being triggered.

The $realname = $newfile and $dst_file = $newfilepath are fine - just setting the right variables to copy the temporary file to the desired location.

But the @rename($filein, $newfilepath); is a problem.

It seems to be a poor copy from the bulk-upload function, where rename($filein,$newfile) is appropriately used in similar circumstances.

Here $filein is uninitialised in this routine, and the rename is to $newfilepath - the fully qualified path name e.g. ...\data\25\flower1.jpg or whatever instead of just the revised filename, flower1.jpg

In PHP 'rename' is quite capable of moving an entire directory structure, so here is a line that tries to move something undefined to the data directory, with a picture name file in the way people have found.

I suspect for some reason $filein is ending up referring to the base forum directory (perhaps depending on end slashes in the config-intc.php or other issues). So we end up with the effect of moving forum to data\25\flower1.jpg

Certainly a rogue command that is trying to move something to exactly the right place looks like a good candidate. and iIf I am right, the solution is simple - just delete the @rename. It is not needed at all.

I will find out today when the hosts take off the heavily permissions we have been using to stop the forum going down.

Even if this is not the cause of the problem it needs fixing. There is a big potential security hole here - I have been wondering whether I could get a ad to present non-picture info with some kind of
uploadproduct.php?filein="c:\wwwroot\secrets.txt" exploit

Regards

Erica

erica j · July 25th, 2006, 06:13 AM

Well, having applied the fix described above we have been running for 24 hours with no problems. So I am increasingly confident that the diagnosis was correct.

Any comment from the developers on the security issue?

EJ

Chuck S · July 25th, 2006, 08:24 AM

Well as stated seems to only be on one or two windows setups and why it happens no one knows yet

My suggestions would be to simply as a safety check define $filein like in bold here in image-inc.php. We could use also is_file instead of file_exists but this has never been an issue in the mix.

Code:

Content visible to verified customers only.