Hi
Can you please look here: http://www.miliwoman.com/
Click the links in LATEST UPDATED GALLERIES
I guess someone hacked Zen and added this to the album paths:
栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀
And such crappy URLs are output through this function only:
``
Other paths are fully OK
And I cannot find this in the Admin panel; I can remove it through the database only.
Very strange
Very strange indeed. What does the function itself in the album_image_plugin.php file look like? If that has been altered by someone you should be able to remove this by overwriting that file with the actual one. Also please read this:
http://www.zenphoto.org/2008/08/troubleshooting-zenphoto/#29
Sorry, the file is actually named image_album_statistics.php, though you know/see what I mean; it's within zp-core/plugins.
I would also suggest you contact your host about that. It may be the case that the hack took place via your account or the server in general and not via zenphoto. Please also read this recent thread: http://www.zenphoto.org/support/topic.php?id=4656
Screen from DB:
http://pixhost.ws/avaxhome/b5/2e/000b2eb5.png
And I can delete all this strange info through the database only.
This means that someone has hacked your filesystem.
I'm sorry, but no, none of the folders in the albums directory contain any folder with the name:
栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀
The directory structure is untouched.
Changes take place in the DB only.
I hope that it is my mistake and ZenPhoto has no security bugs.
olihar
you were not playing around with UTF-16. I got some similar strange things when I did that the other day.
I'm not playing with UTF-16 or anything similar; the character encoding in the Admin panel is set to UTF-8.
sbillard
I have such paths in the DB ONLY (zp_albums table):
栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀
/Austria/Police
栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀/Denmark/Army
There are no such Chinese folders at all. And these paths appear for printLatestUpdatedAlbums ONLY. So if this is not a security bug I do not know what it is...
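A check on the "Chinese" paths quoted in the post above, added here as an example; this is not code from the thread or from Zenphoto. Every character of those strings is a code point of the form U+XX00 where XX is a printable ASCII byte (U+6800 is "h", U+7400 is "t", U+7000 is "p", U+3A00 is ":"), which is exactly what UTF-16LE bytes look like when they are read big-endian. The script reproduces that transformation, reverses it, and flags rows whose folder value is not a plain path. The folder values in the list are copied from the posts; the column name `folder` and the idea of running this over a dump of zp_albums are assumptions.

```python
# Added example: decode the "Chinese" album paths quoted in the thread.
# Constructed sample of zp_albums folder values taken from the posts
# (the column name `folder` is an assumption).
SAMPLE_FOLDERS = [
    "栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀",
    "/Austria/Police",
    "栀琀琀瀀㨀⼀⼀瀀愀最攀愀搀㈀⸀最漀漀最氀攀猀礀渀搀椀挀愀琀椀漀渀⸀挀漀洀⼀瀀愀最攀愀搀⼀猀栀漀眀开愀搀猀⸀樀猀/Denmark/Army",
]


def mojibake_from_utf16le(text):
    """Show how the strings arise: UTF-16LE bytes read as UTF-16BE.

    "h" is the byte pair 68 00 in UTF-16LE; read big-endian that pair is
    U+6800 ("栀").  Only ASCII input is meaningful here, since a wider
    character would not land on a U+XX00 code point.
    """
    return text.encode("utf-16-le").decode("utf-16-be")


def decode_high_byte_ascii(text):
    """Undo the mojibake one character at a time.

    A code point whose low byte is 0 and whose high byte is printable
    ASCII is mapped back to that ASCII character; everything else
    (including real path segments such as "/Denmark/Army") passes
    through unchanged.  Genuine CJK text practically never sits on
    U+XX00 code points, so the heuristic is safe for triaging a dump.
    """
    out = []
    for ch in text:
        hi, lo = ord(ch) >> 8, ord(ch) & 0xFF
        out.append(chr(hi) if lo == 0 and 0x20 <= hi < 0x7F else ch)
    return "".join(out)


def find_suspicious(folders):
    """Return (raw, decoded) pairs for folder values that are not plain paths.

    A row is flagged when decoding changed it (mojibake was present) or
    when the value carries a URL scheme, which no album folder should.
    """
    hits = []
    for raw in folders:
        decoded = decode_high_byte_ascii(raw)
        if decoded != raw or "://" in decoded:
            hits.append((raw, decoded))
    return hits


if __name__ == "__main__":
    for raw, decoded in find_suspicious(SAMPLE_FOLDERS):
        print(f"{raw!r} -> {decoded!r}")
```

Running it over the two CJK-looking values from the post yields the same ASCII string for both: a URL ending in `.js`, with `/Denmark/Army` appended in the second row. Why the rows appear only in the latest-updated listing is not something the script can tell; it only recovers what was written into the table.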
Maybe the MySQL account has been hacked then? Is there anything strange in your server logs? I currently don't see how the function printLatestUpdatedAlbums() could be the cause, as this function just returns what is already in the database. But we of course need to find that out.
Maybe the MySQL account has been hacked then?
It is very doubtful. MySQL uses only an internal IP, and it looks especially strange after I changed all passwords.
Someone found a way to add data to the zp_albums table:
http://pixhost.ws/avaxhome/b5/2e/000b2eb5.png
and printLatestUpdatedAlbums() perceives these rows as Latest Updated Albums and displays them.
Well, we really need to find out the way this data gets into your database.
Thank you; maybe this can affect many ZenPhoto installations.
I really doubt it is the printLatestUpdatedAlbums function; the leak must be somewhere else.
Yep, it just reads and outputs data.
The attack continues; here is part of a dump with new "hack" records:
http://www.miliwoman.com/dump.sql
Too much work for a human; I guess some "hacker script" does this.
Maybe it helps.
P.S.
Maybe give the zp_albums table read-only rights? And change it before a gallery update.
Yes, it's already fixed, but anyway here it is:
http://www.xakep.ru/post/41761/Zenphoto-SQL-Injection-Exploit.txt
Looks like someone found a similar vulnerability :-(
Found another strange regularity: whenever I open a similar URL:
2 rows with these paths appear in the zp_albums table.
Looks like an Easter egg ))
If someone opens this link, 93 rows appear in the zp_albums table, all my albums.
Yep, I was right, this is an Easter egg
or
The links work pretty fine.
It even works with ZenPage.