By: Emmanuel DeFreitas

iframe injectionYou can imagine my surprise when I logged into one of my Article Dashboard scripted sites, and found that I had a warning from Geocities stating that I had exceeded my bandwidth and my site: http://geocities.com/MarinoCorbie2838 was shut down. Who the hell is Marino Corbie? You see, my site is an Article Dashboard scripted site that is not hosted by Geocities! My site, ADB Article Directory, http://www.adjustable-bed-center.com/adb/ , is hosted at Hostgator.

I immediately got on the phone and called customer service to see if I could get to the bottom of this. After a few minutes of explaining using  my befuddled, non-technical terminology, the pleasant young fellow at the other end of the line got cracking trying to figure out what was wrong. Fifteen minutes later, he had come to the conclusion that there was nothing he could do and suggested I fire off a support ticket.

A support ticket was submitted and I eagerly awaited my fate.  I had received my first response in rather short order. It stated “It seems that particular file (index.php) has been exploited using iframe injection, I’m escalating this to the appropriate department so they can further investigate this issue. If theres anything else we can assist you with please let us know and we’ll be glad to help.” WTF…excuse my French…is an iframe injection and since it was now being “escalated to the appropriate department” I thought there was definitely something serious going on here.

I Googled “iframe injection” and after reading a ton of stuff that I had no clue about, I came to the conclusion that my site had been attacked by some knuckle dragging motherless a-hole with too much time on his/her hands.

The next day, I checked my email for an update and sure enough, Hostgator had sent me the following: “ This is an exploit in the article directory software itself. Please check :

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4333

 Your header.tpl was changed due to this. I have removed this iframe now from the header file. You need to replace the header file from any backup you might have or fill in hostgator.com/restore.php to have us do it.” Well, there it was. All I had to do was change my header.tpl file and everything would be fine. Right? Wrong!

I changed the header.tpl file from a backup and my homepage showed up just fine but all my articles had disappeared and the other pages were all a jumbled mess. I had what was essentially a live website with nothing but garbage being displayed. After firing off another email to the troubleshooters at Hostgator, they suggested that I restore my site from their last stored backup. I paid my $15 fee for the backup service and my site was restored to the way it was about one week ago. I had lost any authors, articles or changes that had been made during that week and paid for the process. I immediately wished a horrible agonizing death on whoever had initiated this process.

I sent one more email to Hostgator asking them what, if anything, I could do to prevent this from happening in the future. I received the following response:

“The best way to prevent this from happening is to make sure the software you use is up to date. This applies to all software you install and use within your account, this also includes using fantastico only if you have to. The problem with fantastico is that the developers of this product have to support so many different applications that they are usually behind on the latest updates. We can’t really do anything about that as we don’t develop the software. For optimal security I recommend the following:

1. Install software from the latest version off the developer’s site manually.
2. Check this site periodically or use any built in update functions the script may have to ensure you are running the latest version.
3. Stay up to date with news the developers may post or any exploits posted on security sites such as http://www.securityfocus.com/. Some times developers just can’t patch their software fast enough, some developers can’t even fix the exploits in their software between versions. Some software is just poorly coded or supported.
4. There is really no way to prevent all security issues, especially brand new ones that are unknown to the general public (0day exploits) so keeping backups is also very important.”

This is all well and good for software that has updates. Unfortunately, Article Dashboard does not have much in the way of updates or patches and to top it all up, their code is encrypted. Even if someone with the credentials to tweak and improve their code wanted to make improvements, they couldn’t. I certainly hope that a new improved version of this script becomes available soon because when it works, it works fine. There obviously are some things that need to be addressed.

A description of the Iframe injection problem and solution from http://secunia.com/advisories/26163  follows:

Description:
Some vulnerabilities have been reported in Article Dashboard, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

1) Input passed to the “id” parameter in article.php (when “act” is set to “print”) is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that “magic_quotes_gpc” is disabled.

2) Input passed to multiple form field parameters (e.g. “f_emailaddress”, “f_reemailaddress”) in signup.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

The vulnerabilities are confirmed in the version downloaded 2007-07-25. Other versions may also be affected.

Solution:
Enable “magic_quotes_gpc” and filter malicious characters and character sequences in a web proxy.

Provided and/or discovered by:
1) Dino Covotsos of Telspace Systems Research Team, including Charlton Smith
2) An anonymous person

Changelog:
2007-08-15: Added CVE reference.

In conclusion; it’s a jungle out there and it’s full of very stupid, malicious individuals with nothing better to do than make someone else’s life a little harder. It’s pathetic but true.  I hope I have given you a heads-up on this “iframe injection” problem with Article Dashboard so you can avoid the headaches I went through.

Article directory offering Publishers, Webmasters free expert content and free article reprints…Authors …promote yourselves, your site, your products or services by submitting your unique articles. Add your site to our free directory.

Technorati , , , , , , , , , , , ,