After having updated core and all modues to the latest - been keeping an eye on the Admin log to see if an injection attacks are getting deeper in to the system than perhaps they out to ..... by sifting through the HTTP access logs I can see that this is the URL that still triggers the error message in the admin log
Code: Select all
index.php?mact=LISEVacancies,cntnt01,detail,0&cntnt01item=care_assistant&cntnt01template_summary=AC Welcome&cntnt01detailpage=vacancy-detail-page&cntnt01template_detail=/etc/passwd&cntnt01returnid=29
It is a call to display a page that contains data from in a LISE instance using what ought to be a specific LISE detail template - but note the injection hackers are messing with the template name - they are trying to do an OS injection via /etc/passwd as the template name. Bit surprising that it gets as far as /lib/classes/internal/class.Smarty_CMS.php where it fails some validation in "create template" causing a SMARTY dump (good that it simply fails validation rather than in a SQL call etc - but this seems about 3 or 4 steps late in shutting down this abuse. Here is the SMARTY trace
Code: Select all
#0 /homepages/38/d242029264/htdocs/acgtest/lib/classes/internal/class.Smarty_CMS.php(365): Smarty_CMS->createTemplate('module_db_tpl:L...', '', 'LISEVacancies', Object(Smarty_CMS))
#1 /homepages/38/d242029264/htdocs/acgtest/lib/classes/internal/module_support/modtemplates.inc.php(174): Smarty_CMS->fetch('module_db_tpl:L...', '', 'LISEVacancies')
#2 /homepages/38/d242029264/htdocs/acgtest/lib/classes/class.CMSModule.php(2647): cms_module_ProcessTemplateFromDatabase(Object(LISEVacancies), 'detail_/etc/pas...', '', false, 'LISEVacancies')
#3 /homepages/38/d242029264/htdocs/acgtest/modules/LISE/framework/action.detail.php(176): CMSModule->ProcessTemplateFromDatabase('detail_/etc/pas...')
#4 /homepages/38/d242029264/htdocs/acgtest/modules/LISE/lib/class.LISEInstance.php(536): include('/homepages/38/d...')
#5 /homepages/38/d242029264/htdocs/acgtest/lib/classes/class.CMSModule.php(1479): LISEInstance->DoAction('detail', 'cntnt01', Array, '29')
#6 /homepages/38/d242029264/htdocs/acgtest/lib/page.functions.php(550): CMSModule->DoActionBase('detail', 'cntnt01', Array, '29', Object(Smarty_CMS))
#7 /homepages/38/d242029264/htdocs/acgtest/index.php(156): preprocess_mact('29')
#8 {main}
At step #5 in /lib/classes/class.CMSModule.php(1479) ; just prior to this in lines 1446 and 1457-1461 some URL parameter clean up is done in the core but clearly is failing to trap the "/etc/passwd" string which seems odd - I think any URL parameter containing "/" ought to be cleaned/rejected.
I am not sure what ->_cleanParamHash does I will review that next