ShoutPro Vulnerability Currently Causing Issues For Websites

I've seen a few sites mention that they had to remove a Shoutbox recently due to people exploiting it in some way, shape or fashion. Curiously, while wading through the recent batch of 419 scams I happened to come across an IRS Phish which seemed strangely out of place.

Here's what the Phish mail looked like (promising a tax refund of $600+, naturally):

[Screenshot: the IRS phishing e-mail]

Clicking the link doesn't take you to a fake IRS page - instead, you see this:


[Screenshot: the page the phish link actually leads to]


I decided to contact the site owner and see if he had any further information on what happened. A portion of his response said:

I was using ShoutPro 1.5.2. It looks like the attacker was able to exploit the shoutbox in some way because he created (or uploaded?) a number of files to the server. The most dangerous of these was a script called nsTView, which gave the attacker full access to all my files as well as the ability to run unix commands on my server. I got lucky... since he was running the script from a subdomain, he was only able to actually access files within [URL REMOVED], though he was able to view file lists of files from any directory on my site, and maybe view them using shell commands.

...ouch. You can see an example of nsTView at work here, complete with screenshots (scroll down). As for the type of shoutbox used, the version number the owner gave is significant.

The reason? ShoutPro 1.5.2 has a publicly known issue, disclosed back in 2007, that allows an attacker to inject and execute arbitrary PHP code. From the advisory:

Description:

ShoutPro 1.5.2 fails to fully sanitize user input ($shout) that it writes to the shouts.php file when adding a new message; this can result in the injection and execution of arbitrary PHP code.

Scope:

The vulnerability will in most cases allow an attacker to execute commands on the system. The issue may be further perpetuated if the user has followed the official documentation and chmoded the base folder to '777'.
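To make that bug class concrete, here is an added illustration of my own; it is not ShoutPro's code and not a reconstruction of it, and the advisory says nothing about how exactly shouts.php is laid out, so the storage format is an assumption. The first half is a shoutbox that appends each raw shout to a file with a .php extension and then include()s that file, which is what turns a chat message into executable code. The second half is the same feature storing shouts as JSON data, writing the file with tight permissions, and escaping on output. The file names and the marker payload are constructed for the demonstration.

```php
<?php
// Added illustration of the bug class the advisory describes; this is not ShoutPro's
// code and not a reconstruction of it. First: a shoutbox that appends raw shouts to a
// file with a .php extension and include()s it. Second: the same feature storing
// shouts as JSON data and escaping them on output.
declare(strict_types=1);

// ---------- Vulnerable pattern ----------
// The shout is written verbatim. Because the storage file ends in .php and is later
// passed to include(), any PHP open tag inside $shout turns the shout into code.
function vulnerableAddShout(string $file, string $name, string $shout): void
{
    file_put_contents($file, "<b>$name</b>: $shout<br>\n", FILE_APPEND);
}

function vulnerableRenderShouts(string $file): string
{
    ob_start();
    include $file;                 // the engine executes whatever PHP the file contains
    return (string) ob_get_clean();
}

// ---------- Hardened pattern ----------
// 1. Shouts are data, so keep them in a data file (JSON) that the server never executes,
//    placed outside the document root or denied by the web server configuration.
// 2. Never include() user-supplied content; decode it and escape it at output time.
// 3. Ignore "chmod 777" advice: the file only needs to be writable by the PHP user
//    (0600 here), and the directory it lives in should not be world-writable.
function safeAddShout(string $file, string $name, string $shout): void
{
    $shouts = is_file($file) ? json_decode((string) file_get_contents($file), true) : [];
    if (!is_array($shouts)) {
        $shouts = [];              // corrupt or tampered store: start fresh rather than trust it
    }
    $shouts[] = ['name' => $name, 'text' => $shout, 'time' => time()];
    $json = json_encode($shouts, JSON_THROW_ON_ERROR);

    $tmp = $file . '.tmp';         // write-then-rename so readers never see a partial file
    file_put_contents($tmp, $json, LOCK_EX);
    chmod($tmp, 0600);
    rename($tmp, $file);
}

function safeRenderShouts(string $file): string
{
    $shouts = is_file($file) ? json_decode((string) file_get_contents($file), true) : [];
    $html = '';
    foreach (is_array($shouts) ? $shouts : [] as $s) {
        if (!is_array($s)) {
            continue;              // skip anything that is not a well-formed record
        }
        $name = htmlspecialchars((string) ($s['name'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $text = htmlspecialchars((string) ($s['text'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<b>$name</b>: $text<br>\n";
    }
    return $html;
}

// ---------- Demonstration with a constructed, harmless marker payload ----------
$payload = 'hello <?php echo "INJECTED CODE RAN"; ?>';
$dir = sys_get_temp_dir();

$vulnFile = $dir . '/shouts_demo.php';
@unlink($vulnFile);
vulnerableAddShout($vulnFile, 'guest', $payload);
echo "Vulnerable (include of a .php data file):\n";
echo vulnerableRenderShouts($vulnFile);   // the marker text is printed by executed code

$safeFile = $dir . '/shouts_demo.json';
@unlink($safeFile);
safeAddShout($safeFile, 'guest', $payload);
echo "\nHardened (JSON store, escaped output):\n";
echo safeRenderShouts($safeFile);         // the open tag appears as inert, escaped text
```

Run it with `php` from the command line: the first section prints the marker string because include() ran the code embedded in the shout, the second prints the literal tag as escaped HTML. The fix is not a better blacklist of tags but a change of storage: user content never lands in a file the interpreter will execute, and the server never executes a file that user content can reach.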


The question is whether the attackers behind the current crop of shoutbox attacks are using the above exploit or something new. It seems odd that a whole bunch of people would suddenly start using a year-old vulnerability, but information is thin on the ground at the moment.

A further complication is that ShoutPro is no longer maintained - all you can do is download the files and install them as needed. Worse, if you go to the Download page, the current version available is.....you guessed it....

[Screenshot: the ShoutPro download page]


........whoops. If everyone is still downloading this version, and there are potentially fresh exploits in circulation with nobody left to fix the ShoutPro code that's causing these hijacks, it's clear why so many people are currently being hit.

As the individual I contacted said:

Since the shoutbox caused the security hole, the only way to prevent further damages was to completely delete it.

Given that there's no support for this product anymore, I'd have to heartily endorse that advice. If you're running a shoutbox, make sure you know which one it is and which version, and decide whether the risk of what happened above happening on your own website or server is one you're willing to accept...


About this Entry

This page contains a single entry by Christopher Boyd published on June 26, 2008 11:22 AM.
