Serious Security Breach on FlexiContent?

Hi,

I have just been told by my hosting company that the flexicontent component has a security hole in it and allows spammers to use the domain then for spamming emails everywhere.

I had the account suspended and had to remove flexicontent.

Does anyone know of this?

I'm on the latest version 1.5.2

.
Some actual evidence would be helpful.

What specifically did they find?
Server log entries, files hacked, etc.?

If there is an actual issue,
I am sure people here would like to know all the information to fix it.

.

They didn't fix it hence trying to warn everyone and developers to a potential problem.

All I got was an email and I uninstalled flexicontent to counter the problem. It worked nothing spammed now.

EMAIL from hosts with detail removed
From: SUSTAINABLE DEVELOPMENT AGENCY <no_reply@no_reply.org>
Reply-To: jobrecruitment@unsda.org
MIME-Version: 1.0
Content-Type: text/plain
Message-Id: <E1OHMoW-0008Bj-5h@domain.com>
Date: Wed, 26 May 2010 15:02:52 -0500
X-AntiAbuse: This header was added to track abuse, please include it
with any abuse report
X-AntiAbuse: Primary Hostname - domain.com
X-AntiAbuse: Original Domain - aol.com
X-AntiAbuse: Originator/Caller UID/GID - [1629 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - domain.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php
/home/username/public_html/components/com_flexicontent/librairies/phpthumb/m.php

X-Source-Dir:
domainname.co.uk:/public_html/components/com_flexicontent/librairies/phpthumb
x-aol-global-disposition: G
x-aol-sid: 3039ac1d601f4bfd7e6c5160
X-AOL-IP: 74.54.71.139
Content-Transfer-Encoding: quoted-printable
X-Mailer: Unknown (No Version)

But my hosting company said the problem was the component and unless there was an update for it I will have to remove it to get my account un-suspended.

salid wrote: ......
X-Source-Args: /usr/bin/php
/home/username/public_html/components/com_flexicontent/librairies/phpthumb/m.php
...

There is no such file (m.php) in FLEXIcontent.
You should have saved this file so you could look inside.

There is a server hack going around which adds such randomly named files which do the actual emailing.
GoDaddy has been particularly hard hit.
The files have some base64 encoded code inside.


Usually there are multiple files added.
You will need to check your entire installation.
One way to check is to download all server files via FTP and
locally run a search within all files for "base64_decode"

There are ongoing discussions in the Joomla Security forum.
You may want to take a look there.

Last time I looked the exact method of the hack had not yet been determined.


.

Hi there,

I just got back to working on a site with FlexiContent, and have found that my ISP ( or someone or something? ) has removed all permissions ( 00000 )to the - components/com_flexicontent/librairies directory.

I have not had any emails as they go directly to the client who is not great at looking at things, but I am guessing it has something to do with this.. so I will investigate furthur, but wondering if there is any more discussion here with this.. or if anyone has any more details..

If this a phpthumb problem - and therfore a FlexiContent problem (ie: what do we use if we cant use this to gen thumbnails , a joomla problem, or something else?

Any thoughts, suggestions, information in what the hack is ( what can I search for in the Joomla forums) etc would be great!

Many thanks in advance

Michael Tull

did you see this ?
<!-- l --><a class="postlink-local" href=" www.flexicontent.org/phpbb/viewtopic.php?f=16&t=2486 ">viewtopic.php?f=16&t=2486
regards