Security hole found in Sximo

Hello, just want to share that bad info with you.

I just found out that the core has a bad security hole, all related to file upload.

In fact the Upload Avatar / File Manager modules are not protected.

People can upload PHP files and execute them without restriction.

I will look into fixing it or will disable it on my reloaded demo/git version.

But you can avoid this (temp solution) by adding some lines to your apache.conf configuration file (thanks to a friend who told me how to do it).

  # Refuse to serve (and so to execute) any file under the upload directory
  # whose name ends in a PHP extension. This is Apache 2.2 syntax; on Apache 2.4
  # without mod_access_compat use "Require all denied" in place of the
  # Order/Deny lines.
  <Directory "/var/www/webs/web1/yourdomain/public/uploads">
        <FilesMatch "(?i)\.(php|php3?|phtml)$">
            Order Deny,Allow
            Deny from All
        </FilesMatch>
  </Directory>

Reload/restart your Apache; it will be a temp solution for your script for now.

Hope it helps.

Creed

Thanks for this update!

Creed
Solution

I removed the Elfinder module as it's a bad idea for now to have it.

Still have to fix Avatar Upload.

I emailed Mango as I did a test on his forum and I found out that whoever hacked him used a c99.php file uploaded via the avatar.

The bad part is that now this guy dumped all of Mango's database (the file is actually on his domain) and all our INFO is there.

Meaning our name, mail, password that we put in when we registered on his forum ><

So I suggest you all change your password there (on Mango's website) to a basic password, because if the hacker dumps again he will get the password that you usually use and will try to log in to CodeCanyon or whatever with your account.

As this guy will maybe come here, below is the one who hacked Mango this December, and actually he still has access to his public_html folder, as I saw the file (that PHP script) still present in his user's folder:

'[email protected]', 'andi', 'kurnia', '2128.php3'

Hope Mango will get that ASAP, and when all is clear we will have a better script.

So be careful guys (I also got hacked 2 times last year and didn't find out that it was from the Sximo code).

Now I found out why, so we can stop the hacker :)

Thanks for letting us know about this vulnerability!

mzm said:

Thanks for letting us know about this vulnerability!

You are welcome

I just updated the git repo with the fix that will check the upload file type before saving it into your users folder, and in case it doesn't match the file type it won't let you save your avatar.

Hi Creed,

I have bought Sximo5. I don't find the way to get the fix from GitHub. I have seen it is private and that you have to add me to the list of users who can see it. Can you tell me where I have to write to you to send you my proof of purchase so you can add me to the git?

Thanks in advance, Ariel

Hello, you can send me proof from images taken on your dashboard from CodeCanyon and send it to [email protected]

Hi Creed, Thanks for the answer. I sent you an email to the address you told me with the proof of purchase. Ariel

arpero said:

Hi Creed, Thanks for the answer. I sent you an email to the address you told me with the proof of purchase. Ariel

Yeah, but you didn't send me what I requested to be granted access to the repo.

I only grant access to customers with Sximo 5.1 LTS License + Ajax License + Rest API.

But I will remove the Rest API requirement as no one used it.

So if you have Sximo 5.1 LTS + Ajax license, provide me those screens and I'll add you.

The reason for that is that on the repo I use Sximo 5.1 LTS + Ajax already implemented into the core.

Hi Creed,

I didn't know the Ajax module was needed to have access to the repo. I just bought it. I've sent you the mail again with the images.

arpero said:

Hi Creed,

I didn't know the Ajax module was needed to have access to the repo. I just bought it. I've sent you the mail again with the images.

You got granted.

Got it! Thanks

PERFECTO!! Thanks a lot mate.

I also got hacked 2 times. I always thought it was the WordPress installation. Now I am sure it was Sximo, because I also had those c99.php files.

I am no programmer. Is there a file that I can download and replace to fix the security hole?

thanks

gmmedia said:

I also got hacked 2 times. I always thought it was the WordPress installation. Now I am sure it was Sximo, because I also had those c99.php files.

I am no programmer. Is there a file that I can download and replace to fix the security hole?

thanks

The fix is already implemented on the git.

I don't have the skills to use your git repo.

I thought I just can solve the security hole with a file replacement.

gmmedia said:

I don't have the skills to use your git repo.

I thought I just can solve the security hole with a file replacement.

I did send you the direct link in your email where I did the fix; just check it out and try to do the same.

The fix is related to:

Fix for Avatar Upload
added security check for file type

The fix was to implement the file type check:

// Laravel controller method: validate the uploaded avatar before saving it.
// The mimes rule checks the file's content, not the name the client sent.
$this->validate($request, [
    'avatar' => 'required|mimes:jpg,jpeg,png,bmp',
]);
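An added example, not code from this thread or from Sximo, that shows in Python the two layers the posts above rely on: content-based type detection like the Laravel `mimes` rule, a server-chosen stored name so a client-supplied name such as c99.php or 2128.php3 never reaches disk, and a check of which names the Apache FilesMatch rule from the first post would refuse to serve. The function names, the allowed-signature table and the random-name scheme are assumptions of this example.

```python
import re
import secrets

# Magic-byte signatures for the image types the Laravel rule allows
# (mimes:jpg,jpeg,png,bmp). Detection is done on the bytes, never on the
# filename or Content-Type the client sent.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"BM": "bmp",
}

# The same pattern as the Apache FilesMatch rule posted in the thread; used
# here only to test which stored names that rule would refuse to serve.
APACHE_PHP_PATTERN = re.compile(r"(?i)\.(php|php3?|phtml)$")


def detect_image_type(data: bytes):
    """Return 'jpg', 'png' or 'bmp' from the file content, else None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def safe_avatar_name(data: bytes) -> str:
    """Validate the upload content and return a server-generated filename.

    The client's original filename is deliberately not a parameter: it is
    never written to disk, and the extension comes from the detected type,
    so even PHP text hidden behind a valid image header is stored as
    .jpg/.png/.bmp and not as something the web server would execute.
    """
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("avatar must be a jpg, png or bmp image")
    return f"{secrets.token_hex(16)}.{ext}"


def blocked_by_apache_rule(filename: str) -> bool:
    """True if the FilesMatch rule from the thread would deny this name."""
    return APACHE_PHP_PATTERN.search(filename) is not None
```

The last helper also exposes the stopgap's limit: a name ending in an extension outside the pattern (for example .phar) is not matched, which is why the content check plus a server-chosen name is the real fix and the Apache rule only a backstop.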

Hey Creed, I was able to implement your fix.

Thank you very much for sharing your work with us for free.

Hi Creed!

Is mangopik aware of this security issue? You should be working with mangopik and provide support to his customers, as he doesn't provide any kind of support.

rainmedia said:

Hi Creed!

Is mangopik aware of this security issue? You should be working with mangopik and provide support to his customers, as he doesn't provide any kind of support.

Yes, he knows about this issue, but for now I didn't check his new script; I will do so next week when I am back home.