Schonhose

Thanks to Dave we found the mentioning of an exploit for the Pixelpost Copy Folder addon. This exploit consists of spoofing some fake administrator credentials so the hacker can try to get the login info from the file “pixelpost.php”. It was uploaded about a month ago (June 9th) by someone called Charles F.

Obviously we patched the svn version as soon as possible but I wanted to comment on the actual chance of getting hacked. To get hacked your server has to have the following options:

• register_globals = On
• Sufficient rights to write a file in the addon folder

Well, let’s comment on the first option, the register_globals setting. In my opinion any host that has set this setting on should be shutdown as soon as possible. Default setting of this option has been off since PHP 4.2.0 and for good reason!

Most hosting companies have setup different users for both PHP and FTP users. The PHP user is the user under which the PHP compiler runs, the FTP user is you uploading the files through FTP. With PHP Safe mode set to on, the PHP user cannot create files in a folder owned by the FTP user (assuming you’re on Linux and Apache). You can test this easily: did you need to set your images and thumbnails folder to CHMOD 777 upon install of Pixelpost? If the answer is yes, there is no way this hack could work on your server.

If the answer is no, you might be vulnerable (especially when register_globals is also enabled). In that case remove the Copy folder addon (“copy_folder.php”) from your addons folder. Chances you do get hacked are small, but better safe than sorry.