[pLog-svn] [Lifetype Vulnerability] Very Serious File Disclosure Problem (read passwords/config whatever you want)

Matt Wood matt at woodzy.com
Wed Feb 14 09:06:59 EST 2007


It has to be relative because of smarty. And some smarty installations have
a "secure mode" (like lifetype.net) that won't allow access out of a
specified sandbox.

The real major danger I see is revealing the db password. And if your shell
pass happened to be the same as that password, you are toast.

If the sandbox is not enabled, an attacker could read any page they wanted
on your server like your httpd conf and such.

On 2/14/07, Jon Daley <plogworld at jon.limedaley.com> wrote:
>
>         "infected" is probably the wrong word.  But, you can check if
> anyone has used it on your server, by running a command like:
>
> find -name access.log\* -exec zgrep rss \{} \; |grep "\.\."
>
> I wrote something like this to check my servers last night.
>
> The basic idea is that someone can use the rss parser to read any file on
> your system - hrm. does it have to be relative?  maybe /etc/passwd
> would work as well?
>
> On Wed, 14 Feb 2007, Ammar Ibrahim wrote:
>
> > Can we have more info about this Vulnerability? I want to check if our
> > servers are infected with it,
> >
> > Ammar
> >
> > On 2/13/07, Matt Wood <matt at woodzy.com> wrote:
> >> Dev List,
> >>
> >> There exists a very serious file disclosure vulnerability within the
> >> RSS engines that allows anyone to read the contents of files considered to
> >> be secure.
> >>
> >> I highly suggest that everyone turn off all RSS at the moment.
> >>
> >> I also suppose you will want to let other people know, I don't really
> >> have the time to mess with the forums warning people.
> >>
> >> Oscar / Jon, I will contact you separately later tonight as this
> >> vulnerability compromises www.lifetype.net... and I don't really want our
> >> new server to get hosed.
> >>
> >> -Matt
> >>
> >> _______________________________________________
> >> pLog-svn mailing list
> >> pLog-svn at devel.lifetype.net
> >> http://limedaley.com/mailman/listinfo/plog-svn
> >>
> >
>
> --
> Jon Daley
> http://jon.limedaley.com/
>
> Some day my boat will come in, and
>    with my luck I'll be at the airport.
> -- Graffiti
>
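The find/zgrep check quoted above only matches a literal `..` somewhere on the log line. The following is an added example (not part of the original thread and not Lifetype code) that applies the same check to the request field after percent-decoding, so encoded forms of `..` are flagged as well. The log lines and the `id` and `param` parameter names are constructed placeholders.

```python
import gzip
import os
import re
from urllib.parse import unquote

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) [^"]*"')

def fully_unquote(target, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded dots become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_suspicious(line):
    """True if the decoded request target mentions rss and contains '..'."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    target = fully_unquote(m.group(1)).replace("\\", "/").lower()
    return "rss" in target and ".." in target

def scan_lines(lines):
    return [ln.rstrip("\n") for ln in lines if is_suspicious(ln)]

def scan_logs(root="."):
    """Walk root for access.log* files (plain or .gz), as the find/zgrep command does."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("access.log"):
                path = os.path.join(dirpath, name)
                opener = gzip.open if name.endswith(".gz") else open
                with opener(path, "rt", errors="replace") as fh:
                    hits.extend((path, ln) for ln in scan_lines(fh))
    return hits

# Constructed sample lines; "id" and "param" are placeholder parameter names.
SAMPLE = [
    '10.0.0.1 - - [14/Feb/2007:09:00:00 -0500] "GET /rss.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.2 - - [14/Feb/2007:09:00:01 -0500] "GET /rss.php?param=../../x HTTP/1.1" 200 90',
    '10.0.0.3 - - [14/Feb/2007:09:00:02 -0500] "GET /rss.php?param=%2e%2e%2f%2e%2e%2fx HTTP/1.1" 200 90',
    '10.0.0.4 - - [14/Feb/2007:09:00:03 -0500] "GET /rss.php?param=%252e%252e%252fx HTTP/1.1" 200 90',
    '10.0.0.5 - - [14/Feb/2007:09:00:04 -0500] "GET /index.php?p=../x HTTP/1.1" 404 0',
]
```

`scan_logs("/var/log")` returns `(path, line)` pairs for review; the directory is an assumption, so point it at wherever your web server writes its access logs.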