[pLog-svn] [Lifetype Vulnerability] Very Serious File Disclosure Problem (read passwords/config whatever you want)

Jon Daley plogworld at jon.limedaley.com
Wed Feb 14 09:12:49 EST 2007


Yet another reason to run suphp - (and shadow passwords...) http
conf is not accessible by shell or php scripts.  I wonder what webhosts
will do when they find out php6 doesn't support safe mode.

I do agree about the passwords being the same - I hadn't thought
about that case - I generally create the db passwords for my users, so I
make them really hard, and no one in their right mind would use the same
password for their shell or ftp.

On Wed, 14 Feb 2007, Matt Wood wrote:
> It has to be relative because of smarty. And some smarty installations have
> a "secure mode" (like lifetype.net) that won't allow access out of a
> specified sandbox.
>
> The real major danger I see is revealing the db password. And if your shell
> pass happened to be the same as that password, you are toast.
>
> If the sandbox is not enabled, an attacker could read any page they wanted
> on your server like your httpd conf and such.
>
> On 2/14/07, Jon Daley <plogworld at jon.limedaley.com> wrote:
>>
>>         "infected" is probably the wrong word.  But, you can check if
>> anyone has used it on your server, by running a command like:
>> 
>> find -name access.log\* -exec zgrep rss \{} \; |grep "\.\."
>> 
>> I wrote something like this to check my servers last night.
>> 
>> The basic idea is that someone can use the rss parser to read any file on
>> your system - hrm. does it have to be relative?  maybe /etc/passwd
>> would work as well?
>> 
>> On Wed, 14 Feb 2007, Ammar Ibrahim wrote:
>> 
>> > Can we have more info about this Vulnerability? I want to check if our
>> > servers are infected with it,
>> >
>> > Ammar
>> >
>> > On 2/13/07, Matt Wood <matt at woodzy.com> wrote:
>> >> Dev List,
>> >>
>> >> There exists a very serious file disclosure vulnerability within the
>> >> RSS engines that allows anyone to read the contents of files considered to
>> >> be secure.
>> >>
>> >> I highly suggest that everyone turn off all RSS at the moment.
>> >>
>> >> I also suppose you will want to let other people know, I don't really
>> >> have the time to mess with the forums warning people.
>> >>
>> >> Oscar / Jon, I will contact you separately later tonight as this
>> >> vulnerability compromises www.lifetype.net... and I don't really want our
>> >> new server to get hosed.
>> >>
>> >> -Matt
>> >>
>> >> _______________________________________________
>> >> pLog-svn mailing list
>> >> pLog-svn at devel.lifetype.net
>> >> http://limedaley.com/mailman/listinfo/plog-svn
>> >>
>> >
>> 
>> --
>> Jon Daley
>> http://jon.limedaley.com/
>> 
>> Some day my boat will come in, and
>>    with my luck I'll be at the airport.
>> -- Graffiti
>> 
>

-- 
Jon Daley
http://jon.limedaley.com/

In Carmel, NY, A man can't go outside while
wearing a jacket and pants that do not match.
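
The access-log check quoted above, as an added Python example that is not part of the original thread: it looks only at the request field, so a referrer that happens to mention rss does not match, and it percent-decodes the target so encoded `..` sequences are caught too, which goes beyond the plain grep. The sample lines, the path `/feeds/rss` and the parameter `x` are constructed for illustration.

```python
import gzip
import re
from pathlib import Path
from urllib.parse import unquote

# Request field of a common/combined-format log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines: the path /feeds/rss and parameter x are hypothetical.
SAMPLE = [
    '192.0.2.10 - - [14/Feb/2007:08:00:01 -0500] "GET /feeds/rss?x=../../conf HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.11 - - [14/Feb/2007:08:00:02 -0500] "GET /feeds/rss?x=%2e%2e%2fconf HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.12 - - [14/Feb/2007:08:00:03 -0500] "GET /feeds/rss?x=%252e%252e%252fconf HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.13 - - [14/Feb/2007:08:00:04 -0500] "GET /feeds/rss?x=1 HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.14 - - [14/Feb/2007:08:00:05 -0500] "GET /index HTTP/1.1" 200 900 "http://example.org/rss/../" "-"',
]


def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_suspicious(line):
    """True if the request target mentions rss and, once decoded, contains '..'."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    target = decode_fully(m.group(1)).lower()
    return "rss" in target and ".." in target


def scan(root):
    """Return (file, line number, line) for suspicious requests in access.log* under root."""
    hits = []
    for path in sorted(p for p in Path(root).rglob("access.log*") if p.is_file()):
        # Rotated logs are usually gzip-compressed; current ones are plain text.
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as fh:
            for n, line in enumerate(fh, 1):
                if is_suspicious(line):
                    hits.append((str(path), n, line.rstrip("\n")))
    return hits
```

Calling `scan("/var/log")` (or whichever directory holds the web server logs) returns the matching lines with their file and line number for review.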

