[pLog-svn] Critical: security issue
Jon Daley
plogworld at jon.limedaley.com
Sat Mar 29 12:25:52 EDT 2008
Update: the php script was uploaded via the resources. I am not
yet sure how it moved to the .svn directory. The hacker was targeting a
lifetype installation, and knew exactly what steps to take.
His goal was apparently to take down other sites: he installed a
vbulletin exploit, and was working on crashing it.
He actually modified index.php and summary.php a month ago, but my
customer never noticed.
On Sat, 29 Mar 2008, Jon Daley wrote:
> You should disable locale uploading on your sites if you don't trust
> your users. I just saw this on one of my customers' sites. He is running
> the latest version. This PHP script was uploaded and then externally run.
>
> /home/chemblogs/www/locale/admin/.svn/props/secure.PHP
>
> We probably need an .htaccess rule to disable all PHP outside of the
> root. And maybe we should take more seriously the thought about making it
> easier to have files outside of the web space. Some of it is a pain - ie.
> moving the tmp or plugins directory causes some things to fail.
>
> I'll look into this more and see how it goes.
>
>
> --
> Jon Daley
> http://jon.limedaley.com/
>
> Sometimes being smart is a handicap.
> Smart people are often too smart to take advice from others.
> -- Al Ries
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
--
Jon Daley
http://jon.limedaley.com/
Time is nature's way of keeping everything from happening at once.
-- Woody Allen
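The .htaccess rule Jon floats in the quoted message, worked out as an added example (this is not LifeType's own configuration or anything from the thread). It is meant for the directories that hold user-supplied files, such as the resources upload directory, tmp/ and locale/, and it assumes Apache 2.2 with mod_php and an AllowOverride setting that permits these directives; the directory names are the ones mentioned in the thread, nothing else is taken from it.

```apache
# Added example (not part of LifeType): drop this .htaccess into every directory
# that holds uploaded or user-writable content (resources, tmp, locale) so that
# nothing stored there is ever handed to the PHP interpreter or served as a script.
# Assumes Apache 2.2, mod_php, and AllowOverride Options FileInfo Limit (or All).

# 1. Turn the PHP engine off for this directory tree. Guarded by IfModule because
#    php_flag in an .htaccess file yields a 500 error when mod_php is not loaded
#    (e.g. PHP running as CGI/FastCGI), which would take the upload directory offline.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# 2. Remove any handler or MIME mapping a parent configuration may have added for
#    PHP extensions, so a file here is treated as static data at most.
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType    .php .phtml .php3 .php4 .php5

# 3. Refuse to serve anything with a PHP-looking extension at all. The match is
#    case-insensitive on purpose: the script in this incident was "secure.PHP", and
#    Apache's own extension matching ignores case, so a plain "\.php$" regex would
#    block the lower-case spelling while still letting the upper-case one through.
<FilesMatch "(?i)\.(php|phtml|php[3-5]|phps)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# 4. Never expose Subversion metadata; the script was found under .svn/props/.
#    RedirectMatch is mod_alias and is permitted in .htaccess context.
RedirectMatch 404 /\.svn(/|$)
```

On Apache 2.4 the `Order`/`Deny` pair inside `<FilesMatch>` becomes `Require all denied`. Two caveats worth checking after deploying: request a constructed `test.PHP` and `test.php` from the protected directory and confirm both return 403 rather than the file's contents, and remember that this only stops execution through the web server. It does nothing for the other point raised in the thread, that writable directories sit inside the document root at all; moving them outside the web space removes the attack surface instead of filtering it.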