[pLog-svn] Critical: security issue

Jon Daley plogworld at jon.limedaley.com
Sat Mar 29 12:33:02 EDT 2008


 	Ah, fnmatch and glob:myfnmatch are case-sensitive.  It probably 
isn't reasonable that the forbidden_upload validator denies .php and not 
.PHP.
 	The quick fix is to add *.PHP, etc. to your upload denied places. 
If you have untrusted users on your system, you probably should check your 
logs for .PHP, etc.
 	The php script was uploaded to the gallery, and then run, and used 
itself to move itself to a different directory.

On Sat, 29 Mar 2008, Jon Daley wrote:

> 	Update: the php script was uploaded via the resources.  I am not yet 
> sure how it moved to the .svn directory.  The hacker was targeting a 
> lifetype installation, and knew exactly what steps to take.
> 	His goal was apparently to take down other sites: he installed a 
> vbulletin exploit, and was working on crashing it.
> 	He actually modified index.php and summary.php a month ago, but my 
> customer never noticed.
>
>
> On Sat, 29 Mar 2008, Jon Daley wrote:
>> 	You should disable locale uploading on your sites if you don't trust 
>> your users.  I just saw this on one of my customers' sites.  He is running 
>> the latest version.  This PHP script was uploaded and then externally run.
>> 
>> /home/chemblogs/www/locale/admin/.svn/props/secure.PHP
>>
>> 	We probably need an .htaccess rule to disable all PHP outside of the 
>> root. And maybe we should take more seriously the thought about making it 
>> easier to have files outside of the web space.  Some of it is a pain - ie. 
>> moving the tmp or plugins directory causes some things to fail.
>>
>> 	I'll look into this more and see how it goes.
>> 
>> 
>> -- 
>> Jon Daley
>> http://jon.limedaley.com/
>> 
>> Sometimes being smart is a handicap.
>> Smart people are often too smart to take advice from others.
>> -- Al Ries
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://limedaley.com/mailman/listinfo/plog-svn
>> 
>
> -- 
> Jon Daley
> http://jon.limedaley.com/
>
> Time is nature's way of keeping everything from happening at once.
> -- Woody Allen
>

-- 
Jon Daley
http://jon.limedaley.com/

We know about as much about software quality problems as they
knew about the Black Plague in the 1600s. We've seen the
victims' agonies and helped burn the corpses. We don't know
what causes it; we don't really know if there is only one
disease. We just suffer - and keep pouring our sewage
into our water supply.
-- Tom Van Vleck
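The case-sensitivity problem described at the top of the thread, shown as an added example (this is illustration code, not LifeType's forbidden_upload validator): a deny-list matched with plain fnmatch() lets "secure.PHP" through, while lower-casing both sides before matching closes that gap. The function names and the deny-list are constructed for the example.

```php
<?php
// Added illustration, not LifeType code: a case-sensitive fnmatch()
// deny-list versus a case-insensitive one.

// Deny-list as a site admin might configure it (constructed sample).
$deniedPatterns = ['*.php', '*.phtml', '*.php3', '*.phps'];

// Case-sensitive check, as the thread describes: matches ".php" only,
// so "secure.PHP" is allowed through.
function isDeniedCaseSensitive(string $filename, array $patterns): bool
{
    foreach ($patterns as $pattern) {
        if (fnmatch($pattern, $filename)) {
            return true;
        }
    }
    return false;
}

// Case-insensitive check: lower-case the file name and every pattern
// before matching.  This is portable; on GNU systems PHP also exposes
// the FNM_CASEFOLD flag for fnmatch(), which has the same effect.
function isDeniedCaseInsensitive(string $filename, array $patterns): bool
{
    $name = strtolower(basename($filename));
    foreach ($patterns as $pattern) {
        if (fnmatch(strtolower($pattern), $name)) {
            return true;
        }
    }
    return false;
}

// Constructed upload names, including the mixed-case variant from the
// thread; only the case-insensitive check denies all three PHP names.
foreach (['secure.php', 'secure.PHP', 'secure.Php', 'photo.jpg'] as $f) {
    printf("%-12s case-sensitive=%-5s case-insensitive=%s\n", $f,
        isDeniedCaseSensitive($f, $deniedPatterns) ? 'deny' : 'allow',
        isDeniedCaseInsensitive($f, $deniedPatterns) ? 'deny' : 'allow');
}
```

The same lower-casing applies when grepping upload or access logs for past uploads, since a case-sensitive search for ".php" misses the ".PHP" variant just as the validator did.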

