[pLog-svn] Critical: security issue

Jon Daley plogworld at jon.limedaley.com
Sat Mar 29 12:46:51 EDT 2008


 	We currently support PHP 4.2.  I'd like to change that to 4.3 in 
order to use the native fnmatch function, rather than having a 
half-supported $flags parameter (specifically FNM_CASEFOLD).
 	I'll check in that version of the function, but if we can raise 
the minimum to 4.3, we can remove the myfnmatch function altogether, which 
will be better.

On Sat, 29 Mar 2008, Jon Daley wrote:
> 	Ah, fnmatch and glob:myfnmatch are case-sensitive.  It probably isn't 
> reasonable that the forbidden_upload validator denies .php and not .PHP.
> 	The quick fix is to add *.PHP, etc. to your upload denied places. If 
> you have untrusted users on your system, you probably should check your logs 
> for .PHP, etc.
> 	The php script was uploaded to the gallery, and then run, and used 
> itself to move itself to a different directory.
>
> On Sat, 29 Mar 2008, Jon Daley wrote:
>
>> 	Update: the php script was uploaded via the resources.  I am not yet 
>> sure how it moved to the .svn directory.  The hacker was targeting a 
>> lifetype installation, and knew exactly what steps to take.
>> 	His goal was apparently to take down other sites: he installed a 
>> vbulletin exploit, and was working on crashing it.
>> 	He actually modified index.php and summary.php a month ago, but my 
>> customer never noticed.
>> 
>> 
>> On Sat, 29 Mar 2008, Jon Daley wrote:
>>> 	You should disable locale uploading on your sites if you don't trust 
>>> your users.  I just saw this on one of my customers' sites.  He is running 
>>> the latest version.  This PHP script was uploaded and then externally run.
>>> 
>>> /home/chemblogs/www/locale/admin/.svn/props/secure.PHP
>>>
>>> 	We probably need an .htaccess rule to disable all PHP outside of the 
>>> root. And maybe we should take more seriously the thought about making it 
>>> easier to have files outside of the web space.  Some of it is a pain - i.e. 
>>> moving the tmp or plugins directory causes some things to fail.
>>>
>>> 	I'll look into this more and see how it goes.
>>> 
>>> 
>>> -- 
>>> Jon Daley
>>> http://jon.limedaley.com/
>>> 
>>> Sometimes being smart is a handicap.
>>> Smart people are often too smart to take advice from others.
>>> -- Al Ries
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://limedaley.com/mailman/listinfo/plog-svn
>>> 
>> 
>> -- 
>> Jon Daley
>> http://jon.limedaley.com/
>> 
>> Time is nature's way of keeping everything from happening at once.
>> -- Woody Allen
>> 
>
> -- 
> Jon Daley
> http://jon.limedaley.com/
>
> We know about as much about software quality problems as they
> knew about the Black Plague in the 1600s. We've seen the
> victims' agonies and helped burn the corpses. We don't know
> what causes it; we don't really know if there is only one
> disease. We just suffer - and keep pouring our sewage
> into our water supply.
> -- Tom Van Vleck
>

-- 
Jon Daley
http://jon.limedaley.com/

It's better to be hated for telling the truth than
loved for telling a lie.
-- Joyce Rogers
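The case-sensitivity gap discussed in this thread, as an added illustration that is not LifeType's own validator code: a glob-based deny list checked with plain fnmatch() lets "secure.PHP" through, while the same list checked with FNM_CASEFOLD (PHP 4.3 and later) rejects it. The pattern list and sample filenames are constructed for the demo.

```php
<?php
// Added example, not LifeType's code. Shows why a case-sensitive glob check
// lets "secure.PHP" through and how FNM_CASEFOLD (PHP >= 4.3) closes it.

// Constructed deny list, in the spirit of the forbidden_upload validator.
$forbiddenPatterns = array('*.php', '*.php3', '*.phtml');

// The weak check: fnmatch() without flags is case-sensitive, so "*.php"
// matches "secure.php" but not "secure.PHP".
function isForbiddenCaseSensitive($filename, array $patterns)
{
    foreach ($patterns as $pattern) {
        if (fnmatch($pattern, basename($filename))) {
            return true;
        }
    }
    return false;
}

// The hardened check: FNM_CASEFOLD makes the glob case-insensitive, so
// "*.php" also rejects ".PHP", ".Php" and every other capitalisation.
function isForbiddenCaseFolded($filename, array $patterns)
{
    foreach ($patterns as $pattern) {
        if (fnmatch($pattern, basename($filename), FNM_CASEFOLD)) {
            return true;
        }
    }
    return false;
}

// Constructed sample uploads: only the case-folded check denies all three
// script names; the case-sensitive one allows the upper-case variants.
$samples = array('photo.jpg', 'secure.php', 'secure.PHP', 'shell.Phtml');
foreach ($samples as $name) {
    printf("%-12s case-sensitive: %-5s case-folded: %s\n",
        $name,
        isForbiddenCaseSensitive($name, $forbiddenPatterns) ? 'deny' : 'allow',
        isForbiddenCaseFolded($name, $forbiddenPatterns) ? 'deny' : 'allow');
}
```

Until the minimum PHP version is raised, the same effect can be had in a fallback like myfnmatch by lowercasing both pattern and filename before matching, which is what FNM_CASEFOLD does natively.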

