lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <003701c77d3b$dfb5bb00$9f213100$@com>
Date: Thu, 12 Apr 2007 12:50:50 -0700
From: "Ryan Neufeld" <it@...powersystems.com>
To: "'Gadi Evron'" <ge@...uxbox.org>, <rurban@...ay.at>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Critical phpwiki c99shell exploit

On that note you might as well deny php5 too

--Ryan Neufeld

IT Systems Manager

it@...powersystems.com

MagPower Systems Inc.

Ph: (640)940-3232

Fax: (640)940-3233


-----Original Message-----
From: Gadi Evron [mailto:ge@...uxbox.org] 
Sent: Thursday, April 12, 2007 9:50 AM
To: rurban@...ay.at
Cc: bugtraq@...urityfocus.com
Subject: Re: Critical phpwiki c99shell exploit

On 12 Apr 2007 rurban@...ay.at wrote:
> Via the Phpwiki 1.3.x UpLoad feature some hackers from russia uploaded a
php3 or php4 file,
> install a backdoor at port 8081 and have access to your whole disc and
overtake the server.
> 
> A url in the file is http://ccteam.ru/releases/c99shell
> 
> The uploaded file has a php, php3 or php4 extension and looks like a gif
to the mime magic.
> So apache usually accepts it.
> 
> To fix this phpwiki issue at first move the lib/plugin/UpLoad.php file out
of this directory.
> 
> You can fix it by adding those two lines to your list of disallowed
extensions:
>   php3
>   php4
> Currently only "php" is disallowed.
> 

This is a good best practice, but it doesn't hold water long
range. Further, where do you disallow these extensions? In the
application?

Mostly what the bad guys would do is upload, say.. .jpg, and then rename
it.

	Gadi.

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.446 / Virus Database: 269.3.0/758 - Release Date: 4/12/2007
11:52 AM
 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.446 / Virus Database: 269.3.0/758 - Release Date: 4/12/2007
11:52 AM
 
  

Download attachment "Ryan Neufeld (it@...powersystems.com).vcf" of type "application/octet-stream" (507 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ