Critical phpwiki c99shell exploit Apr 12 2007 01:14PM
rurban x-ray at (2 replies)
Re: Critical phpwiki c99shell exploit Apr 12 2007 04:59PM
Jamie Riden (jamie riden gmail com)
Re: Critical phpwiki c99shell exploit Apr 12 2007 04:50PM
Gadi Evron (ge linuxbox org) (2 replies)
Re: Critical phpwiki c99shell exploit Apr 16 2007 10:29AM
Taneli Leppä (taneli crasman fi)
RE: Critical phpwiki c99shell exploit Apr 12 2007 07:50PM
Ryan Neufeld (it magpowersystems com)
On that note you might as well deny php5 too

--Ryan Neufeld

IT Systems Manager

it (at) magpowersystems (dot) com

MagPower Systems Inc.

Ph: (640)940-3232

Fax: (640)940-3233

-----Original Message-----
From: Gadi Evron [mailto:ge (at) linuxbox (dot) org]
Sent: Thursday, April 12, 2007 9:50 AM
To: rurban (at) x-ray (dot) at
Cc: bugtraq (at) securityfocus (dot) com
Subject: Re: Critical phpwiki c99shell exploit

On 12 Apr 2007 rurban (at) x-ray (dot) at wrote:
> Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia uploaded a php3 or php4 file,
> install a backdoor at port 8081 and have access to your whole disc and overtake the server.
>
> A URL in the file is http://ccteam.ru/releases/c99shell
>
> The uploaded file has a php, php3 or php4 extension and looks like a GIF to the mime magic.
> So Apache usually accepts it.
>
> To fix this phpwiki issue at first move the lib/plugin/UpLoad.php file out of this directory.
>
> You can fix it by adding those two lines to your list of disallowed extensions:
> php3
> php4
> Currently only "php" is disallowed.
>

This is a good best practice, but it doesn't hold water long
range. Further, where do you disallow these extensions? In the
application?

Mostly what the bad guys would do is upload, say.. .jpg, and then rename
it.

Gadi.


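The gap between the deny list described in the quoted advisory and an allow list, as an added example that is not part of the thread and is not PhpWiki code. The function names, the ALLOW list and the sample file names are assumptions, and the sample file body is constructed.

```php
<?php
// Added example, not PhpWiki code. Lists and names below are assumptions.

// Deny list as the advisory describes it: only "php" is blocked.
const DENY = ['php'];
// Hypothetical allow list for a wiki that only needs images and documents.
const ALLOW = ['gif', 'jpg', 'jpeg', 'png', 'pdf', 'txt'];

/** Deny-list check: accepts anything whose final extension is not listed. */
function deny_list_accepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENY, true);
}

/**
 * Allow-list check: every dot-separated segment after the base name must be
 * listed. Apache's mod_mime looks at all extensions of a file name, so
 * "notes.php.gif" is refused as well as "notes.php4".
 */
function allow_list_accepts(string $name): bool
{
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts);                    // drop the base name
    if ($parts === []) {
        return false;                       // no extension at all
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOW, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample body: GIF magic bytes followed by placeholder text.
// A magic-byte check passes no matter what follows the first six bytes.
$body = "GIF89a" . "<placeholder, not image data>";
printf("magic says gif: %s\n", strncmp($body, "GIF89a", 6) === 0 ? 'yes' : 'no');

// Constructed file names covering the extensions named in the advisory.
foreach (['photo.gif', 'notes.php', 'notes.php3', 'notes.PHP4', 'notes.php.gif'] as $n) {
    printf("%-14s deny-list:%-7s allow-list:%s\n", $n,
        deny_list_accepts($n) ? 'accept' : 'reject',
        allow_list_accepts($n) ? 'accept' : 'reject');
}
```

The deny list accepts `notes.php3`, `notes.PHP4` and `notes.php.gif`; the allow list accepts only `photo.gif`.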
