Re: Found security exploit in port phpBB 2.0.8 FreeBSD4.10

From: Brett Glass (brett_at_lariat.org)
Date: 12/28/04

Date: Mon, 27 Dec 2004 19:30:28 -0700
To: "Jerry Bell" <jerry@syslog.org>, estover@nativenerds.com


    The "PHPInclude" worm seeks out sites which are running PHP and tries to
    break into them by injecting unexpected data into variables. If those
    variables are fed without proper input checking to the include(),
    require(), or urldecode() functions within the script, or (worse) treated
    as UNIX commands, it is possible to retrieve the contents of sensitive
    files and/or execute arbitrary commands on the server. The same old
    lesson that seasoned programmers learn just before they get kicked
    upstairs into management, and the new young ones don't know yet: Never
    trust potentially hostile input. And always use "tainting" or a similar
    mechanism if it's available. (What? Don't know about "tainting?" You must
    be a C programmer.) ;-)

    Also see:

    http://www.pcworld.com/news/article/0,aid,119051,00.asp

    Interestingly, the worm is written in Perl, not PHP. I know for a fact that
    Santy.A, the version that attacked phpBB exclusively, was written in Perl,
    because I've captured the source in a honeypot. If it's not exactly the same
    code as that displayed at

    http://www.k-otik.com/exploits/20041222.sanityworm.pl.php

    what I caught is darned similar. The more generalized script is at

    http://www.k-otik.com/exploits/20041225.PhpIncludeWorm.php

    --Brett

    At 06:28 PM 12/27/2004, Jerry Bell wrote:
      
    >The update for phpbb came out a while ago, and it looks like the ports
    >were updated on 11/25/2004. Have you tried updating the ports? I think
    >this is already addressed.
    >
    >On a side note, I'm surprised you didn't get hit by the worm (unless it
    >happened before the worm came out). There is a new worm out now that
    >attacks some weak php programming, though it's not very widespread. See
    >http://www.syslog.org/Article10.phtml for a little more detail.
    >
    >I don't know if it's a worm or not, but I'm seeing people trying to attack
    >my site pretty frequently lately.
    >
    >Best regards & happy holidays,
    >
    >Jerry
    >http://www.syslog.org

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
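The failure mode Brett describes, request data reaching include()/require() without a check, and the "tainting" remedy he recommends, as an added Python example that is not part of this thread, of phpBB or of the worm's code. It models a request parameter that enters as a Tainted value, a validator that is the only way to turn it back into a plain string (strict name syntax plus an allowlist), and an include-style sink that refuses Tainted input and additionally confirms the resolved file stays under the template directory. The names (Tainted, untaint_page, include_template, ALLOWED_PAGES, BASE_DIR) and the directory layout are assumptions made for the example.

```python
"""Toy taint tracking for an include()-style sink (constructed example).

Every request parameter enters as Tainted, and the only way to obtain a
plain str is through a validator, so a sink that refuses Tainted values
cannot be reached with unchecked input.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample "site": page names the script legitimately serves,
# and an assumed template directory (not taken from the mail).
ALLOWED_PAGES = {"index", "faq", "viewtopic"}
BASE_DIR = "/var/www/forum/templates"
PAGE_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


@dataclass(frozen=True)
class Tainted:
    """A value that came from the request and has not been validated."""
    value: str

    def __str__(self) -> str:
        # Refuse to silently collapse into a str (e.g. via string concatenation).
        raise TypeError("tainted value used where a plain str is required")


def request_param(raw: str) -> Tainted:
    """Everything that arrives over HTTP is marked tainted at the boundary."""
    return Tainted(raw)


def untaint_page(param: Tainted, allowed: set[str] = ALLOWED_PAGES) -> str:
    """The only path from Tainted to str: strict syntax check plus allowlist.

    The syntax check rejects '/', '.', ':' and shell metacharacters, so
    traversal and URL schemes never reach the allowlist comparison; the
    allowlist then rejects well-formed names that are not pages we serve.
    """
    raw = param.value
    if not PAGE_NAME.match(raw):
        raise ValueError(f"rejected: not a page name: {raw!r}")
    if raw not in allowed:
        raise ValueError(f"rejected: unknown page: {raw!r}")
    return raw


def include_template(page: str, base_dir: str = BASE_DIR) -> str:
    """Stand-in for include()/require(): returns the file it would load.

    The isinstance check is the 'sink refuses tainted data' half of the
    mechanism; the realpath containment check guards callers that build
    a path some other way.
    """
    if isinstance(page, Tainted):
        raise TypeError("include_template() called with unvalidated input")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([path, root]) != root:
        raise ValueError(f"rejected: {path!r} is outside {root!r}")
    return path


def handle_request(raw_page: str) -> tuple[str, str]:
    """Full request path: ('ok', resolved_path) or ('rejected', reason)."""
    param = request_param(raw_page)
    try:
        page = untaint_page(param)
        return ("ok", include_template(page))
    except (TypeError, ValueError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed inputs: one legitimate page name and several shaped like
    # the injected values the mail describes (traversal, remote URL,
    # shell metacharacters, a well-formed but unknown name).
    for raw in ["faq", "../../etc/passwd", "http://example.invalid/x",
                "faq;id", "admin"]:
        print(f"{raw!r:30} -> {handle_request(raw)}")
```

The two halves reinforce each other: the validator is where policy lives, and the sink's refusal of Tainted values makes it a type error, not a code-review finding, when someone later wires a parameter straight through.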

