Re: [Full-Disclosure] GOnicus System Administrator php injection

From: Melvyn Sopacua (msopacua@idg.nl)
Date: 02/24/03

    From: Melvyn Sopacua <msopacua@idg.nl>
    To: Karol Więsek <appelast@bsquad.sm.pl>
    Date: Mon, 24 Feb 2003 00:59:32 +0100 (CET)
    

    On Sun, 23 Feb 2003, Karol Więsek wrote:

    [snip background, exploit analysis and version info]

    Ki82Ws>>> Temporary solution is to enable apache .htaccess authentication
    Ki82Ws>>> in all subdirectories containing .php files, which are included, not
    Ki82Ws>>> accessed directly.
    Ki82Ws>>>
    Ki82Ws>>> Example .htaccess file
    Ki82Ws>>>
    Ki82Ws>>> AuthType Basic
    Ki82Ws>>> AuthName koza
    Ki82Ws>>> UserAuthFile /dev/null

    That would be: AuthUserFile /dev/null
    <http://httpd.apache.org/docs/mod/mod_auth.html#authuserfile>

    Ki82Ws>>> require valid-user

    Or perhaps:
    allow_url_fopen = Off in php.ini and restart apache.

    -- 
    With kind regards,
    Melvyn Sopacua
    <?php include("not_reflecting_employers_views.txt"); ?>
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
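The two mitigations discussed in the thread (keeping included-only .php files from being run when requested directly, and turning off allow_url_fopen so include() can never reach a remote resource) can also be enforced in the application itself, which protects a deployment where the .htaccess is dropped or AllowOverride AuthConfig is not set for that directory. The following is an added example, not code from the thread or from the GOnicus project; the file names, the MODULES allowlist and the APP_ENTRY constant are assumptions for illustration.

```php
<?php
// index.php (assumed front controller). Added example, not from the thread.
//
// Each file under lib/ that is meant only to be included should start with:
//
//     if (!defined('APP_ENTRY')) { http_response_code(403); exit('Direct access not permitted'); }
//
// so a direct request for lib/home.php stops before any code runs. This
// complements the .htaccess / AuthUserFile approach from the thread: it does
// not depend on the web server honouring per-directory auth directives.
define('APP_ENTRY', true);

// Requests name a key from this allowlist, never a file system path, so no
// user-supplied string (local path or http:// URL) ever reaches include().
$MODULES = [
    'home'  => __DIR__ . '/lib/home.php',
    'about' => __DIR__ . '/lib/about.php',
];

function resolve_module(array $modules, string $name): ?string
{
    if (!array_key_exists($name, $modules)) {
        return null;
    }
    // realpath() canonicalises symlinks and ../ so the final check is made on
    // the real location; it must still sit under lib/.
    $path = realpath($modules[$name]);
    $base = realpath(__DIR__ . '/lib');
    if ($path === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Runtime check mirroring allow_url_fopen = Off in php.ini: if the setting is
// on, includes could fetch remote files, so record it for the administrator.
function remote_fopen_enabled(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

if (remote_fopen_enabled()) {
    error_log('allow_url_fopen is enabled; set it to Off in php.ini and restart apache');
}

$page = $_GET['page'] ?? 'home';
$file = resolve_module($MODULES, (string) $page);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

The allowlist and realpath() prefix check are the part that removes the injection surface; the APP_ENTRY guard and the allow_url_fopen check are defence in depth in case the server-side configuration is ever relaxed.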