Re: Critical phpwiki c99shell exploit
- From: Gadi Evron <ge@xxxxxxxxxxxx>
- Date: Thu, 12 Apr 2007 11:50:19 -0500 (CDT)
On 12 Apr 2007 rurban@xxxxxxxx wrote:
Via the Phpwiki 1.3.x UpLoad feature some hackers from russia uploaded a php3 or php4 file,
install a backdoor at port 8081 and have access to your whole disc and overtake the server.
A url in the file is http://ccteam.ru/releases/c99shell
The uploaded file has a php, php3 or php4 extension and looks like a gif to the mime magic.
So apache usually accepts it.
To fix this phpwiki issue at first move the lib/plugin/UpLoad.php file out of this directory.
You can fix it by adding those two lines to your list of disallowed extensions:
php3
php4
Currently only "php" is disallowed.
This is a good best practice, but it doesn't hold water long
range. Further, where do you disallow these extensions? In the
application?
Mostly what the bad guys would do is upload, say.. .jpg, and then rename
it.
Gadi.
- Follow-Ups:
- Re: Critical phpwiki c99shell exploit
- From: Taneli Leppä
- RE: Critical phpwiki c99shell exploit
- From: Ryan Neufeld
- Re: Critical phpwiki c99shell exploit
- References:
- Critical phpwiki c99shell exploit
- From: rurban
- Critical phpwiki c99shell exploit
- Prev by Date: [security bulletin] HPSBGN02199 SSRT071312 rev.1 - Mercury Quality Center ActiveX, Remote Unauthorized Arbitrary Code Execution
- Next by Date: Re: Critical phpwiki c99shell exploit
- Previous by thread: Critical phpwiki c99shell exploit
- Next by thread: RE: Critical phpwiki c99shell exploit
- Index(es):
Relevant Pages
|
