Bugtraq mailing list archives
RE: Critical phpwiki c99shell exploit
From: "Ryan Neufeld" <it () magpowersystems com>
Date: Thu, 12 Apr 2007 12:50:50 -0700
On that note you might as well deny php5 too

--
Ryan Neufeld
IT Systems Manager
it () magpowersystems com
MagPower Systems Inc.
Ph: (640)940-3232
Fax: (640)940-3233

-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org]
Sent: Thursday, April 12, 2007 9:50 AM
To: rurban () x-ray at
Cc: bugtraq () securityfocus com
Subject: Re: Critical phpwiki c99shell exploit

On 12 Apr 2007 rurban () x-ray at wrote:
Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia uploaded a php3 or php4 file, install a backdoor at port 8081 and have access to your whole disc and overtake the server.

A url in the file is http://ccteam.ru/releases/c99shell

The uploaded file has a php, php3 or php4 extension and looks like a gif to the mime magic. So Apache usually accepts it.

To fix this phpwiki issue at first move the lib/plugin/UpLoad.php file out of this directory.

You can fix it by adding those two lines to your list of disallowed extensions:

php3
php4

Currently only "php" is disallowed.
This is a good best practice, but it doesn't hold water long range.

Further, where do you disallow these extensions? In the application? Mostly what the bad guys would do is upload, say.. .jpg, and then rename it.

Gadi.
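An added example, not part of the thread and not PhpWiki's code: one way to handle the upload check the messages above argue about, using an allowlist of extensions instead of a growing list of disallowed ones. The function name, the constant and the sample uploads are hypothetical, and PHP's fileinfo extension is assumed to be available.

```php
<?php
// Added illustration, not PhpWiki code; names and sample data are hypothetical.
declare(strict_types=1);

// Allowlist: the only extensions accepted, each with the MIME type required of its content.
const ALLOWED_UPLOADS = [
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

// Returns a server-generated storage name, or null when the upload is rejected.
function storage_name_for_upload(string $clientName, string $bytes): ?string
{
    // Only the final extension counts, compared case-insensitively.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        return null; // php, php3, php4 and php5 are refused without being listed
    }
    // Content sniffing is a second check only: a file can carry a GIF header
    // and still hold PHP, so a matching type does not prove the file is inert.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED_UPLOADS[$ext]) {
        return null;
    }
    // The client-supplied name never reaches the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: [client file name, file content].
$gifHeaderThenPhp = 'GIF89a' . "<?php echo 'constructed sample'; ?>";
$samples = [
    ['photo.gif',  $gifHeaderThenPhp],
    ['photo.php4', $gifHeaderThenPhp],
    ['photo.PHP5', $gifHeaderThenPhp],
    ['notes.jpg',  'plain text, not an image'],
];
foreach ($samples as [$name, $bytes]) {
    $stored = storage_name_for_upload($name, $bytes);
    printf("%-11s %s\n", $name, $stored ?? 'rejected');
}
```

Because a file with a valid image header can pass both checks and still contain PHP, accepted files belong in a directory where the web server hands nothing to the PHP interpreter.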