At 10:00 on Tue, 20 Jan 2004, Oliver Hitz wrote:
On 19 Jan 2004, Csan wrote:
The URL is part of a PostNuke site and they could start up the telnetd binary by invoking a URL similar to the above URL! Is this a known sechole?
I think you should be able to avoid such exploits by using PHP's safe mode. It allows you, among other things, to specify that only files in a particular directory may be executed. This way, even if someone succeeds in uploading an exploit onto your server, he won't be able to run it.
Safe mode would certainly have reduced the impact from that script, and I'd definitely recommend turning it on unless you're very confident of the quality of all your scripts.
However, some of the things in the exploit script were designed to let an attacker look at safe mode systems and possibly find another vulnerability. Certainly they'd have been able to get at any database/etc passwords used by the exploited website, possibly, depending on file system permissions, at most files belonging to the same user, even with safe mode on. This might then have let them find another way of attacking.
Encoding PHP files is a solution for this. I am using the turck-mmcache encoder. You can find it at http://turck-mmcache.sourceforge.net/ .
Gvre
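
The safe mode setup discussed in this thread, as an added php.ini example that is not part of any of the original messages. All paths are hypothetical placeholders, and the directives are those of the PHP 4 / PHP 5.3-and-earlier series (safe_mode was removed in PHP 5.4).

```ini
; Constructed php.ini fragment; every path below is a hypothetical placeholder.

; --- Weak: PHP defaults ---
; safe_mode = Off
; open_basedir =          (scripts can read any file the web server user can)
; disable_functions =     (exec(), system(), passthru() etc. all available)

; --- Hardened ---
safe_mode = On

; Only programs located in this directory can be started through exec(),
; system(), passthru() and friends. Keep it limited to vetted helpers and
; never point it at a directory the web server user can write to, otherwise
; an uploaded binary can simply be placed there.
safe_mode_exec_dir = /usr/local/php/safe-bin

; Keep the strict owner (UID) comparison for file access rather than the
; looser group (GID) comparison.
safe_mode_gid = Off

; Confine file functions to the site tree and its private temp directory.
; The trailing slash matters: without it the value is treated as a prefix
; and /var/www/example-site-other would match as well.
open_basedir = /var/www/example-site/:/var/tmp/php-example-site/
upload_tmp_dir = /var/tmp/php-example-site/

; Second layer in case safe mode is switched off for one virtual host.
disable_functions = exec,system,passthru,shell_exec,popen,proc_open

; What this does not change: configuration files inside the site tree, such
; as the one holding the database password, stay readable to any script that
; runs within that site, which is the limitation raised in the reply above.
```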

