James - this is an easily fixable issue. Please post on site and on list:

Issue - The SAM Broadcaster PHP website has a vulnerability which can allow an attacker to take control of the server hosting the website with the full privileges allowed to the service running the website. This is due to URLs being allowed to be passed to and processed by the db.php file. To remedy this, do one or both of the following to your site if you control it, or contact your hosting vendor to make the changes if you don't:
If enabled, allow_url_fopen allows PHP's file functions -- such as file_get_contents() and the include and require statements -- to retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. allow_url_fopen is on by default.

Recommendations

You should disable allow_url_fopen in the php.ini file:

Default is:

    allow_url_fopen = 'on'

Change to:

    ; Disable allow_url_fopen for security reasons
    allow_url_fopen = 'off'

The setting can also be disabled in apache's httpd.conf file:

    # Disable allow_url_fopen for security reasons
    php_flag allow_url_fopen off

The webserver will need to be restarted for either of these changes to take effect. For remote file access, consider using the cURL functions that PHP provides.

Citation: http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html

Roy Pait
Network Administrator
Marlborough School
250 S. Rossmore Ave
Los Angeles, CA 90004 USA

>>> "James Henline" <[email protected]> 1/9/2008 9:36 AM >>>
Please see the following news article for more information.
http://www.spacialaudio.com/news/index.html?newsID=151

It is highly advised to discontinue the use of the PHP website at this time to avoid this vulnerability. If you have access to the PHP.ini file, simply disabling register_globals should prevent this attack.

James Henline
Help Desk Manager
Development Manager
Spacial Audio Solutions LLC.
www.audiorealm.com
www.spacialnet.com
www.spacialaudio.com

CONFIDENTIALITY NOTICE: This email, including any attachments, contains information from SpacialAudio Solutions LLC., which may be confidential or privileged.
The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this email in error, please notify the sender immediately by "reply to sender only" message and destroy all electronic and hard copies of the communication, including attachments.

_______________________________________________
General-discussion mailing list
[email protected]
http://mailman.spacialaudio.com/mailman/listinfo/general-discussion
To unsubscribe from this list, simply send a blank email to [email protected] with the subject 'unsubscribe'
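The post's remedy is the php.ini change; the following is an added example, not code from the post or from SAM Broadcaster, of how a script in the position of db.php can refuse to run while allow_url_fopen is still on and pick the file it includes from a fixed allowlist instead of from a request-supplied URL. The page names, the pages/ directory and the helper names are assumptions, and allow_url_include is a PHP setting not mentioned in the post.

```php
<?php
// Added example, not code from the mailing-list post or from SAM Broadcaster:
// a hardened pattern for a script like db.php that picks a file to include
// from a request parameter. The page names and pages/ directory are made up.
declare(strict_types=1);

// Refuse to run while the setting the post warns about is still enabled;
// allow_url_include (PHP >= 5.2, not in the post) governs include/require.
function assertRemoteFileAccessDisabled(): void
{
    foreach (['allow_url_fopen', 'allow_url_include'] as $flag) {
        if (filter_var(ini_get($flag), FILTER_VALIDATE_BOOLEAN)) {
            error_log("security: $flag is enabled; disable it in php.ini");
            http_response_code(500);
            exit;
        }
    }
}

// Map an untrusted "page" value to a local file through a fixed allowlist.
// Anything not in the map (URLs, absolute paths, ../ sequences) yields null,
// so include() only ever sees a path this script chose itself.
function resolveInclude(string $requested): ?string
{
    static $allowed = [
        'nowplaying' => 'nowplaying.php',
        'history'    => 'history.php',
        'requests'   => 'requests.php',
    ];
    if (!isset($allowed[$requested])) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . $allowed[$requested]);
    // realpath() is false for missing files; the prefix check confirms the
    // resolved file really sits under the pages directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

assertRemoteFileAccessDisabled();
$file = resolveInclude((string) ($_GET['page'] ?? 'nowplaying'));
if ($file === null) {
    http_response_code(400);
    exit('Unknown page');
}
include $file;
```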
