#1 |
|
Confirmed User
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
|
Hi,
If you use scripts on your server that use httpd log file piping, CONTACT me immediately so I can explain to you how to prevent DISASTERS.

Hhhhhhmmm, OK Genius, but how do I know if I do?

Check your Apache virtual host configs and look for anything that looks like this:

CustomLog "|/usr/bin/php

or

CustomLog "|/usr/bin/perl

If you have this I suggest you contact me asap......this is MAJOR!

This is no joke, nor is it some kind of creative SPAM.
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho | |
|
|
|
|
|
#2 |
|
So Fucking Banned
Join Date: Oct 2002
Location: MaxCash.com
Posts: 12,745
|
I don't know if I do or not?
What would be the common scripts?
|
|
|
|
|
#3 |
|
Confirmed User
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
|
You can find it in your httpd.conf file and/or the Apache config files that you use which contain the virtualhost configs, for example /path/to/apache/config/vhost.conf or vhost.include.

On Debian this would be /etc/apache2/sites-available/filename. On servers that use control panel kind of software it's usually in /usr/home/username/conf or /usr/home/username/public_html/config.

Examples of scripts that use logfile piping are pennywize and/or other scripts that are supposed to prevent login/password theft/sharing/abuse.

But other monitoring scripts that read data from the webserver logs by method of logfile piping are also vulnerable.....

This concerns both PHP and Perl CGI scripts and there's no patch to prevent this as of now.....
|
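The check described in posts #1 and #3, as an added example that is not code from anyone in this thread: a POSIX shell function that reads an Apache config on stdin and reports every log directive that pipes into a program, marking the ones that pipe straight into an interpreter. It goes beyond the thread's `CustomLog` + php/perl case by also covering `ErrorLog`/`TransferLog` and a few other interpreters; the function names and the sample vhost are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage: audit_piped_logs < /path/to/vhost.conf
# Prints LINE:SEVERITY:PROGRAM for each piped log directive.
audit_piped_logs() {
    awk '
    /^[ \t]*#/ { next }                      # ignore commented-out directives
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        split(line, f, /[ \t]+/)
        d = tolower(f[1])                    # directive names are case-insensitive
        if (d != "customlog" && d != "errorlog" && d != "transferlog") next
        target = f[2]
        sub(/^"/, "", target)
        if (substr(target, 1, 1) != "|") next   # plain file target, not a pipe
        sub(/^[|]+[$]?/, "", target)         # strip the "|", "||" or "|$" prefix
        if (target == "") target = f[3]      # written as "| /usr/bin/php ..."
        gsub(/"/, "", target)
        sub(/.*\//, "", target)              # keep only the program name
        # php and perl are the cases named in the thread; the rest are an
        # added generalisation to other interpreters and shells.
        sev = (target ~ /^(php|perl|python|ruby|bash|sh)[0-9.]*$/) ? "INTERPRETER" : "PIPED"
        printf "%d:%s:%s\n", NR, sev, target
    }'
}

# Constructed sample vhost (not from the thread), used for the demo run below.
sample_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName example.test
    # CustomLog "|/usr/bin/php /opt/old/logwatch.php" combined
    CustomLog "|/usr/bin/php /opt/monitor/logwatch.php" combined
    CustomLog "| /usr/bin/perl /opt/monitor/watch.pl" common
    CustomLog "|/usr/bin/rotatelogs /var/log/apache2/access.%Y%m%d.log 86400" combined
    ErrorLog /var/log/apache2/error.log
</VirtualHost>
EOF
}

sample_vhost | audit_piped_logs
```

Lines reported as INTERPRETER are the ones to move off the pipe first; PIPED lines (such as rotatelogs) are listed so every piped program can be reviewed.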
|
|
|
|
#4 |
|
Now choke yourself!
Industry Role:
Join Date: Apr 2006
Posts: 12,085
|
Piping into any preprocessor that allows redirection is pretty bad. Piping directly into a language based preprocessor is much worse.
__________________
|
|
|
|
|
|
#5 |
|
Confirmed User
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
|
I'm about to head out and get some sleep, it's 1:30am on this side of the planet.

Please keep this thread on page 1, and anyone who contacts me, leave a message on ICQ and I'll get back to you asap....which will be in 10 hours or so from now......if you leave your contact info and a message I'll get back to every single one of you.......

Thanks, and make sure to check if you could be affected by this problem.

I won't publish proof of concept code for this exploit until there's a good solution for everybody affected to be used.....and enough time to do so ;-)

When there's a patch/solution I'll reveal proof of concept code to anyone who's interested......;-)
|
|
|
|
|
#6 |
|
Now choke yourself!
Industry Role:
Join Date: Apr 2006
Posts: 12,085
|
Patch & Solution: Don't be dumb.
If you have any scripts which actually pipe directly to PHP/Perl, a much better solution would be to utilize Apache's native rotatelogs and a daemon which reloads when truncated (rolled over), which feeds into the script, external of the Apache process, which runs as a secured/unprivileged uid. If you needed simpler than a daemon, this could even be as simple as 'tail -f'.
__________________
|
|
|
|
|
|
#7 |
|
Confirmed User
Join Date: Mar 2007
Posts: 1,252
|
|
|
|
|
|
#8 |
|
Confirmed User
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
|
bumperdirooh
|
|
|