SERIOUS SECURITY HOLE: Anyone who has scripts that use access.log piping MUST READ
Hi,
If you use scripts on your server that use httpd log file piping, CONTACT me immediately so I can explain to you how to prevent DISASTERS.

hhhhhhmmm OK Genius, but how do I know if I do?

Check your Apache virtual host configs and look if there's anything that looks like this:

CustomLog "|/usr/bin/php

or

CustomLog "|/usr/bin/perl

If you have this I suggest you contact me asap......this is MAJOR!

This is no joke and neither some kind of creative SPAM |
I don't know if I do or not?
What would be the common scripts? |
You can find it in your httpd.conf file and/or the Apache config files that you use which contain the virtualhost configs,
for example /path/to/apache/config/vhost.conf or vhost.include

On Debian this would be /etc/apache2/sites-available/filename

On servers that use control-panel kind of software it's usually in /usr/home/username/conf or /usr/home/username/public_html/config

Examples of scripts that use logfile piping are pennywize and/or other scripts that are supposed to prevent login/password theft/sharing/abuse.

But also other monitoring scripts that read data from the webserver logs by method of logfile piping are vulnerable.....

This concerns both PHP and Perl CGI scripts and there's no patch to prevent this as of now..... :thumbsup |
Piping into any preprocessor that allows redirection is pretty bad. Piping directly into a language based preprocessor is much worse.
|
I'm about to head out and get some sleep, it's 1:30am on this side of the planet.

Please keep this thread on page 1, and anyone who contacts me, leave a message on ICQ and I'll get back to you asap....which will be in 10 hours or so from now......if you leave your contact info and a message I'll get back to every single one of you.......

Thanks, and make sure to check if you could be affected by this problem.

I won't publish proof of concept code for this exploit until there's a good solution for everybody affected to be used.....and enough time to do so ;-)

When there's a patch/solution I'll reveal proof of concept code to anyone who's interested......;-) |
Patch & Solution: Don't be dumb.
If you have any scripts which actually pipe directly to PHP/Perl, a much better solution would be to utilize Apache's native rotatelogs and a daemon which reloads when truncated (rolled over), which feeds into the script, external of the Apache process, which runs as a secured/unprivileged uid. If you needed simpler than a daemon, this could even be as simple as 'tail -f'.. |
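The check asked for earlier in the thread (look for CustomLog lines piped into php or perl) can be automated. The following is an added example, not code posted by anyone in this thread; the sample vhost, its paths and the function name are constructed for illustration, and a rotatelogs pipe is deliberately not flagged.

```python
import re
import shlex
from pathlib import PurePosixPath

# Apache log directives that accept a "|program" target.
LOG_DIRECTIVES = {"customlog", "errorlog", "transferlog"}
# Interpreters named in the thread (php, perl), including versioned binaries.
INTERPRETER = re.compile(r"^(php|perl)[\w.\-]*$", re.IGNORECASE)

# Constructed sample vhost; every path here is made up for the example.
SAMPLE_VHOST = '''\
<VirtualHost *:80>
    ServerName example.test
    # CustomLog "|/usr/bin/perl /opt/old.pl" combined
    CustomLog "|/usr/bin/php /opt/scripts/logwatch.php" combined
    CustomLog "|/usr/bin/rotatelogs /var/log/apache2/access.log 86400" combined
    ErrorLog /var/log/apache2/error.log
    TransferLog "|$/usr/bin/perl5.36 /opt/scripts/monitor.pl"
</VirtualHost>
'''

def find_piped_interpreters(config_text):
    """Return (line_no, directive, command) for logs piped straight into php/perl."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        try:
            tokens = shlex.split(line)
        except ValueError:
            # Unbalanced quote: fall back to a crude split so the line is still checked.
            tokens = line.replace('"', " ").split()
        if len(tokens) < 2 or tokens[0].lower() not in LOG_DIRECTIVES:
            continue
        target = tokens[1]
        # "|cmd" pipes to a program; "|$cmd" and "||cmd" are prefix variants.
        command = target.lstrip("|$").strip()
        if not target.startswith("|") or not command:
            continue  # plain file target, nothing is executed
        program = PurePosixPath(command.split()[0]).name
        if INTERPRETER.match(program):
            findings.append((line_no, tokens[0], command))
    return findings

if __name__ == "__main__":
    for line_no, directive, command in find_piped_interpreters(SAMPLE_VHOST):
        print(f"line {line_no}: {directive} pipes to {command}")
```

Run it against the text of httpd.conf and each vhost file; Include directives are not followed, so every included file has to be passed in separately.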
|
bumperdirooh
|