Re: Critical phpwiki c99shell exploit

On 12 Apr 2007 13:14:14 -0000, rurban@xxxxxxxx <rurban@xxxxxxxx> wrote:
> Via the Phpwiki 1.3.x UpLoad feature some hackers from russia uploaded a php3 or php4 file,
> install a backdoor at port 8081 and have access to your whole disc and overtake the server.
>
> A url in the file is http://ccteam.ru/releases/c99shell
>
> The uploaded file has a php, php3 or php4 extension and looks like a gif to the mime magic.
> So apache usually accepts it.
>
> To fix this phpwiki issue at first move the lib/plugin/UpLoad.php file out of this directory.
>
> You can fix it by adding those two lines to your list of disallowed extensions:
>   php3
>   php4
> Currently only "php" is disallowed.
Some people also map .php5 - google for "AddType application/x-httpd-php5 .php5" and "AddType application/x-httpd-php .php5" - and goodness knows what else.

This would be much better re-written to use known safe extensions, or the admin needs to carefully compare the disallowed list against his/her httpd config.

(If there's anyone who doesn't know c99shell, it's sort of a helper app for doing things on servers - the kind of things you probably don't want done - and is often used in conjunction with remote file include attacks to execute shell commands. There's a screenshot in Appendix B at http://www.honeynet.org/papers/webapp/ . "Defacing Tool 2.0 by r3v3ng4ns" and r57shell are similar utilities you may have come across.)

cheers, Jamie

PS. I can't see where it checks if the file is a GIF, but it's not hard to fool some programs, and I don't like the idea of guessing file types based on contents. It's not safe.
== foo.php ==
GIF89a!^@"^@<?php
  echo "foo";
?>
===========

$ file foo.php
foo.php: GIF image data, version 89a, 33 x 34

The output of visiting http://localhost/foo.php under apache is 'GIF89a!�"� foo'.

-- 
Jamie Riden / jamesr@xxxxxxxxxx / jamie@xxxxxxxxxxxxxxxxx
Honeynet Project: http://www.ukhoneynet.org/
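The two points raised in the thread, that a denylist of script extensions is only as complete as the admin's httpd config and that a magic-number sniffer is happily fooled by a GIF header glued to PHP source, can be checked side by side. The following is an added example written for this archive page; it is not phpwiki's UpLoad plugin code and not Jamie's. The ALLOWLIST contents, the SAFE_NAME filename rule (one dot, simple characters) and the POLYGLOT sample bytes are assumptions constructed for the demonstration; the polyglot reproduces the shape of the foo.php shown above.

```python
import os
import re
import struct

# Constructed sample input: the same kind of GIF/PHP polyglot shown in the mail above.
# Bytes 6..9 are the GIF logical screen width/height: "!" = 0x21 = 33 and '"' = 0x22 = 34,
# each followed by a NUL high byte, which is why `file` reports "33 x 34".
POLYGLOT = b'GIF89a!\x00"\x00<?php\n  echo "foo";\n?>\n'

# The quoted mail says phpwiki disallowed only "php"; this models that denylist.
DENYLIST_ORIGINAL = {"php"}

# Assumed allowlist for an upload handler: extensions the admin knows the web server
# serves as static content. Anything not listed is rejected, so a .php5 mapping the
# admin forgot about cannot slip through.
ALLOWLIST = {"gif", "png", "jpg", "jpeg", "txt"}

# Assumed filename rule: one dot only, simple characters. Names like "foo.gif.php" or
# "foo.php.gif" are refused outright, so how httpd treats extra extensions never matters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$")


def extension(filename):
    """Final extension of the basename, lower-cased; '' if there is none."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def denylist_accepts(filename, denied=DENYLIST_ORIGINAL):
    """The pre-fix behaviour: accept unless the extension is explicitly denied."""
    return extension(filename) not in denied


def allowlist_accepts(filename, allowed=ALLOWLIST):
    """Accept only a well-formed basename whose single extension is on the allowlist."""
    match = SAFE_NAME.match(os.path.basename(filename))
    return match is not None and match.group(1).lower() in allowed


def gif_dimensions(data):
    """Mimic a magic-number sniffer: (width, height) if the header says GIF, else None."""
    if len(data) < 10 or not data.startswith((b"GIF87a", b"GIF89a")):
        return None
    width, height = struct.unpack("<HH", data[6:10])
    return width, height


def contains_php_open_tag(data):
    """True if a PHP opening tag appears anywhere in the content."""
    return b"<?php" in data or b"<?=" in data


if __name__ == "__main__":
    for name in ("shell.php", "shell.php3", "shell.php5", "pic.gif", "pic.gif.php"):
        print(f"{name:14} denylist={denylist_accepts(name)!s:5} allowlist={allowlist_accepts(name)}")
    # The sniffer reports a valid 33 x 34 GIF, yet the same bytes carry PHP code.
    print("sniffer says GIF:", gif_dimensions(POLYGLOT), "| has PHP tag:", contains_php_open_tag(POLYGLOT))
```

The denylist check accepts shell.php3 and shell.php5 exactly as the quoted report describes, while the allowlist rejects them without the admin having to enumerate every extension Apache maps to PHP. The sniffer half shows why "looks like a gif to the mime magic" is not a safety property: gif_dimensions returns (33, 34) for the polyglot, matching the `file` output above, and contains_php_open_tag is true for the same bytes. Content checks are useful for rejecting obviously wrong uploads, not for deciding that a file is harmless to serve.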
