Michael, thanks for the hint.

First thing I find a bit weird is that somebody files a security problem on a public site (secwatch.org) without notifying the software developer (i.e. me).

Second, the obvious suggestion for avoiding this security leak is to disable typical security holes of PHP in general: in my understanding this exploit can only work if in php.ini there is the setting

register_globals = On

and additionally

allow_url_fopen = On

Both settings have been known for ages as a high risk for code insertion. I cannot imagine that the exploit could work if one of these settings is disabled (set to 'Off'). Normally one should disable both. So the obvious suggestion is to disable both in your php.ini. Software should be programmed so that it does not need either of these settings set to 'On', at least not register_globals.

This security hole exists in practically all .phtml files since they use variables for inclusion paths. I can add checks to see if there has been an attempt to point the variable to a URL, but I would strongly encourage everybody to deactivate both settings anyway.

Armin

On Jan 9, 2008 9:45 AM, Pfeiffer Michael <[EMAIL PROTECTED]> wrote:
> Hi everybody,
>
> there seems to be a security gap in pmapper. For further information
> read this please: http://secwatch.org/advisories/1019622/
> Have any of you heard about this problem or maybe had this problem
> yourselves?
> Our server was corrupted by the IRC bot to send phishing mails this
> way.
>
> Are there any suggestions how to close this security gap and to avoid
> the resulting problems?
>
> Thanks in advance
>
> Kind regards
>
> Michael Pfeiffer
>
> Kanton Solothurn
> Bau- und Justizdepartement
> Amt für Geoinformation
> Rötistrasse 4
> 4501 Solothurn
> T: ++41 (0)32 627 6087
> Fax: ++41 (0)32 627 2214
> mailto:[EMAIL PROTECTED]
> http://www.agi.so.ch
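The check Armin mentions (refusing an include variable that has been pointed at a URL), together with confining the path to one directory, as an added example that is not pmapper's own code nor from either message; the base directory name and the `$config_path` variable are assumptions for illustration.

```php
<?php
// Added example (not pmapper code). With register_globals=On a request
// parameter can overwrite a variable such as $config_path, and with
// allow_url_fopen=On include() will then fetch whatever URL it holds.
// Disabling both in php.ini remains the first fix; this check is the
// defence the application can add regardless of php.ini.

// --- Vulnerable pattern the thread discusses ---
// $config_path is meant to come from a config file, but with
// register_globals=On it may come from the request instead.
// include($config_path . '/common.php');

// --- Hardened replacement ---
// Assumption: every includable file lives under this fixed base directory.
define('PMAPPER_INCLUDE_BASE', dirname(__FILE__) . '/incphp'); // hypothetical

/**
 * Resolve $relative inside PMAPPER_INCLUDE_BASE, or return false.
 * Rejects URL / stream-wrapper syntax and anything that resolves
 * outside the base directory (e.g. via "../").
 */
function safe_include_path($relative)
{
    // 1. Refuse anything with a scheme prefix: http://, ftp://, php://, data:, C:\ ...
    if (!is_string($relative) || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        return false;
    }
    // 2. Refuse empty values, absolute paths and NUL bytes
    if ($relative === '' || $relative[0] === '/' || strpos($relative, "\0") !== false) {
        return false;
    }
    // 3. Resolve on disk and confine to the base directory
    $base = realpath(PMAPPER_INCLUDE_BASE);
    $full = realpath(PMAPPER_INCLUDE_BASE . '/' . $relative);
    if ($base === false || $full === false) {
        return false;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return $full;
}

// Usage: treat the variable as untrusted, whatever its apparent origin.
$path = safe_include_path(isset($config_path) ? $config_path : 'common.php');
if ($path === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid include path');
}
include $path;
```

Because realpath() only returns a path for files that exist under the base directory, a value like `http://host/x` or `../../etc/passwd` is rejected before include() ever sees it.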