On 08/29/2010 11:42 AM, Nataraj wrote:
> I think running apache in a chroot environment might be one of the most
> effective protections. I used to do that in the past, but I found it
> too much work to maintain. Now there are things like mod_chroot and
> perhaps other tools, but I have no experi
On Sun, 29 Aug 2010, Nataraj wrote:
> I think running apache in a chroot environment might be one of the most
> effective protections. I used to do that in the past, but I found it
> too much work to maintain. Now there are things like mod_chroot and
> perhaps other tools, but I have no experien
Gordon Messmer wrote:
> On 08/29/2010 05:51 AM, Stephen Harris wrote:
>
>> There's nothing special about /proc/$$/environ. All the variables in there
>> are already available to the process. eg
>>
>
> Yes, and the shell could even be made to do as you wanted if you could
> convince a scr
On 08/29/2010 05:51 AM, Stephen Harris wrote:
> There's nothing special about /proc/$$/environ. All the variables in there
> are already available to the process. eg
Yes, and the shell could even be made to do as you wanted if you could
convince a script to "source /proc/$$/environ". You don't
On Sun, Aug 29, 2010 at 12:45:53AM -0700, Gordon Messmer wrote:
> On 08/28/2010 05:30 AM, Stephen Harris wrote:
> > In general it's not just PHP; it could be perl, script.. anything
> > eg this extremely bad and broken CGI program:
>
> That's true, but /proc/environ isn't in a format that's valid
On 08/28/2010 05:30 AM, Stephen Harris wrote:
> In general it's not just PHP; it could be perl, script.. anything
> eg this extremely bad and broken CGI program:
That's true, but /proc/environ isn't in a format that's valid for most
languages. If a PHP script can be made to include /proc/environ
On Sat, 28 Aug 2010, Bob McConnell wrote:
> To: CentOS mailing list
> From: Bob McConnell
> Subject: Re: [CentOS] Strange Apache log entry
>
> The best way to attack this problem is to take a close look at the known
> issues and make sure your code doesn't expos
Emmanuel Noobadmin wrote:
> On 8/24/10, Keith Roberts wrote:
>> So bolting down PHP really tight should address these hacks?
>
> As others have mentioned, this is trying to take advantage of a poorly
> written PHP script that doesn't sanitize/check the input before using.
> However, you could pos
On Sat, Aug 28, 2010 at 12:08:49PM +0800, Emmanuel Noobadmin wrote:
> On 8/24/10, Keith Roberts wrote:
> > So bolting down PHP really tight should address these hacks?
>
> As others have mentioned, this is trying to take advantage of a poorly
> written PHP script that doesn't sanitize/check the i
On 08/27/2010 09:08 PM, Emmanuel Noobadmin wrote:
> However, you could possibly lock down PHP further to reduce the
> possibility of such apps working by using the disabled_function
> setting to disable the riskier functions which allow
> shell/command/file operations. Of course depending on how ag
Just to add on, if your server is hosting multiple domains for clients
so you can't just do a blanket function disable, you should look into
suhosin to do per domain function blacklist.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mai
On 8/24/10, Keith Roberts wrote:
> So bolting down PHP really tight should address these hacks?
As others have mentioned, this is trying to take advantage of a poorly
written PHP script that doesn't sanitize/check the input before using.
However, you could possibly lock down PHP further to reduce
On 08/26/2010 03:29 AM, Keith Roberts wrote:
> register_globals is supposed to be off by default - so that
> should stop any global variables being injected.
Doesn't matter. The vulnerability discussed is one where a PHP
application actually takes the name of a file as input from the client.
On Wed, 25 Aug 2010, Gordon Messmer wrote:
> To: CentOS mailing list
> From: Gordon Messmer
> Subject: Re: [CentOS] Strange Apache log entry
>
> On 08/24/2010 04:25 AM, Keith Roberts wrote:
>>
>> So bolting down PHP really tight should address these hacks?
>
>
On 08/24/2010 04:25 AM, Keith Roberts wrote:
>
> So bolting down PHP really tight should address these hacks?
No. This vulnerability would be in a PHP application. I don't believe
you could configure PHP in such a way that this would no longer be a
problem.
On Sun, 22 Aug 2010, Gordon Messmer wrote:
> To: CentOS mailing list
> From: Gordon Messmer
> Subject: Re: [CentOS] Strange Apache log entry
>
> On 08/22/2010 03:05 PM, Gilbert Sebenste wrote:
>> Thanks. They got a 404 error with me, obviously...but I wanted to make
>>
On Sun, 22 Aug 2010, Gordon Messmer wrote:
> No, they didn't. That's why you were warned that it was a potentially
> successful probe.
>
> The exploit requires that you are running php and have a script that
> includes a file referenced by the global variable "g" (or maybe the http
> request vari
On 08/22/2010 03:05 PM, Gilbert Sebenste wrote:
> Thanks. They got a 404 error with me, obviously...but I wanted to make
> sure it was nothing more than that.
No, they didn't. That's why you were warned that it was a potentially
successful probe.
The exploit requires that you are running php an
On 22 August 2010 23:05, Gilbert Sebenste wrote:
> Thanks. They got a 404 error with me, obviously...but I wanted to make
> sure it was nothing more than that.
Are you sure? Your earlier posting had 200, not 404.
--
Hakan (m1fcj) - http://www.hititgunesi.org
__
On Sun, 22 Aug 2010, Keith Roberts wrote:
> On my Fedora 12 server, searching for 'proc/self/environ' I
> found the following in my apache log files:
>
> www.php-debuggers.net 66.179.32.5 - - [21/Aug/2010:18:56:10
> +0100] "GET /file.php?file
> []=../../../../../../../../../../../../../../../proc/
On Sun, 22 Aug 2010, Gilbert Sebenste wrote:
> To: centos@centos.org
> From: Gilbert Sebenste
> Subject: [CentOS] Strange Apache log entry
>
> Hey everyone,
>
> Logwatch flagged something in my Apache logs, and it says it was a
> possible successful probe. H
2010/8/22 Gilbert Sebenste:
> Hey everyone,
>
> Logwatch flagged something in my Apache logs, and it says it was a
> possible successful probe. Hmmm. Here's what it says:
>
> - httpd Begin
>
> A total of 1 sites probed the server
> 66.249.137.70
>
Hey everyone,
Logwatch flagged something in my Apache logs, and it says it was a
possible successful probe. Hmmm. Here's what it says:
- httpd Begin
A total of 1 sites probed the server
66.249.137.70
A total of 2 possible successful probe