Geeklog The Ultimate Weblog System
Welcome to Geeklog
Thursday, May 15 2008 @ 11:21 PM EDT
Oops - got owned

Security

Just a note of warning - someone hacked an old site of mine that was inactive - but in a subdirectory and subdomain. I had forgotten about the site - and they uploaded an image that wasn't an image - and it gave them shell access, which gave them much more than control of the subdomain. Just a warning to all - this is an easy exploit - the code was minimal, and any old or test sites you have lying about need to have the ability to upload pics curtailed ASAP.

Stupid stupid me. I was "owned" for about 12 hours and I'm still assessing the damage.

Oops - got owned | 3 comments
Oops - got owned
Authored by: Anonymous on Thursday, June 05 2003 @ 02:08 PM EDT
Yes, scripts must actually determine if it's a real pic or not. It is quite easy to write a script with
GIF97 in the first line that is actually a phpshell type of script. Better still, define a non-webroot folder for uploads (way better), then run a php-pic-grabbing script locally to pull from that folder, ensuring that only real images are pulled up and displayed.

morning_wood
http://exploitlabs.com
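The pattern morning_wood describes, written out as an added example (this is not Geeklog code and not code from the original post): a file whose first bytes are a GIF signature (the real signatures are GIF87a and GIF89a) followed by PHP passes any "starts with GIF" check, and if the upload handler drops it under the web root with the client's filename, requesting it runs the payload. The handler below assumes a hypothetical upload directory outside the document root, rejects anything GD cannot decode, re-encodes the pixels so that script bytes hidden in comment blocks or after the image data do not survive, stores the result under a server-chosen name, and only ever returns it through a serving script that sets the content type itself.

```php
<?php
declare(strict_types=1);

// Added example, not Geeklog's own upload code.
// Assumption: UPLOAD_DIR is NOT under the document root, so nothing in it
// can be requested (or executed) by URL; serve_image() is the only way out.
const UPLOAD_DIR = '/var/www/uploads-private';
const MAX_BYTES  = 2 * 1024 * 1024;

// The vulnerable pattern this replaces looks like:
//   move_uploaded_file($_FILES['pic']['tmp_name'], 'images/' . $_FILES['pic']['name']);
// With an upload named shell.php whose content starts with the bytes
//   GIF89a<?php system($_GET['c']); ?>
// a "does it start with GIF?" check passes, and GET /images/shell.php?c=id
// executes the payload with the web server's privileges.

// Validate and re-encode; returns the stored name, or null if rejected.
function accept_image(string $tmpPath): ?string
{
    if (filesize($tmpPath) > MAX_BYTES) {
        return null;
    }

    // getimagesize() only parses the header, so on its own it still accepts
    // the polyglot above. It is used here just to pick the output format.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }

    // Full decode through GD. A header-only polyglot fails here, and a real
    // image carrying PHP in a comment block or after the trailer is decoded
    // to pixels only.
    $im = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($im === false) {
        return null;
    }

    // Server-chosen name and extension; the client's filename is never used.
    $ext  = $allowed[$info[2]];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    // Re-encoding writes a fresh file from the decoded pixels, so whatever
    // trailed or was embedded in the upload is gone.
    $ok = match ($ext) {
        'gif' => imagegif($im, $dest),
        'jpg' => imagejpeg($im, $dest, 90),
        'png' => imagepng($im, $dest),
    };
    imagedestroy($im);

    return $ok ? $name : null;
}

// The "php-pic-grabbing script": serve.php?id=<32 hex chars>.<ext>
// Reads from the private directory and states the content type itself, so
// the browser never sniffs and the web server never executes.
function serve_image(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(gif|jpg|png)$/', $id)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'png' => 'image/png'];
    header('Content-Type: ' . $mime[substr($id, -3)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $id . '"');
    readfile($path);
}

// Upload entry point (field name "pic" is an assumption of this example).
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_FILES['pic'])
    && $_FILES['pic']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['pic']['tmp_name'])) {
    $stored = accept_image($_FILES['pic']['tmp_name']);
    echo $stored === null ? 'rejected' : 'stored as ' . htmlspecialchars($stored);
} elseif (isset($_GET['id'])) {
    serve_image((string) $_GET['id']);
}
```

Two caveats worth knowing before copying this: re-encoding through GD discards animation frames and all metadata, which is the point but may not suit every site; and the private directory must really be outside the document root, because a server that maps `.php` (or, on some Apache setups, `.gif.php`) to the interpreter will happily execute anything it can reach by URL no matter how carefully the bytes were checked.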
Oops - got owned
Authored by: Anonymous on Tuesday, August 05 2003 @ 05:14 AM EDT
Can you please let us know which version of GL you were using? I had the impression that the 1.3.7sr2 update fixed this problem?

Can someone in the know please tell us if 1.3.7sr2 is secure or should we still remove photo option on config.php?

Thank you.
Oops - got owned
Authored by: Dirk on Tuesday, August 05 2003 @ 06:08 AM EDT
1.3.7sr2 is secure - in the sense that it fixes all known problems (including those with the image upload).

There may of course be other issues, introduced by third-party applications (e.g. certain versions of Gallery had security issues).

bye, Dirk