Geeklog The Ultimate Weblog System

affix ownz u

Security

Hey folks. A number of my sites got hit on Friday with 'affix ownz u' - someone was able to replace my index.php with this text. It seems this is a vulnerability in PHP, so I upgraded.

Anyway, the new PHP seems secure, but breaks Geeklog. My plugins broke but I was able to fix them mostly with some quick coding. But now parts of base GL are broken. Basically anything that reads vars from the query string directly without the following GL functions:

COM_setArgNames(array('VarName1','VarName2'));
$VarName1 = COM_getArgument('VarName1');
$VarName2 = COM_getArgument('VarName2');

I found that staticpages works fine since it uses this, but the story editor does not, nor does 'article.php'. I can easily fix these myself but before I do, I wanted to know if fixes are planned. Also, what other parts of GL are affected?

thanks,
-Alan

affix ownz u
Authored by: Dirk on Sunday, June 08 2003 @ 02:45 PM EDT
You have register_globals=off (that's the default in PHP since 4.2.0).

bye, Dirk
affix ownz u
Authored by: amckay on Sunday, June 08 2003 @ 02:50 PM EDT
My php.ini has this in it as always. But I will check to ensure that the new php I installed is reading it from the same place. I always keep it in /etc/php.ini, and just now created a link to /usr/local/etc/php.ini and restarted apache, and that did not fix the problem.

max_execution_time=300
register_globals=on
upload_tmp_dir=/tmp
session.save_path=/tmp

I'll keep you posted ...
affix ownz u
Authored by: amckay on Sunday, June 08 2003 @ 03:25 PM EDT
Well, I found out that it goes in /usr/local/lib/php.ini, but that still did not work. So I took the php.ini-recommended from the distribution and turned register_globals on, and also set upload_tmp_dir=/tmp as per my usual file. Not sure what else in that default file is required to make this work, but it does seem as though it is more than just register_globals.

Of course, will turning register_globals on mean that my site is vulnerable to this cracker again? Any idea?
affix ownz u
Authored by: Dirk on Sunday, June 08 2003 @ 03:45 PM EDT
Make sure you're editing the correct copy of php.ini - if in doubt, upload a file with only <?php phpinfo() ?> in it and check where it expects to find the php.ini. Also, don't forget to restart your webserver when you're making any changes.

You didn't mention any version numbers (neither the old nor the new version of PHP you're running), but I can assure you that Geeklog is running just fine with the current PHP 4.3.2 release (when you set register_globals=on, of course).

The register_globals setting has nothing to do with vulnerabilities. There was an upload vulnerability in some really old versions of PHP (before 4.1.2, IIRC). Apart from the issues that have been fixed with Geeklog 1.3.7sr2, there are also reports of vulnerabilities in some versions of Gallery (if you're using that), so make sure you really update all the components of your site ...

bye, Dirk
affix ownz u
Authored by: Anonymous on Sunday, June 08 2003 @ 04:11 PM EDT
Thanks Dirk. I always keep http://www.alanmckay.com/phpinfo.php so I can check my version any time I like, but I totally forgot that it tells me where it expects to find php.ini! I saved a copy of the output before my upgrade, and I see it was 4.3.0 and GL worked just fine with the short php.ini file I posted. Now I'm running 4.3.2 with noted problems.

But all is fine now as mentioned, once I used the php.ini-recommended and turned globals on. As for Gallery, I do run it on a few sites, but some of the ones that got hit were not running it. I recently tried the Geekary and like it better anyway, so now I have to begin a very painful migration ;-)
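
Added example, not part of the thread and not Geeklog code: a sketch of why a page that uses query-string variables directly stops working with register_globals=off, next to explicit argument reading that behaves the same under either setting. The helper names, the parameter names and the query string are constructed for illustration, and extract() stands in for register_globals so the script also runs on PHP versions that no longer have the setting.

```php
<?php
// Added example; helper names and sample values are constructed, not Geeklog's.

// A page body that uses $story and $is_admin without ever assigning them.
// With register_globals=on, PHP created such variables from the request
// before the script ran; extract() emulates that here. EXTR_SKIP keeps the
// function's own parameters from being overwritten by the emulation.
function page_relying_on_globals($query, $registerGlobals)
{
    if ($registerGlobals) {
        extract($query, EXTR_SKIP);
    }
    return array(
        'story'    => isset($story) ? $story : null,
        'is_admin' => isset($is_admin) ? $is_admin : null,
    );
}

// Explicit reading: only names listed in $spec are taken from the request,
// and each value must be a string matching the anchored pattern for it.
function read_args($query, $spec)
{
    $args = array();
    foreach ($spec as $name => $pattern) {
        $ok = isset($query[$name]) && is_string($query[$name])
            && preg_match($pattern, $query[$name]) === 1;
        $args[$name] = $ok ? $query[$name] : null;
    }
    return $args;
}

// Constructed query string: one parameter the page expects and one it never
// declared. With the setting on, both become variables in the page.
parse_str('story=20030608144500123&is_admin=1', $query);

// Same page, setting off and then on.
var_dump(page_relying_on_globals($query, false));
var_dump(page_relying_on_globals($query, true));

// Declared argument only; undeclared request names are ignored.
var_dump(read_args($query, array('story' => '/\A[A-Za-z0-9_-]{1,40}\z/')));
```

Run it with the PHP command-line binary and compare the three dumps: the first two differ only in the emulated setting, while the third depends only on the declared argument list.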