OT, but related -- WAS: [Mailwatch-users] Active Probes heads up

Jason Voorhees jvoorhees1 at gmail.com
Fri Feb 27 18:13:23 GMT 2009


Hi:

On Fri, Feb 27, 2009 at 12:31 PM, dnsadmin 1bigthink.com
<dnsadmin at 1bigthink.com> wrote:
> Hello All,
>
> Related, but not MailScanner -- from the MailWatch list group:
>
> Hi,
>
> I have noticed lots of web probes for...
>
> /mailwatch/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
> /mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
> /mailwatch-1.0.4/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
> /docs.php?doc=../../../../../../../etc/passwd%00
>
> ...across a few dozen of our servers last night.  They were tied in with the
> usual web application attacks so I get the feeling these signatures have been
> added to some script kiddie point and click hacking tool.
>
> If you haven't already removed / patched doc.php, now would be the time!
>
>
> For those of you unaware of this vulnerability it basically allows you to
> read any file on the server:
>

Thanks for sharing your post here. According to the link the exploit
only works when magic_gpc_quotes is Off in php.ini.

Fortunately, I always have that setting set to On, and use "Allow from"
certain IP addresses only in the Apache configuration when not being
paranoid; almost all the time I block mailwatch access from Apache to
anyone who isn't connected through VPN.

Does anybody here have the patch code?
> http://secunia.com/Advisories/31994/
>
> Regards
>
> Ian
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
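
One way to look for the probes quoted above in Apache access logs, as an added example that is not part of the original thread: it flags requests to docs.php whose doc parameter carries a traversal sequence or a NUL byte. The log format (Apache common/combined), the function names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client address, request target and status of an Apache common/combined log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def probe_reasons(target):
    """Return why a request target looks like the docs.php probe (empty list if not)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/docs.php"):
        return []
    reasons = []
    # parse_qsl percent-decodes the value, so %00 becomes a real NUL character here.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name != "doc":
            continue
        if ".." in value.replace("\\", "/").split("/"):
            reasons.append("path traversal in doc")
        if "\x00" in value:
            reasons.append("NUL byte in doc")
    return reasons

def scan(lines):
    """Return (ip, status, target, reasons) for every log line that carries the probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = probe_reasons(m["target"])
        if reasons:
            hits.append((m["ip"], int(m["status"]), m["target"], reasons))
    return hits

# Constructed sample lines (documentation-range addresses, invented times and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Feb/2009:03:12:01 +0000] "GET /mailwatch/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 HTTP/1.1" 404 209',
    '192.0.2.10 - - [27/Feb/2009:09:30:44 +0000] "GET /mailscanner/docs.php?doc=readme HTTP/1.1" 200 5120',
    '198.51.100.23 - - [27/Feb/2009:03:14:09 +0000] "GET /mailwatch-1.0.4/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00 HTTP/1.0" 200 1873',
    '192.0.2.10 - - [27/Feb/2009:09:31:02 +0000] "GET /index.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for ip, status, target, reasons in scan(SAMPLE_LOG):
        # Triage heuristic: a 200 means the script exists and answered, so check that host first.
        flag = "CHECK HOST" if status == 200 else "probe only"
        print(f"{flag:10} {ip:15} {status} {target} ({', '.join(reasons)})")
```
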

