OT, but related -- WAS: [Mailwatch-users] Active Probes heads up

Ken A ka at pacific.net
Fri Feb 27 18:42:08 GMT 2009


Jason Voorhees wrote:
> Hi:
> 
> On Fri, Feb 27, 2009 at 12:31 PM, dnsadmin 1bigthink.com
> <dnsadmin at 1bigthink.com> wrote:
>> Hello All,
>>
>> Related, but not MailScanner -- from the MailWatch list group:
>>
>> Hi,
>>
>> I have noticed lots of web probes for...
>>
>> /mailwatch/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
>> /mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
>> /mailwatch-1.0.4/mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
>> /docs.php?doc=../../../../../../../etc/passwd%00
>>

fwiw, it's not a great idea to name web application files doc(s).php or 
other common names... calendar, page, file, etc.
Google will index them, making them magnetic to poorly written, 
index-searching hacker tools. :-(

>> ...across a few dozen of our servers last night.  They were tied in with the
>> usual web application attacks so I get the feeling these signatures have been
>> added to some script kiddie point and click hacking tool.
>>
>> If you haven't already removed / patched doc.php, now would be the time!
>>
>>
>> For those of you unaware of this vulnerability it basically allows you to
>> read any file on the server:
>>
> 
> Thanks for sharing your post here. According to the link the exploit
> only works when magic_gpc_quotes is Off in php.ini.
> 

I think that setting is being removed from PHP v6 because it doesn't 
work as expected - problems with SQL injection, iirc..
Ken


> Fortunately, I always have that setting ON, and use "Allow from"
> certain IP addresses only from the Apache configuration when not being
> paranoid; almost all the time I block mailwatch access from Apache to
> anyone who isn't connected through VPN.
> 
> Does anybody here have the patch code?
>> http://secunia.com/Advisories/31994/
>>
>> Regards
>>
>> Ian


-- 
Ken Anderson
Pacific Internet - http://www.pacific.net
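One way to close the hole the thread describes, as an added example rather than MailWatch's own patch: a docs.php-style handler that whitelists the `doc` name and confirms the resolved path stays inside the documents directory, so neither `../` traversal nor a `%00` truncation can reach `/etc/passwd`, regardless of the magic_quotes_gpc setting. `DOCS_DIR`, `safe_doc_path()` and the allowed-name pattern are assumptions.

```php
<?php
// Added example (not MailWatch's own code): hardened lookup for
// docs.php?doc=<name>. Assumes every servable document lives in DOCS_DIR.
declare(strict_types=1);

const DOCS_DIR = __DIR__ . '/docs';   // assumption: the only allowed directory

/**
 * Resolve a user-supplied document name to a safe absolute path, or return
 * null if the request must be refused. The checks do not depend on
 * magic_quotes_gpc (which only escapes the NUL byte rather than rejecting it).
 */
function safe_doc_path(string $doc): ?string
{
    // Whitelist: letters, digits, dot, underscore, dash. This rejects "\0",
    // "/", "\\" and URL-decoded "%00" before any filesystem call is made.
    if ($doc === '' || !preg_match('/^[A-Za-z0-9_.-]+$/', $doc)) {
        return null;
    }
    // "." and ".." match the pattern above but are not document names.
    if (trim($doc, '.') === '') {
        return null;
    }
    $base = realpath(DOCS_DIR);
    $path = realpath(DOCS_DIR . DIRECTORY_SEPARATOR . $doc);
    if ($base === false || $path === false) {
        return null;                     // directory or file does not exist
    }
    // realpath() follows symlinks, so a planted link to /etc/passwd would
    // resolve outside $base and fail this prefix check.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

$doc  = (string)($_GET['doc'] ?? '');
$path = safe_doc_path($doc);
if ($path === null) {
    http_response_code(404);
    exit('No such document');
}
header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```

With this in place the probe strings quoted in the thread (`../../../../../../../etc/passwd%00`) fail the whitelist and return 404, which is also an easy line to alert on in the web server log.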

