OT, but related -- WAS: [Mailwatch-users] Active Probes heads up

Rick Cooper rcooper at dwford.com
Fri Feb 27 20:17:42 GMT 2009


 

 > -----Original Message-----
 > From: mailscanner-bounces at lists.mailscanner.info 
 > [mailto:mailscanner-bounces at lists.mailscanner.info] On 
 > Behalf Of dnsadmin 1bigthink.com
 > Sent: Friday, February 27, 2009 12:32 PM
 > To: MailScanner mailing list
 > Subject: OT, but related -- WAS: [Mailwatch-users] Active 
 > Probes heads up
 > 
 > Hello All,
 > 
 > Related, but not MailScanner -- from the MailWatch list group:
 > 
 > Hi,
 > 
 > I have noticed lots of web probes for...
 > 
 > /mailwatch/mailscanner/docs.php?doc=../../../../../../../etc/
 > passwd%00
 > /mailscanner/docs.php?doc=../../../../../../../etc/passwd%00
 > /mailwatch-1.0.4/mailscanner/docs.php?doc=../../../../../../.
 > ./etc/passwd%00
 > /docs.php?doc=../../../../../../../etc/passwd%00
 > 
 > ...across a few dozen of our servers last night.  They were tied in 
 > with the usual web
 > application attacks so I get the feeling these signatures have been 
 > added to some script
 > kiddie point and click hacking tool.
 > 
 > If you haven't already removed / patched doc.php, now would 
 > be the time!
 > 
 > 
 > For those of you unaware of this vulnerability it basically allows 
 > you to read any file on the
 > server:

It's a moot point here as you have to be a valid user with name and password
to access mailwatch and swatch is setup to watch all the apache logs for
various strings such as etc/password and I would get an email within seconds
of an internal user attempting access to, among others, that file, or for
that matter ../../ 

But for safety's sake if you change the top part of docs.php to

 $ThisDoc = '';
if (isset($_GET[doc])) {
	$ThisDoc = preg_replace('/^(\.\.\/|\0){1,}/','',$_GET[doc]).".html";
	if( !is_file($ThisDoc) ){
		header("HTTP/1.0 404 Not Found",FALSE);
		exit;
	}
}
require("./functions.php");
html_start("Documentation");

if ( $ThisDoc != "" ) {
 include("docs/$ThisDoc");

[...]

That will remove any attempt to use a reletive path to get outside the site
dir, and remove any NULLs to attempt to get around the .html. It then checks
to see if the file is valid and sends a 404 if it's not. And you will still
see the ../../ junk in the apache logs just incase you look for those things

Just my two cents

Rick


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




More information about the MailScanner mailing list