Impressive analysis of gallery exploit
Dec. 10th, 2003 02:12 pm

This is interesting - the initial entry point seems to be a poorly initialised variable in the gallery/geeklog libs or something, but from there on things get incredibly complex. The end result is the compromised machine (which was only running Apache) being used as a spam-sending box.
http://www.securityfocus.com/guest/24043
(no subject)
Date: 2003-12-10 06:39 am (UTC)

(no subject)
Date: 2003-12-10 08:05 am (UTC)

The first is generally good practice, and the default for newer PHP installs. The second is also good practice, but easy to account for - it's just that this particular sploit script didn't.
The third is possibly overkill and I have no idea whether the gallery and geeklog packages need some of the functions it disables. They probably shouldn't. But it would definitely have stopped the script running random system commands. Then again they could have implemented the whole daemon in PHP which ought to have worked (and I can think of ways to get round any script execution time limit they might have imposed.)
The fourth I think is a highly dangerous feature anyway. You at least ought to be able to set limits on what destinations are permitted, and what functions use the fopen wrappers.
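As an added illustration (not from the post, the linked SecurityFocus analysis, or the gallery/geeklog projects), here is what the commenter's third and fourth points look like as php.ini directives, with the permissive default beside the hardened setting. The page does not say which settings the first and second points refer to, so only the function-disabling and fopen-wrapper directives are shown; the function list is a constructed sample and should be checked against what the installed applications actually call.

```ini
; Added example, not from the original thread. Both directives are real
; php.ini settings; the function list is a constructed sample.

; --- permissive configuration (PHP's defaults at the time) ---
; disable_functions =
; allow_url_fopen = On

; --- hardened configuration ---
; Functions that pass a string to a shell or spawn a process. A web-app
; script that runs arbitrary system commands needs at least one of these,
; so disabling them is the "third" measure the comment describes.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen

; Stop fopen()/include() and friends from fetching http:// or ftp:// URLs,
; so an injected include path or filename cannot pull code from elsewhere.
; This is the "fourth" measure; it is all-or-nothing, which is the
; limitation the commenter complains about.
allow_url_fopen = Off
```

After changing php.ini, restart Apache and confirm with `php -i | grep -E 'disable_functions|allow_url_fopen'` that the running interpreter picked up the values; a common mistake is editing the CLI php.ini rather than the one the Apache module reads.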