[Security Patch] Sorry, I don't have time to mess around right now...

**Vin DSL** · 05-27-2006, 09:16 PM

... I need to get back to work (call back)...

However, doing a little playing around, the last hour or so, I noticed a serious security problem on 'my' server -- Platinum. This is especially critical if you allow ANY uploading to your web site!

I don't have time to get into it now, and I'm NOT inclined to get into it anyway, considering the brow-beating I got the last time I mentioned a vuln here -- but if you're smart, you should add this to your '.htaccess' file ASAP:

Code:

# Make sure Apache is reporting these MIME types correctly.
AddType application/x-compress          .Z
AddType application/x-gzip              .gz .tgz
AddType application/x-rar-compressed    .rar
AddType application/x-tar               .tgz

Read between the lines, for now...

Latez!

**Vin DSL** · 05-28-2006, 07:17 PM

Heh! Sorry about that! I've been busy upgrading my SquirrelMail install today, and forgot about this...

Okay, to see if 'your' server is vulnerable to this (ahem) unspecified attack, try the following...

Create a plain text file containing the following code:

PHP Code:


<?php print 'Oops!  This server is vulnerable to attack!'; ?>

Save and rename it to vuln.php.rar, then upload it somewhere on 'your' server.

Then, run it in your browser by entering the URL in the browser's addy bar.

If the page shows the message:

Oops! This server is vulnerable to attack!

..you should be alarmed!

If it returns garbled text, or just asks you to download the file, then 'your' web server is probably configured okay and you're not vulnerable. Otherwise, use the fix above...

I added those extra MIMEs just to play it safe -- and there are others that need to be addressed -- but that should fix the immediate unspecified problem...

**Julian Muñoz** · 05-29-2006, 10:13 PM

I'm not using apache but I tried what you posted anyway.... everything seems alright

**Vin DSL** · 05-30-2006, 12:50 AM

Originally Posted by Julian Muñoz

I'm not using apache but I tried what you posted anyway.... everything seems alright

Heh! Good man!

Yes, this is an Apache 'problem'... actually a Apache/PHP problem, but we'll let Ron figure that out... if he's smart enough.

Maybe he can supply Jag with some more POCs...

**jbp2003** · 06-02-2006, 07:14 PM

Originally Posted by Vin DSL

Heh! Sorry about that! I've been busy upgrading my SquirrelMail install today, and forgot about this...

Okay, to see if 'your' server is vulnerable to this (ahem) unspecified attack, try the following...

Create a plain text file containing the following code:

PHP Code:


<?php print 'Oops!  This server is vulnerable to attack!'; ?>

Save and rename it to vuln.php.rar, then upload it somewhere on 'your' server.

Then, run it in your browser by entering the URL in the browser's addy bar.

If the page shows the message:
..you should be alarmed!

If it returns garbled text, or just asks you to download the file, then 'your' web server is probably configured okay and you're not vulnerable. Otherwise, use the fix above...

I added those extra MIMEs just to play it safe -- and there are others that need to be addressed -- but that should fix the immediate unspecified problem...

Thanks Vin.
I tried it on MY server (he-he) and I got the "alarming" message. Added your suggestions to the .htaccess and now it just asks to download it. Time to go check the resold accounts...

Thanks again. I hate those vulnerablities to unspecified attacks.

Jeff

**amazing** · 06-02-2006, 09:48 PM

Hi Vin

Tried it on mine and also got the "alarming" message!
Changed the .htaccess and now is fine. Like Jeff I'll have to check the resolds.

Thanks for your suggestion.

**Highway of Life** · 06-02-2006, 11:01 PM

For those of us who have several sites, wouldn't it make more sense to put those lines in the httpd.conf file instead of an .htaccess?

**Ron** · 06-03-2006, 01:12 AM

My browser displays the contents (text) of the file, it doesn't execute the php, and I haven't done anything to change anything in .htaccess.

Maybe my server is set up a bit differently than yours, or maybe I'm too stupid to figure it out. Either way. Since I don't allow people to upload any files to my server that have a vulnerable extension... I guess I'm safe. Or ignorant. Either way, I'm blissful.

**Vin DSL** · 06-03-2006, 01:22 AM

Originally Posted by Highway of Life

For those of us who have several sites, wouldn't it make more sense to put those lines in the httpd.conf file instead of an .htaccess?

Bingo! I was wondering if anyone would pick up on that!

Yes, this could easily be fixed by mapping it server-wide, but as I was recently reminded, it's not my server...

**rainboy** · 06-03-2006, 01:38 AM

Time for VPS Vin ? Or rather go dedicated?

**Vin DSL** · 06-03-2006, 01:58 AM

Originally Posted by rainboy

Time for VPS Vin ? Or rather go dedicated?

I don't need a server -- I'm resting my feet on a Slackware box -- hasn't gone down in, like, three years, except for power outages.

What I need is an OC48 connection (and a diesel UPS)...

Know where I can find one cheap?

OMG!!! Where is all this dust coming from???

**Vin DSL** · 06-03-2006, 02:27 AM

Hey, I was thinking...

I've been upgrading Portable Firefox to 1.5.0.4 tonight. Heh! I used the profile from my 1.0.8 (ax) nightly, and it booted up just fine!

Anyway, maybe I could put my 'server' on a thumbdrive, and plug it in down at the public library or something. They'd never know, right?

No reason to lug the whole box around...

**rainboy** · 06-03-2006, 03:01 AM

Vin,

some Datacenters do have free tours, those servers have USB nowerdays aswell *hint* *hint*

LinkBack

Thread Tools

Display

[Security Patch] Sorry, I don't have time to mess around right now...

Bookmarks

Bookmarks

Posting Permissions