Mailing List Archive

site defaced
My website was just defaced, and I have not yet had a chance to
investigate the exact causes. The script-kiddie was able to upload a
php shell creation script + php-explorer and others.

I installed mediawiki in the last two weeks, and the folder is now
gone. I'm wondering if mediawiki is known to be secure with
allow_url_fopen set to on? Are there any known vulnerabilities in
mediawiki? I do not know the exact vulnerability that caused my site to
be owned, and there may have been multiple vulnerabilities, I'm just
asking what if any info you might have in this regard.

Thanks,
Greg

--
FREePHILE
We are 'Open' for Business
Free and Open Source Software
http://www.freephile.com
(978) 270-2425
If you are smart enough to know that you're not smart enough to be an
Engineer, then you're in Business.
Re: site defaced
Did you have file uploads enabled? If so, did you ensure that PHP was
disabled in your upload folder? If not, the script-kiddie could easily have
uploaded some malicious PHP and executed it.


Ryan


On August 6, 2004 11:59 am, Greg Rundlett wrote:
> My website was just defaced, and I have not yet had a chance to
> investigate the exact causes. The script-kiddie was able to upload a
> php shell creation script + php-explorer and others.
>
> I installed mediawiki in the last two weeks, and the folder is now
> gone. I'm wondering if mediawiki is known to be secure with
> allow_url_fopen set to on? Are there any known vulnerabilities in
> mediawiki? I do not know the exact vulnerability that caused my site to
> be owned, and there may have been multiple vulnerabilities, I'm just
> asking what if any info you might have in this regard.
>
> Thanks,
> Greg
Re: site defaced
Greg Rundlett wrote:
> My website was just defaced, and I have not yet had a chance to
> investigate the exact causes. The script-kiddie was able to upload a
> php shell creation script + php-explorer and others.
>
> I installed mediawiki in the last two weeks, and the folder is now
> gone. I'm wondering if mediawiki is known to be secure with
> allow_url_fopen set to on?

MediaWiki explicitly sets allow_url_fopen to off on the main entry
point, and we've made some effort to be careful about includes and
whatnot when calling the other files.

As far as I know, it should be safe.

I notice you posted a note about uploading a couple weeks ago; was
uploading allowed on your wiki? The default configuration when uploading
is enabled uses an extension whitelist which should prevent executable
PHP scripts from being uploaded, but if Apache wasn't configured to
prevent running of scripts in the upload directory it's conceivable that
there's a way to get things through it with a pathological filename. If
this is the case there should be some evidence in the httpd logs.

> Are there any known vulnerabilities in
> mediawiki? I do not know the exact vulnerability that caused my site to
> be owned, and there may have been multiple vulnerabilities, I'm just
> asking what if any info you might have in this regard.

I'm not aware of any PHP insertion vulnerabilities in the current 1.2 or
1.3 release versions, but if you find any *please* let us know.

-- brion vibber (brion @ pobox.com)
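
The httpd log check suggested in the message above, sketched as an added example (not code from the thread or from MediaWiki): it scans Apache access-log lines for requests into the upload directory whose file name carries a script extension in any position. The `/wiki/images/` prefix, the extension list and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumptions (not from the thread): upload URL prefix and interpreter extensions.
UPLOAD_PREFIX = "/wiki/images/"
SCRIPT_EXTS = {"php", "php3", "php4", "phtml", "pl", "cgi"}

# Apache common/combined log: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def script_segments(path):
    """Script-like extensions in ANY dot-separated part of the file name."""
    name = path.rsplit("/", 1)[-1].lower()
    return [part for part in name.split(".")[1:] if part in SCRIPT_EXTS]

def suspicious_upload_hits(lines, prefix=UPLOAD_PREFIX):
    """Return (host, time, method, status, path, exts) for flagged requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode %-escapes and drop the query string before inspecting the name.
        path = unquote(urlsplit(m["target"]).path)
        exts = script_segments(path) if path.startswith(prefix) else []
        if exts:
            hits.append((m["host"], m["time"], m["method"], m["status"], path, exts))
    return hits

# Constructed sample lines (documentation-range addresses), not from a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2004:10:01:02 -0400] "GET /wiki/images/a/ab/Logo.png HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Aug/2004:22:14:40 -0400] "GET /wiki/images/c/c1/holiday.php.jpg?x=1 HTTP/1.0" 200 312',
    '198.51.100.7 - - [05/Aug/2004:22:15:03 -0400] "POST /wiki/images/c/c1/notes%2Ephtml HTTP/1.0" 200 48',
    '192.0.2.10 - - [05/Aug/2004:10:05:00 -0400] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in suspicious_upload_hits(SAMPLE_LOG):
        print(hit)
```

A hit shows only that such a file was requested; whether it ran depends on whether the server is configured to execute scripts in that directory.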
Re: site defaced
Greg Rundlett wrote:

> My website was just defaced, and I have not yet had a chance to
> investigate the exact causes. The script-kiddie was able to upload a
> php shell creation script + php-explorer and others.
>
I still have not traced the exact cause, but *have ruled out MediaWiki*.

Thanks Brion for your assistance, and a great contribution to free software!

- Greg Rundlett