[pmwiki-users] Re: Moving PmWiki session out of /tmp

Ben Wilson dausha at gmail.com
Tue Nov 29 09:00:16 CST 2005


The hack I am discussing is not related to PmWiki. The XSS (Cross-server 
scripting) hack is a weakness in pre-4.2 (IIRC) versions of PHP. I read 
an advisory that said that >4.2 has that fix.

What the hacker has been doing is manipulate the XSS to download a 
binary that allows him to run his own environment--effectively bypassing 
security. With that shell in place, he then tries to hide files in /tmp 
(usually by using directory names such as '. . .' or '   '). Into those 
directories he puts his target email addresses, then launches. 
Fortunately, the web host has caught the outbound spike and blocked the 
messages. I've since implemented a set of scripts that blocks his files. 
Part of that is based on MD5 hashing his binary, and other techniques.

What XSS does, as I recall, is allow somebody to execute a script on 
another server from your server--giving the hacker the web server's 
permissions. This allows him to install and run scripts in the /tmp 
directory.

Granted, I've been hardening that server--everything except setting up a 
chroot jail for Apache.

Ben
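
The two checks described in the message above (directory names made only of dots and spaces, and MD5 matching of a recovered binary), as an added example that is not part of the original post and not Ben's own scripts. The function names, the sample tree and the "known bad" digest are all constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """MD5 of a file, read in chunks (MD5 because the post names it)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def is_disguised(name):
    """True for names built only from dots and whitespace, e.g. '. . .' or '   '."""
    return name not in ("", ".", "..") and all(c == "." or c.isspace() for c in name)

def scan(root, bad_md5):
    """Return (kind, path) findings under root without following symlinks."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for d in dirnames:
            if is_disguised(d):
                findings.append(("disguised-dir", os.path.join(dirpath, d)))
        for f in filenames:
            path = os.path.join(dirpath, f)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, FIFOs and sockets
            try:
                if md5_of(path) in bad_md5:
                    findings.append(("known-binary", path))
            except OSError:
                continue  # unreadable or removed mid-scan
    return findings

def demo():
    """Build a constructed tree that mimics the layout in the post and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for d in (". . .", "   ", "sessions"):
            os.mkdir(os.path.join(root, d))
        payload = b"constructed stand-in for the dropped binary"
        with open(os.path.join(root, ". . .", "a"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(root, "sessions", "sess_1"), "wb") as fh:
            fh.write(b"benign session data")
        bad = {hashlib.md5(payload).hexdigest()}
        return sorted((k, os.path.relpath(p, root)) for k, p in scan(root, bad))

if __name__ == "__main__":
    for kind, path in demo():
        print(kind, repr(path))  # repr makes whitespace-only names visible
```

Printing paths with `repr` matters here: a directory named with three spaces is invisible in plain output.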



