[pmwiki-users] Re: Moving PmWiki session out of /tmp
dausha at gmail.com
Tue Nov 29 09:00:16 CST 2005
The hack I am discussing is not related to PmWiki. The XSS (Cross-server
scripting) hack is a weakness in pre-4.2 (IIRC) versions of PHP. I read
an advisory that said that >4.2 has that fix.
What the hacker has been doing is manipulate the XSS to download a
binary that allows him to run his own evironment--effectively bypassing
security. With that shell in place, he then tries to hid files in /tmp
(usually by using directory names such as '. . .' or ' '). Into those
directories he puts his target email addresses, then launches.
Fortunately, the web host has caught the outbound spike and blocked the
messages. I've since implemented a set of scripts that blocks his files.
Part of that is based on MD5 hashing his binary, and other techniques.
What XSS does, as I recall, is allow somebody to execute a script on
another server from your server--giving the hacker the web server's
permissions. This allows him to install and run scripts in the /tmp
Granted, I've been hardening that server--everything except setting up a
chroot jail for Apache.
More information about the pmwiki-users