[pmwiki-users] Vulnerability being exploited

Crisses crisses at kinhost.org
Fri Dec 22 05:44:12 CST 2006


On Dec 21, 2006, at 7:03 PM, Wade Hudson wrote:

> Dear pmwiki users:
>
> On my site, a vulnerability is being exploited on the top-level  
> script. About ten times a day, I receive spam that includes a  
> number as the username and then has "@users.hostname.net" as the  
> domain name.
> My web host tells me: The mail logs suggest that this message was  
> indeed generated on our Web server, and the web logs turn up...  
> something that looks like the (ab)use of a script on your own site,  
> corresponding to the message time exactly:
>
> 193.108.252.170 - - [20/Oct/2006:14:51:12 -0700] "POST /pmwiki.php HTTP/1.1" 302 16 "http://sitename/pmwiki.php" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc3) Gecko/20020523"
>
> You need to close the exploit one way or another. We've had to  
> disable Web scripts recently because they were being used for  
> massive spamming and were bringing our whole Web server down, so  
> it's probably just a matter of time before yours is more  
> aggressively exploited.
>
> Looking more closely, the URL that's getting used is just /pmwiki.php,  
> which is the central top-level script for the site.
> I am a relative novice. A friend set this site up for me. I think I  
> know how to upload files to the site using WinSCP, which is  
> configured to connect to the website when I log in, but that's  
> about it. I could edit a particular file with precise instructions.  
> So please be as simple and step-by-step as you can with your advice.
>
> Also, if one of you might be available for one-on-one guidance,  
> that might be helpful, unless what I need to do is very easy.
>
> Thanks,
> Wade
>

Hi, Wade,

EVERYTHING runs through the top-level script.  When you see  
http://www.example.com/pmwiki.php/Main/HomePage -- it's still running  
through pmwiki.php.

So -- here's what we need to know:

What version are you running -- see page PmWiki/PmWiki on your site.   
Compare it with the latest release numbers at the pmwiki.org site --  
you likely have an old version.

What recipes are you using -- see the cookbook folder when you SCP to  
the site and give us a list of what's in there, or match up each  
recipe with the cookbook area of pmwiki.org --> each script may be  
updated from the version you're running.

The other places where there may be customizations that would make  
your site vulnerable are the skins used and the local/  
configuration folder...

Suggestions:
upgrade the site - you could have an older version of PmWiki with  
known vulnerabilities that have been fixed.
upgrade any recipes used - again, maybe you're using recipes that had  
vulnerabilities that are known.
give us the URL, so we can look at the site and make suggestions for  
how to improve your security

I'd say take everything one step at a time --
backup --> as easy as downloading everything to a safe directory on  
your home computer in case something breaks
disable recipes
upgrade pmwiki from pmwiki.org
re-download each recipe from pmwiki.org and install it
enable each recipe one at a time -> test if it works
if there are problems with anything, let us know.

If you want any help from the list in general, you might want to give  
us the URL for the site.  If you want assistance, just ask.  If you  
want to hire someone to explicitly take care of it for you (in a  
contract-for-hire way), I'm one of the people on the list available  
for hire -- I'm sure there are others.  I advise and give away ideas  
for free: I research, program, and do for money ;)

Crisses
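As an added example that is not part of this thread: Wade's host correlated the spam's mail-log time with a POST to /pmwiki.php by hand. The script below does the same over an Apache combined-format access log (the layout of the quoted line), listing clients that repeatedly POST to the top-level script and the POSTs that fall within a window of a mail-log timestamp. The sample lines are constructed, with documentation-range addresses; the threshold and window are assumptions to tune for a real site's traffic.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" log format, the layout of the line Wade's host quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """One access-log line -> dict (ip, ts, method, path, status), or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"), "path": m.group("path"), "status": int(m.group("status"))}

def pmwiki_posts(lines, script="/pmwiki.php"):
    """POSTs to the top-level script, bare or with a /Group/Page suffix (every page runs through it)."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and (e["path"] == script or e["path"].startswith(script + "/")):
            hits.append(e)
    return hits

def suspicious_ips(posts, threshold=3):
    """Client addresses that POSTed to the script at least `threshold` times (assumed threshold)."""
    counts = Counter(e["ip"] for e in posts)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def posts_near(posts, mail_time, window_seconds=60):
    """POSTs within +/- window of a mail-log timestamp given in the access-log time format."""
    when = datetime.strptime(mail_time, TS_FMT)
    return [e for e in posts if abs(e["ts"] - when) <= timedelta(seconds=window_seconds)]

# Constructed sample lines (documentation-range addresses, not Wade's real logs).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Oct/2006:14:51:12 -0700] "POST /pmwiki.php HTTP/1.1" 302 16 "http://wiki.example.org/pmwiki.php" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc3) Gecko/20020523"',
    '198.51.100.7 - - [20/Oct/2006:14:52:01 -0700] "GET /pmwiki.php/Main/HomePage HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Oct/2006:14:53:40 -0700] "POST /pmwiki.php HTTP/1.1" 302 16 "http://wiki.example.org/pmwiki.php" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Oct/2006:14:55:02 -0700] "POST /pmwiki.php HTTP/1.1" 302 16 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Oct/2006:15:02:33 -0700] "POST /pmwiki.php/Main/HomePage HTTP/1.1" 302 16 "http://wiki.example.org/pmwiki.php/Main/HomePage?action=edit" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("repeat POSTers to pmwiki.php:", suspicious_ips(pmwiki_posts(SAMPLE_LOG)))
```

Point `SAMPLE_LOG` at the real access log lines and pass the mail log's send time to `posts_near` to get the same correlation the host described.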