[pmwiki-users] Need some help with a wiki.d security breach

Patrick R. Michaud pmichaud at pobox.com
Thu Nov 2 10:11:18 CST 2006


On Thu, Nov 02, 2006 at 10:49:50AM -0500, John Coxon wrote:
> My site running pmwiki-2.1.23 has been invaded by an email spam  
> engine at http://www.coxontool.com/wiki.d/email.php.stop (.stop added  
> to, well, stop the spamming - 1,381 meg outgoing just this morning).
> [...]
> I need some help figuring out how this guy got in and how to keep him  
> out.
> 
> My site is password protected. If the password were somehow obtained  
> would that enable one to install the script in wiki.d through an  
> edit? 

Not as written here.  PmWiki would've changed the page name to be
'Email.Php', as well as written the file in the page store format
(which protects against raw HTML or PHP scripts).  So, the file
arrived in wiki.d/ via some other vector.

What about the .htaccess file that is supposed to be in wiki.d/ --
is it there, or has it disappeared?

> Everything looks ok via ?action=diff for all pages modified  
> since this guy got in so I'm thinking he came in some other way. But  
> if so why put the script in the wiki.d directory?

Because, on your site at least, it's easily accessible from the web
via the wiki.d/ url.  (Normally we try to block that url by using
the .htaccess file, but that doesn't seem to be having any effect
at the moment.)

> Would it be helpful if I post the offending script here? 

The script itself doesn't seem to be the problem -- it's whatever
allowed the script to appear in wiki.d/ .  So no, I wouldn't post
it here.

Pm
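
The two checks raised in the reply above, as an added example that is not part of the original message or of PmWiki's own code: confirm that wiki.d/ still has its .htaccess, and list files that PmWiki itself would not have written. It assumes that page-store files begin with a `version=` header, that page files are named Group.Name with capitalised parts, and that dot-files are PmWiki's own bookkeeping; the sample files are constructed.

```python
import os
import re
import tempfile

PAGE_HEADER = b"version="  # assumption: first bytes of a page-store file
PAGE_NAME = re.compile(r"^[A-Z0-9][^.]*\.[A-Z0-9][^.]*$")  # heuristic: Group.Name
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def audit_wiki_d(path):
    """Return sorted (filename, reason) findings for a wiki.d/ directory."""
    findings = []
    if not os.path.isfile(os.path.join(path, ".htaccess")):
        findings.append((".htaccess", "missing"))
    for name in os.listdir(path):
        full = os.path.join(path, name)
        # Dot-files are skipped (assumption: they are PmWiki's own bookkeeping).
        if name.startswith(".") or not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            head = fh.read(65536)
        if not PAGE_NAME.match(name):
            findings.append((name, "name is not Group.Name"))
        if not head.startswith(PAGE_HEADER):
            findings.append((name, "not page store format"))
            if PHP_TAG.search(head):
                findings.append((name, "raw PHP open tag"))
    return sorted(findings)


def demo():
    """Audit a constructed wiki.d/ holding one page and one dropped script."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "Main.HomePage": b"version=pmwiki-2.1.23\ntext=Hello\n",
            "email.php.stop": b"<?php /* constructed placeholder, no payload */ ?>\n",
        }
        for name, body in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        return audit_wiki_d(d)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

A present .htaccess does not show that the web server honours it; requesting a wiki.d/ URL from outside and receiving a denial does.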
