[pmwiki-users] pmwiki exploit
Patrick R. Michaud
pmichaud at pobox.com
Tue Sep 5 09:32:33 CDT 2006
On Tue, Sep 05, 2006 at 04:13:36PM +0200, Joachim Durchholz wrote:
> Simone Rota schrieb:
> > A pmwiki exploit is reported here:
> >
> > http://isc.sans.org/diary.php?storyid=1672
> >
> > it appears only to affect systems with register_globals on
>
> The bad news is that the people who're exploiting this are also trying
> to exploit kernel vulnerabilities and gain root access.
>
> The good news (beyond the register_globals hack) is that it isn't
> reported for PmWiki above 2.1.19.
Well, since as of 24 hours ago PmWiki 2.1.19 was the latest version
(and is vulnerable), that's not really saying much. :-)
> The problem is that it's a single report, which is based on anonymous
> sources, so it could be a red herring. If it's a valid alarm, it doesn't
> give details about the actual security holes involved, so fixing them
> could take more effort and time than usual.
It's a valid alarm, I've been able to duplicate the vulnerability on
my systems in the 2.1.20 release. 2.1.21 should definitively close it.
(But again, for sites with register_globals disabled, it's already
closed.)
> 1) Disable register_globals where I can,
> 2) upgrade to PmWiki-latest (2.1.21) where I cannot, and
> 3) disable PmWiki on those servers that really, really need to be
> secure, until PM comes around with a fuller analysis of the
> situation.
Totally agreed. A fuller analysis is forthcoming. In fact,
it's very likely that I'll be creating a "site analysis tool"
on pmwiki.org that people can use to analyze their site for
potential vulnerabilities and setting improvements.
Pm
More information about the pmwiki-users
mailing list