hosted by liquidweb


Go Back   Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : litespeed hacked?
Reply

Forum Jump

litespeed hacked?

Reply Post New Thread In Hosting Security and Technology Subscription
 
Send news tip View All Posts Thread Tools Search this Thread Display Modes
  #1  
Old
Junior Guru Wannabe
 
Join Date: Mar 2010
Posts: 43

litespeed hacked?


this legit and real?

frind showwd me it just now on msn

http://************.org/forums/topic...-byte-exploit/



Sponsored Links
  #2  
Old
Junior Guru Wannabe
 
Join Date: Jun 2010
Location: Phoenix, AZ, USA
Posts: 30
This exploit is just a proof of concept for a file disclosure vulnerability. It would take quite a bit of effort on the part of an attacker to gain complete control of a system with it. Although this particular exploit would not allow an attacker to get remote root control of a web server, I would still upgrade as soon as possible.

  #3  
Old
Web Hosting Master
 
Join Date: Mar 2008
Posts: 1,715
It's not really a "proof of concept" considering it's got an actual exploit code with it. I was unable to test it because I don't have a LSWS with an active license, and I couldn't get another trial license to work - it just fails to start.

It looks legit to me though. Wait for LiteSpeed or mistwang here to confirm/deny it.

__________________
Jamie @ Sabrienix
Now with Mumble Hosting!

Sponsored Links
  #4  
Old
******* Unleaded
 
Join Date: Feb 2004
Posts: 3,829
Quote:
Originally Posted by fwaggle View Post
It's not really a "proof of concept" considering it's got an actual exploit code with it.
That's the definition of "proof of concept" as commonly understood in the security research community.

__________________
edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com

  #5  
Old
Web Hosting Master
 
Join Date: Jun 2004
Location: Oregon
Posts: 1,233
just tried with the latest Litespeed version and an older version, both doesn't work.
anyone find the expoit works?

  #6  
Old
Aspiring Evangelist
 
Join Date: Aug 2002
Location: Milton Keynes
Posts: 352
Yup, just confirmed this works

  #7  
Old
Web Hosting Master
 
Join Date: Mar 2008
Posts: 1,715
Quote:
Originally Posted by plumsauce View Post
That's the definition of "proof of concept" as commonly understood in the security research community.
In my mind, a "proof of concept" would be a mostly harmless exploit, something without any payload - you can download the config.php of any webapp you desire (that's hosted on LSWS) with that script, that's hardly harmless.

Meyu: Define "doesn't work"?

__________________
Jamie @ Sabrienix
Now with Mumble Hosting!

  #8  
Old
Web Hosting Master
 
Join Date: Jun 2004
Location: Oregon
Posts: 1,233
it actually did work...hope they have it fixed soon.

  #9  
Old
Web Hosting Master
 
Join Date: Mar 2008
Posts: 1,715
BTW if mod_security works on litespeed, I'd imagine it's probably trivial to write a rule to block this - not sure on that though.

I'm guessing anything that includes %00 would work? Someone more familiar with mod_security than me could probably confirm it.

__________________
Jamie @ Sabrienix
Now with Mumble Hosting!

  #10  
Old
Web Hosting Master
 
Join Date: Jun 2004
Location: Oregon
Posts: 1,233
maybe this
Code:
SecFilterCheckURLEncoding On
SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$"

  #11  
Old
Web Host Extraordinaire!!!
 
Join Date: Dec 2007
Location: Indianapolis, Indiana USA
Posts: 15,088
I tested this against 4.0.13 and 4.0.14 both x86 and x64 and the exploit doesn't appear to be affecting either of these builds.

Perhaps it only affects older/outdated software (i.e. it should have been kept up to date).


Quote:
Originally Posted by drspliff View Post
Yup, just confirmed this works
Quote:
Originally Posted by meyu View Post
it actually did work...hope they have it fixed soon.
What version and architecture?

  #12  
Old
Premium Member
 
Join Date: Apr 2007
Location: United Kingdom
Posts: 1,660
Out of interest, what version are you guys running?

I just tried it on 4.0.14 and it didn't work.

__________________
EZPZ Hosting - Dependable and Affordable UK and US Web Hosting
LiteSpeed Powered cPanel Shared with R1Soft and Softaculous | Budget VPS, Managed VPS and Dedicated | Shoutcast
Reseller Hosting Specialists | WHMCS-Based End User Support | Unlimited SSLs | CloudFlare
99.9% Uptime Guarantee | 24/7 Support | 30 Day Money Back Guarantee |

  #13  
Old
Junior Guru Wannabe
 
Join Date: Jul 2009
Posts: 69
Nothing on 4.0.14 here, too.

  #14  
Old
New Member
 
Join Date: Jun 2010
Posts: 2
4.0.14 is vulnerable under my tests.
bin/lshttpd.4.0.14: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
However, the exploit linked here did *NOT* work. I had to write my own version to get reproducible effects.
Here is the source: pastebin.ca/1882204 (can't directly link, I don't have 5 posts )


-05:04:20- seraphic:~/test luna% ./litespeed.pl <censored> /test.php
[.] webserver accepted the request
[.] <censored>:80 is running LiteSpeed
[+] file (test.php.txt) has been saved.
-05:07:03- seraphic:~/test luna% cat <censored>\:80-test.php
<?php
$super_secure_password = "vulnerable";
?>

Yes, I am aware the reported file it saves to is wrong, I wrote it at 4 in the morning. Cut me a little slack.

Let everybody you know running LiteSpeed (especially in place of Apache on cPanel servers, like I'm doing) to either hotfix with mod_security (does this work?) or switch back to Apache until an upgrade is released.

  #15  
Old
Aspiring Evangelist
 
Join Date: Mar 2009
Location: /home/khunj
Posts: 392
Just add this to 'Request Filter' at the server level:

Name : NULLBYTE
Action: deny,log
Eabled: yes
Rules Definition: SecRule REQUEST_URI "\x00"

Restart LS.

__________________
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.

Reply

Similar Threads
Thread Thread Starter Forum Replies Last Post
Paypal got Hacked or my paypal acct got hacked chefwong Web Hosting Lounge 14 09-23-2008 02:48 PM
Gmail has been hacked. Therefore Paypal and eBay have been hacked as well. HELP trexie Web Hosting Lounge 77 04-03-2007 09:57 AM
Think I've been hacked cfaice Hosting Security and Technology 2 12-02-2005 11:12 PM
Hacked or not? BooBoo Dedicated Server 1 12-13-2002 02:01 PM

Related posts from TheWhir.com
Title Type Date Posted
HostGator Says Reports of a Server Breach by CaLLSTaCK are a Hoax Web Hosting News 2014-10-23 11:57:54
Hostabulous Listing 2014-10-22 09:49:07
Could Website Hackers be Chasing Hosting Customers Away? Blog 2013-08-27 09:07:42
Syrian Electronic Army Targets Top US Media Websites in Outbrain Platform Hack Web Hosting News 2013-08-16 10:46:10
Web Hosting Sales and Promos Roundup – July 19, 2013 Web Hosting News 2014-05-23 15:42:56


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Postbit Selector

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump
Login:
Log in with your username and password
Username:
Password:



Forgot Password?
WHT Host Brief Email:

We respect your privacy. We will never sell, rent, or give away your address to any outside party, ever.

Advertisement:
Web Hosting News:
WHT Membership
WHT Membership



 

X

Welcome to WebHostingTalk.com

Create your username to jump into the discussion!

WebHostingTalk.com is the largest, most influentual web hosting community on the Internet. Join us by filling in the form below.


(4 digit year)

Already a member?