  1. #26
    Join Date: Feb 2006 | Location: Buffalo, NY | Posts: 1,501
    It concerns me that a similar exploit happened in the past. The similarities are quite shocking. Makes you wonder what the previous fix was like and if this one was more solid.

    http://www.milw0rm.com/exploits/4556
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Official Let's Encrypt Sponsor

  2. #27
    Join Date: Mar 2008 | Posts: 1,717
    Quote Originally Posted by MikeDVB:
    If you're not going to run it as the owner of the file, or as some other central user (www, nobody, etc.), how would you suggest running a file?
    My personal preference? Each actual user on the system having two users, one who owns the files (and can log in via SFTP or some such) and another to provide the context for the executable scripts. That'd give the user fine-grained control over what the website's dynamic scripts can write to (contrast to suPHP's "everything") while still providing a nice, segregated container for the scripts to run in (contrast to mod_php: one user gets owned, and everything that Apache's uid has access to, the malicious code does too).

    The thing you have to note about this exploit is that it is an exploit in LSWS itself - the PHP isn't even processed through LSAPI/PHP as the web server is just grabbing the file itself and then making the contents available. I didn't test, but I'd venture to say that even with 644 or 640 the exploit would still allow the grabbing of the file contents whether you're running suEXEC or not.
    I think the permissions claim is that if you're running PHP su'd, then the config.php could be owned by the user PHP is running as, and have restrictive permissions. It's my understanding that with everything except Apache's ITK MPM, static files are served under the context of the user the web server is running as. That means that with the above restrictive permissions, LSWS should just return a 403 response.
    I used to run the oldest commercial Mumble host.

  3. #28
    Join Date: May 2009 | Location: London, United Kingdom | Posts: 472
    Quote Originally Posted by MikeDVB:
    If you're not going to run it as the owner of the file, or as some other central user (www, nobody, etc.), how would you suggest running a file?

    The thing you have to note about this exploit is that it is an exploit in LSWS itself - the PHP isn't even processed through LSAPI/PHP as the web server is just grabbing the file itself and then making the contents available. I didn't test, but I'd venture to say that even with 644 or 640 the exploit would still allow the grabbing of the file contents whether you're running suEXEC or not.

    And yes, there is a fix out for LSWS, 4.0.15.
    If the config file was chmodded to 600 or 640 (as you said above) it wouldn't work. You would get a forbidden (403) error saved instead of the real config.php.

    @felosi - you are right. They should have fixed it ages ago, back when the thedefaced group found that bug in the first place. I've definitely given up on LSWS now. <3 Lighttpd and nginx
    Last edited by KnownSRV; 06-13-2010 at 02:50 PM.
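The two-user model in #27 and the 600/640-gives-403 point in #28 both reduce to one question: can the web server's own uid read a PHP file as plain static content? The script below is an added illustration (not code from the thread or from LiteSpeed) that applies the Unix permission-bit check to every .php file under a docroot; the demo docroot, file modes and the server uid/gids it uses are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path


def readable_as(path, uid, gids):
    """Classic Unix permission-bit check: could a non-root process with this
    uid and set of gids open the file for reading? A static-file handler that
    fails this check answers 403; one that passes it returns the raw source.
    Root is deliberately not special-cased: the server should not run as root."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def exposed_php_files(docroot, server_uid, server_gids):
    """Sorted .php paths (relative to docroot) that the web server identity
    could read as static content, i.e. what a handler bypass like the LSWS
    bug discussed above would hand back instead of executing."""
    root = Path(docroot)
    return sorted(
        str(p.relative_to(root)) for p in root.rglob("*.php")
        if p.is_file() and readable_as(p, server_uid, server_gids)
    )


def build_demo_docroot():
    """Constructed demo: three PHP files in the modes debated in the thread.
    Returns (docroot, owner_gid, server_uid, server_gids); the hypothetical
    server identity is neither the owner nor in the owning group, which is the
    suPHP/suEXEC situation with a separate user serving static files."""
    docroot = tempfile.mkdtemp(prefix="lsws-demo-")
    for name, mode in (("config.php", 0o600), ("lib.php", 0o640), ("index.php", 0o644)):
        path = os.path.join(docroot, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)
    st = os.stat(os.path.join(docroot, "config.php"))
    return docroot, st.st_gid, st.st_uid + 1, {st.st_gid + 1}


if __name__ == "__main__":
    docroot, _owner_gid, uid, gids = build_demo_docroot()
    for name in sorted(os.listdir(docroot)):
        ok = readable_as(os.path.join(docroot, name), uid, gids)
        print(f"{name}: {'source would be disclosed' if ok else '403 Forbidden'}")
```

Only index.php (644) is listed; config.php (600) and lib.php (640 with a group the server is not in) would produce the 403 the thread describes.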

  4. #29
    Join Date: Mar 2008 | Posts: 1,717
    Quote Originally Posted by CodyRo:
    It concerns me that a similar exploit happened in the past. The similarities are quite shocking. Makes you wonder what the previous fix was like and if this one was more solid.

    http://www.milw0rm.com/exploits/4556
    Ouch, I didn't notice this was (apparently) a regression. That kinda makes it worse in my humble, uneducated opinion.
    I used to run the oldest commercial Mumble host.

  5. #30
    Join Date: Feb 2006 | Location: Buffalo, NY | Posts: 1,501
    Quote Originally Posted by fwaggle:
    Ouch, I didn't notice this was (apparently) a regression. That kinda makes it worse in my humble, uneducated opinion.
    Yeah, I wonder if they were working on 4.x in their VCS and didn't patch the 4.x releases.
    Cody R.

  6. #31
    Join Date: Dec 2007 | Location: Indiana, USA | Posts: 19,196
    Quote Originally Posted by CodyRo:
    Yeah, I wonder if they were working on 4.x in their VCS and didn't patch the 4.x releases.
    Mistakes happen... Admittedly I've done something similar while developing software.

    I've seen worse with PHP (the language, not scripts developed with it).
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

  7. #32
    Join Date: Feb 2006 | Location: Buffalo, NY | Posts: 1,501
    Quote Originally Posted by MikeDVB:
    Mistakes happen... Admittedly I've done something similar while developing software.

    I've seen worse with PHP (the language, not scripts developed with it).
    The issue shouldn't have existed in the first place. It's not open source; however, throwing a null byte followed by an extension shouldn't be able to manipulate the web server, and it's concerning that such a trivial issue even existed (not only existed, but was previously reported and patched)!

    Comparing PHP to a web server is silly; a more valid example would be NGINX's recent fumble or things of that nature. We're also crossing the boundaries of the open source vs. closed source argument, but I'd rather not go there.

    The point I was making earlier was this was an issue previously (2007) and seemingly wasn't ever patched in the 4.x branch. That scares me - not the fact that there was an exploit.
    Cody R.
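The mechanism #32 objects to (a null byte followed by a decoy extension in the request path) leaves a clear trace in access logs. As an added detection example, not code from the thread or from LiteSpeed, the script below parses constructed common-log-format lines, URL-decodes the path, flags any request with an embedded NUL, and records whether the server answered 200 (file contents returned) or something else (403 is what the restrictive file modes discussed earlier produce).

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format; not taken from
# the thread or from any real installation.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jun/2010:14:50:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [13/Jun/2010:14:50:02 +0000] "GET /config.php%00.txt HTTP/1.1" 200 812
203.0.113.9 - - [13/Jun/2010:14:50:03 +0000] "GET /config.php%00.html HTTP/1.1" 403 221
198.51.100.4 - - [13/Jun/2010:14:50:04 +0000] "GET /images/logo.png HTTP/1.1" 200 4410
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def flag_null_byte_requests(log_text):
    """Return one record per request whose URL-decoded path contains a NUL.
    'target' is the file actually named before the NUL (what the server would
    have opened), 'suffix' the decoy extension after it, and 'outcome' says
    whether the server returned 200 (contents served) or was blocked."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        decoded = unquote(m.group("path"))  # single-pass %XX decoding
        if "\x00" not in decoded:
            continue
        target, _, suffix = decoded.partition("\x00")
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "target": target,
            "suffix": suffix,
            "status": m.group("status"),
            "outcome": "disclosed" if m.group("status") == "200" else "blocked",
        })
    return hits


if __name__ == "__main__":
    for h in flag_null_byte_requests(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["target"]} (+{h["suffix"]}) -> {h["status"]} {h["outcome"]}')
```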

  8. #33
    Join Date: Dec 2007 | Location: Indiana, USA | Posts: 19,196
    Quote Originally Posted by CodyRo:
    The issue shouldn't have existed in the first place
    I agree.

    Quote Originally Posted by CodyRo:
    Comparing PHP to a web server is silly
    I wasn't comparing PHP and a web server - I was comparing the development of two different pieces of software. I was on my phone, so admittedly I did cut my post short, but the point I was making was that I've seen bugs in 5.1.X that were patched and showed up again in 5.2.X, or even issues that were in 4.X.X that came back up in 5.X.X. Numerous times I've seen bugs that shouldn't have happened crop up again and again. Heck, I've seen a bug fixed in one minor revision only for it to come back 2 or 3 minor revisions later.

    Quote Originally Posted by CodyRo:
    a more valid example would be NGINX's recent fumble or things of that nature. We're also crossing the boundaries of the open source vs. closed source argument, but I'd rather not go there.
    I agree - it is difficult to compare Open and Closed source - the only point I was trying to make is that developers are human and they're bound to make mistakes. If humans were perfect then software would be perfect and we wouldn't have these sort of issues in LSWS, PHP, or any other open or closed source software.

    Quote Originally Posted by CodyRo:
    The point I was making earlier was this was an issue previously (2007) and seemingly wasn't ever patched in the 4.x branch. That scares me - not the fact that there was an exploit.
    Have you tested every 4.x version? Perhaps it was patched and then the issue re-occurred... I don't know. The thought did cross my mind to test them, but I don't feel like spending the time to do it.

    I do agree with you that if it was patched in one version it should also have been fixed in another, but the fact of the matter is, as I have said above, that we're all human and we make mistakes.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,700 websites since 2007.
