Greg Rundlett wrote:
> My site was owned and defaced. It looks like the mediawiki script
> that I recently installed to create a free-software community may have
> opened the 'door' to the site being compromised. This is unconfirmed
> however.

I ruled out the possibility of mediawiki being the one to blame. Brion Vibber (author) was very helpful in responding to the possibility of a problem, and actually discovered and patched a potential security issue in his project.

My ISP didn't have logs going back far enough to trace the exact events at the time of the initial intrusion (which was discovered to be 5/18/04). However, based on the fact that the first files appeared within my OSCommerce installation, and there was more than one unpatched vulnerability in OSCommerce, I am drawing the conclusion that OSCommerce was the weak link.

I checked through the history of osCommerce, and there have been a number of vulnerabilities found (and fixed) throughout the project's history. I was using Preview Release 2.2-CVS, and it is likely that the attacker was able to use a SQL injection or PHP injection vulnerability in osCommerce to introduce the phpexplorer.php file. It is almost certain that the cracker was able to uncover my database credentials (since once you can look at the PHP sources, you can view the database password in clear text in the configuration file).

I didn't use OSCommerce for actual order processing; it was more of a showcase. For that reason, I didn't maintain vigilance on the vulnerabilities announced by the project, nor did I keep the sources up to date. I hope to alert people not to make that mistake if they want to avoid being cracked. This is especially important if you ARE using it to do transactions and/or are using it for consulting clients.

In the past, I tended to throw a lot of stuff up on my website, to play with it, and experiment to see what other people liked. I had over 20,000 files on my site. The next version won't be so unwieldy, or vulnerable.
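The post's two lessons are that the intrusion was first noticed as unexpected files inside the web application, and that the ISP's logs did not reach back far enough to reconstruct it. A file-integrity baseline closes both gaps: hash a pristine copy of the installed release once, then diff the live tree against it on a schedule so a dropped script or a tampered file is caught from the filesystem even when no logs survive. The following is an added example written for this page, not code from the post or from osCommerce; it assumes nothing about the real install layout and builds a small constructed pair of directories in a temporary folder, using the file name phpexplorer.php from the post purely as a stand-in for an unexpected script.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large trees don't need the whole file in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed


def suspicious_additions(added):
    """Added files that the web server would execute: the ones to triage first.

    Extensions are an assumption about a typical PHP host configuration; adjust to
    whatever the server actually maps to an interpreter.
    """
    script_exts = {".php", ".phtml", ".php3", ".php4", ".php5", ".inc"}
    return [p for p in added if Path(p).suffix.lower() in script_exts]


def demo():
    """Constructed sample: a 'pristine' release tree and a 'live' copy with one
    dropped script in an upload-style directory and one tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp) / "pristine"
        live = Path(tmp) / "live"
        for root in (pristine, live):
            (root / "includes").mkdir(parents=True)
            (root / "images").mkdir()
            (root / "index.php").write_text("<?php echo 'shop'; ?>\n")
            # Placeholder credential: a real config would hold the live DB password.
            (root / "includes" / "configure.php").write_text(
                "<?php define('DB_SERVER_PASSWORD', 'PLACEHOLDER'); ?>\n"
            )
            (root / "images" / "logo.gif").write_bytes(b"GIF89a")
        # Simulated compromise: a script appears where only images belong, and the front page changes.
        (live / "images" / "phpexplorer.php").write_text("<?php /* constructed stand-in */ ?>\n")
        (live / "index.php").write_text("<?php echo 'shop'; /* tampered */ ?>\n")

        baseline = build_manifest(pristine)
        current = build_manifest(live)
        added, modified, removed = diff_manifests(baseline, current)
        return added, modified, removed, suspicious_additions(added)


if __name__ == "__main__":
    added, modified, removed, triage = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
    print("triage first:", triage)
```

In practice the baseline manifest is generated from a fresh copy of the exact release you deployed and stored off the web host, so an intruder who can write to the webroot cannot also edit the reference; a cron job then runs `build_manifest` over the live tree and reports the diff. Anything in `suspicious_additions` inside directories that should only ever hold uploads or images deserves immediate attention, which is the pattern the post describes.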