Full Version: SECURITY WARNING - PHP, PEAR and Application Level
Easytouch
Hi,

Please do not focus your security thoughts only on the deeper Linux layers like SSH and the firewall. Also take care of the scripts and the application level.

See this article about a bug in PEAR that gave script kiddies the possibility to change the index.php file of one of our customers:
http://news.netcraft.com/archives/2005/07/...c_exploits.html

German Version:
http://www.heise.de/newsticker/meldung/62827

So one question:
How do you guys check for security on the application level for things like
- PostNuke
- WordPress
- Drupal
- Serendipity
- phpAdsNew
- phpWiki
- phpMyFAQ
- all the others, and how are you sure that all customers use the latest patches of open source scripts and have no flaws in self-written script stuff?

I think it's interesting, because it can hit our reputation as a small hosting business if some customer has a bad web form or wrong permissions on his Linux files, and your server stands there as a spam bomb or script-kiddie vulnerable.

Please share your thoughts and recommendations.
Easytouch
The Drupal project has released version 4.6.3 of its open-source content management platform. Drupal 4.6.3 is a maintenance release that fixes problems reported using the bug tracking system. Drupal 4.6.3 also fixes a new security vulnerability in the third-party XML-RPC library that Drupal ships with. Since the same bug is also present in the Drupal 4.5 series, Drupal 4.5.5 is released as well. If you cannot upgrade at once, we strongly suggest that you remove the xmlrpc.php file from your Drupal installation's root directory. The xmlrpc.php file is used only for Drupal to receive XML-RPC calls.
Source: http://drupal.org/drupal-4.6.3

If you have multiple customers using drupal you have to locate all xmlrpc.php files on your server.

On the Unix shell (e.g. through PuTTY) run the following commands:

# updatedb (updates the locate search database)
# locate xmlrpc.php (finds all locations of the file)

Rename, or back up and delete, the file xmlrpc.php

Inform your customers to upgrade drupal to the latest release.
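The steps above (find every xmlrpc.php, set it aside rather than just deleting it, and know which customer to notify) can be scripted so they are done the same way on every server. The script below is an added example and not code from the original post or from the Drupal project. It uses find(1) instead of locate(1) so it does not depend on a fresh updatedb run, moves each file into a backup directory that mirrors the original path, and writes an owner/path report for the customer notifications. The web-root layout and the customer directory names are assumptions made up for the demo; on a real server pass the actual vhost root.

```bash
#!/bin/sh
# Added example (not from the original post): quarantine every xmlrpc.php
# below a web root instead of deleting it, and record who owns each copy so
# the customer can be told to upgrade. Uses find(1) rather than locate(1) so
# no updatedb run is required. All paths here are assumptions for the demo.

# quarantine_xmlrpc WEBROOT BACKUPDIR
# Moves each WEBROOT/**/xmlrpc.php to BACKUPDIR/<path relative to WEBROOT>,
# writes one line per file ("owner<TAB>original path") to BACKUPDIR/report.txt
# and prints the number of files quarantined.
quarantine_xmlrpc() {
    webroot=$1
    backup=$2
    mkdir -p "$backup"
    : > "$backup/report.txt"          # fresh report for this run
    # -type f: regular files only; symlinks are left alone on purpose so a
    # link pointing outside the web root is never followed and moved.
    find "$webroot" -type f -name xmlrpc.php | while read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')   # record owner before moving
        rel=${f#"$webroot"/}                       # path relative to web root
        mkdir -p "$backup/$(dirname "$rel")"
        mv "$f" "$backup/$rel"
        printf '%s\t%s\n' "$owner" "$f" >> "$backup/report.txt"
    done
    # The while loop ran in a subshell (pipeline), so count from the report.
    wc -l < "$backup/report.txt" | tr -d ' '
}

# make_fixture: builds a constructed, throw-away "server" tree with two
# customer Drupal installs and one static site, and prints its root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/customer-a/drupal" \
             "$root/customer-b/htdocs/drupal" \
             "$root/customer-c/static"
    echo '<?php // constructed stand-in for Drupal xmlrpc.php' > "$root/customer-a/drupal/xmlrpc.php"
    echo '<?php // constructed stand-in for Drupal xmlrpc.php' > "$root/customer-b/htdocs/drupal/xmlrpc.php"
    echo '<html></html>' > "$root/customer-c/static/index.html"
    printf '%s\n' "$root"
}

# Demo run on the constructed tree (skipped if XMLRPC_NO_DEMO is set).
if [ -z "${XMLRPC_NO_DEMO:-}" ]; then
    demo_root=$(make_fixture)
    demo_backup=$(mktemp -d)
    echo "quarantined $(quarantine_xmlrpc "$demo_root" "$demo_backup") file(s); report:"
    cat "$demo_backup/report.txt"
fi
```

The report lists the file owner, which on a shared host normally maps to the customer account, so it doubles as the notification list for the upgrade reminder. Re-running the script after an upgrade shows whether a customer restored xmlrpc.php by re-extracting the old tarball.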
REBIS
It's quite complicated, especially when companies such as Ensim bundle installation scripts such as PowerTools but fail to update. Makes it too easy for end users to install insecure apps and managing them can become a nightmare.