[TriLUG] I've got intruders!!

Neil L. Little nllittle at vnet.net
Wed May 17 21:51:40 EDT 2006


Uh oh,
I'm not entirely positive, but I believe that the version of webgui 
currently installed falls in that range. Thanks Rick!

On a positive note, I ran chkrootkit today and nothing was detected. Small 
victories I'll take.

Neil Little, WA4AZL
JARS Forever!! ...er TRILUG Too!!

> On 5/16/06, Neil L. Little <nllittle at vnet.net> wrote:
>
>> There were no PHP scripts running.
>> The HTTP server was running WebGUI, a content management application
>> based on Perl.
>
>Perl apps are quite susceptible to security exposures, not only the
>usual things like SQL injection, but also Perl-specific feature
>exploitations.
>
>One dangerous feature of Perl is the way that filenames are overloaded
>in the open() function to do IPC. In Perl, open("ls |") will actually
>run an ls command and return a pipe handle so that you can read the
>output of the command.
>
>If a Perl CGI takes something from the user, and interprets it as a
>file name without first scrubbing it, a malicious user can execute
>arbitrary code with the permissions of the CGI process.  This was the
>basis of a pretty nasty exposure in awstats which typically got
>exploited by using a URL which used wget to download a zombie program
>and then execute it.
>
>A google of "webgui security" turns up a vulnerability which was
>discovered a few months ago:
>http://www.securityfocus.com/bid/16612
>
>This seems to affect webgui 6.3.0-6.8.5
>
> -- 
> Rick DeNatale
> IPMS/USA Region 12 Coordinator
> http://ipmsr12.denhaven2.com/
> Visit the Project Mercury Wiki Site
> http://www.mercuryspacecraft.com/
>
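
Added example, not part of the original thread and not code from WebGUI or awstats: the two-argument open() behaviour described in the quoted message, beside a three-argument open() that only accepts an allowlisted file name. The scratch directory, file name, input strings and function names are constructed for illustration, and a Unix-like system with `echo` is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed sample data: a scratch directory holding one report file.
my $base   = tempdir(CLEANUP => 1);
my $report = File::Spec->catfile($base, 'report.txt');
open(my $out, '>', $report) or die "setup failed: $!";
print {$out} "monthly stats\n";
close($out);

# Read everything from a handle; returns '' if nothing was read.
sub slurp { my ($fh) = @_; local $/; my $data = <$fh>; return defined $data ? $data : ''; }

# BEFORE: two-argument open. Perl takes the mode from the string itself,
# so a trailing "|" makes it run the string as a command and read its output.
sub read_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!\n";
    my $data = slurp($fh);
    close($fh);
    return $data;
}

# AFTER: allowlist the name first, then use three-argument open so the mode
# is fixed to "<" and the string is only ever treated as a path under $base.
sub read_safe {
    my ($name) = @_;
    return "rejected\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    open(my $fh, '<', File::Spec->catfile($base, $name))
        or return "open failed: $!\n";
    my $data = slurp($fh);
    close($fh);
    return $data;
}

my $piped = 'echo command-ran |';   # constructed input; the command is harmless
print 'unsafe, normal path:  ', read_unsafe($report);
print 'unsafe, piped string: ', read_unsafe($piped);
print 'safe, normal name:    ', read_safe('report.txt');
print 'safe, piped string:   ', read_safe($piped);
```

Perl's taint mode (`-T`) is a further backstop for CGI code, since it refuses to run commands built from unvalidated input.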


