From: Nathan <na...@en...> - 2005-02-12 21:32:26
Damian, I have tried responding directly to you twice at da...@da... and have not heard back. Just wanted to make sure that was the correct e-mail address.

Nathan

Damian Parker wrote:
> On Sat, Jan 29, 2005 at 11:59:01PM -0600, Nathan wrote:
>
>>Hi, my TikiWiki installation was recently compromised per the issue
>>mentioned in the Security alert mentioned here:
>>http://tikiwiki.org/tiki-read_article.php?articleId=102
>>
>>Of the two sites that I host using TikiWiki only one of them was
>>compromised and has since been taken care of. It appears my site was
>>used in a phishing scheme targeted at eBay users.
>>
>>Being in the IT profession, but not a programmer, I would like to
>>understand a little more the details of the vulnerability. Also, since a
>>friend and I share a server, he is now very leery of TikiWiki and is
>>trying to get me to switch to some other solutions strictly because of
>>security concerns. Nothing like having your server shut down for 30
>>hours by your host to leave a bad taste in your mouth. A comment a
>>programmer made at work the other day to the two of us, "I looked at the
>>TikiWiki PHP code a while back and it has a lot of security issues",
>>didn't help the situation any.
>>
>>My questions are as follows:
>>
>>What actions within TikiWiki did the attacker have to do to write files
>>to the temp directory? (I noticed that uploading pictures to galleries
>>seems to create some)
>
>
> Any upload process to temp or img/wiki_up (wiki image uploading)
>
>
>>Wouldn't the attacker be limited to the rights that the Apache user or
>>group has if they executed a PHP script from this location? And if so
>>how could they gain control of a machine as mentioned in the article and
>>as others have indicated happened to their servers?
>
>
> By uploading a complete rootkit and then executing that to get "root" user access
>
>
>>Lastly, how extensive was the review of the code for security concerns
>>and is there anything yet to do?
>
>
> Since the 1.8.5 release there was another hole found. I wasn't happy with the release of 1.8.5 being pushed into the world by mose and others; I do believe it was released far too soon. As soon as those holes were discovered I stopped the products on my tikihost.net shop; they are still set to sold out status because I don't believe they are all fixed.
>
> I think in the meantime the only sensible way of securing tiki effectively is in the Apache virtual host entry, blocking EVERY directory and then only allowing access to those which really need it exclusively. That method seems to be working quite effectively now on the tikihost.net servers.
>
> Hope it helps, but if you want more details, feel free to email me off list.
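The default-deny virtual host Damian describes above, written out as an added example; this is not code from the thread or from the TikiWiki project. It uses the Apache 2.0/2.2 directives of the period (Order/Deny/Allow, mod_php's php_admin_flag). The two upload locations, temp and img/wiki_up, are the ones named in the thread; the ServerName, the install path /var/www/tiki, the tiki-*.php entry-point pattern and the asset directory names (img, styles) are assumptions.

```apache
# Added example, not from the thread. Default-deny the whole TikiWiki tree,
# re-open only entry-point scripts and static assets, and make sure nothing
# in the two upload locations (temp, img/wiki_up) can ever run as PHP.
# ServerName, install path and asset directory names are assumed placeholders.
<VirtualHost *:80>
    ServerName wiki.example.org
    DocumentRoot /var/www/tiki

    # 1. Default deny for everything under the docroot; no listings, CGI or
    #    symlink following, and no .htaccess so nothing below can loosen this.
    <Directory /var/www/tiki>
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all

        # 2. Re-open only the application's entry points (assumed to be
        #    index.php and tiki-*.php in the docroot, as in the URL quoted
        #    in the thread). This also matches subdirectories, which is why
        #    the upload directories below re-deny .php explicitly.
        <FilesMatch "^(index|tiki-[A-Za-z0-9_-]+)\.php$">
            Order allow,deny
            Allow from all
        </FilesMatch>
    </Directory>

    # 3. Static assets (assumed directory names): serve read-only, PHP off.
    <Directory /var/www/tiki/styles>
        Order allow,deny
        Allow from all
        php_admin_flag engine off
    </Directory>
    <Directory /var/www/tiki/img>
        Order allow,deny
        Allow from all
        php_admin_flag engine off
    </Directory>

    # 4. temp: TikiWiki writes uploads and caches here, but Apache never needs
    #    to serve it. Keep it denied and switch the PHP engine off as well, so
    #    a file dropped there cannot be executed even through another route.
    <Directory /var/www/tiki/temp>
        Order deny,allow
        Deny from all
        php_admin_flag engine off
    </Directory>

    # 5. img/wiki_up: uploaded wiki images must be served as plain files but
    #    never interpreted. The FilesMatch is deliberately NOT anchored with $,
    #    so a double-extension upload such as shell.php.jpg is refused too.
    <Directory /var/www/tiki/img/wiki_up>
        Order allow,deny
        Allow from all
        php_admin_flag engine off
        RemoveHandler .php .phtml .php3 .php4 .php5
        RemoveType    .php .phtml .php3 .php4 .php5
        <FilesMatch "\.(php|phtml|php3|php4|php5|phps|inc)">
            Order allow,deny
            Deny from all
        </FilesMatch>
    </Directory>
</VirtualHost>
```

Apache merges <Directory> sections from shortest path to longest, so the wiki_up block is applied after the docroot block and its FilesMatch deny overrides the docroot's tiki-*.php allow for anything under wiki_up; php_admin_flag cannot be reversed from .htaccess or script ini_set, and AllowOverride None makes that moot anyway. After loading the config, run `apachectl configtest`, then confirm that a harmless uploaded image in img/wiki_up is still served while a request for anything under temp returns 403.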