  1. #1
    Hi there! Owen's Avatar
    Join Date
    Jan 2000
    Location
    CA
    Posts
    1,165
    Some hackers hacked into my website (my guestbook actually) -- they didn't do any damage (just left the word "hacked?"). I knew the guestbook was easily hacked and so did the writers of the software, but no one did anything about it.

    The hacked page (I left it up. And yes I know the people who sign it are lame.) http://www.pbbt.com/cgi-bin/ugb/ugb.cgi

    A clue about how stupid the makers are (and me too): http://www.pbbt.com/cgi-bin/ugb/gbad...dit&number=186 (it's a hidden gif by every entry so I can delete offensive entries.)

    All one needs to do is type the name of the file and the directory... and I'll give you 3 guesses as to what it was (and looking at the source code is cheating). I chmod'd it to 750 so don't bother trying.

    Anyway, don't forget to back up. I was lucky they didn't erase it.

    Owen

    BTW, this was the default configuration. Pretty stupid, eh?

  2. #2
    SitePoint Evangelist
    Join Date
    Jul 2000
    Location
    Warwickshire, England
    Posts
    557
    Somehow, I seem to remember all of Madrona Park's products not being the best in security. UBB (even the one that used to be on SP) was vulnerable to the old "append a pipe and command" to an open exploit, which allowed anyone to run shell commands as the owner of the script on the box with UBB installed...

  3. #3
    AdSpeed.com Son Nguyen's Avatar
    Join Date
    Aug 2000
    Location
    Silicon Valley
    Posts
    2,241
    Oh yes, using a pipe is exactly what I did to a site. I opened a thread in the WebHosting forum; check it out.
    I believe there are MANY holes exploited this way (pipe).
    - Son Nguyen
    AdSpeed.com - Ad Serving and Ad Management Made Easy

  4. #4
    Hi there! Owen's Avatar
    Yes... it's not good stuff.

    How does the pipe and command exploit work? I use pipes for other scripts I use on my site and probably should make them secure.

    Though having an unencrypted password on a publicly accessible website isn't the smartest thing in the world to do.

    Owen

  5. #5
    AdSpeed.com Son Nguyen's Avatar
    On that site, the script just gets the input, then performs a whois command: whois $input (no check performed on $input), then prints out ANYTHING it got (even worse!)

    say $input = | ls -l
    A nice/harmless one!

    Anyway, by having this exploit, the site opens a hole for people on the shared server (I actually did a listing of all sites on that server)

    Too bad I didn't know many Linux commands to do some interesting experiments!
    Check out: neworder.box.sk if you're interested in security stuff.
    <Edited by 123finder.com on 12-03-2000 at 03:35 PM>
    - Son Nguyen
    AdSpeed.com - Ad Serving and Ad Management Made Easy

  6. #6
    SitePoint Evangelist
    In Perl, as a general rule, when I process the GET or POST request, I strip the pipes.

    Another common mistake is forgetting to strip the pipes out of anything with "open". E.g.
    open(something, "something|echo you got hacked>index.htm");

    As 123finder pointed out, there are several good security sites around. If you're interested in this sort of thing, you may want to consider signing up to BugTraq.
    <Edited by PeterW on 12-03-2000 at 03:53 PM>

  7. #7
    Hi there! Owen's Avatar
    I got it. It makes sense. Fortunately, all my programs use pipes so I grep'd them out anyway. I also never execute ANY user input even to open files. (I always look up in a db first, then verify file exists and is proper format, then open.)

    Owen
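
Added example, not code from any poster or from the guestbook software: a Perl sketch of the two defences the thread points toward for the `whois $input` script and the two-argument `open` call, using an allowlist on the input, a list-form pipe open that bypasses the shell, and three-argument `open` for files. The names `valid_domain`, `run_lookup` and `read_entry` are hypothetical, the inputs are constructed, and `$^X` (the running perl) stands in for the whois binary so the demo runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist check for a lookup target: hostname characters only, so '|', ';',
# spaces and a leading '-' (option injection) can never reach the command.
sub valid_domain {
    my ($input) = @_;
    return unless defined $input && length $input <= 253;
    return $input =~ /\A([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)\z/ ? $1 : undef;
}

# List-form pipe open: Perl execs the program directly and no shell parses the
# arguments. Assumption: $^X stands in for whois so this runs without network.
sub run_lookup {
    my ($domain) = @_;
    my @cmd = ($^X, '-e', 'print "lookup target: [$ARGV[0]]\n"', $domain);
    open(my $ph, '-|', @cmd) or die "cannot start lookup: $!";
    my $out = do { local $/; <$ph> };
    close($ph) or die "lookup failed: $?";
    return $out;
}

# Three-argument open: the mode is fixed by the caller, so a '|' in the name
# is only an odd character in a filename and is never run as a command.
sub read_entry {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed for [$name]: $!";
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

# Constructed inputs, including the two shapes quoted in the thread.
for my $input ('example.com', '| ls -l', 'example.com; id', '-h') {
    my $domain = valid_domain($input);
    print defined $domain ? run_lookup($domain) : "rejected: [$input]\n";
}
print read_entry('something|echo you got hacked>index.htm'), "\n";
```

Only `example.com` reaches the child process; the other three inputs are rejected before any command is built, and the final call reports a failed open on a literal filename instead of starting a shell.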

