From owner-freebsd-security@FreeBSD.ORG Sun Dec 26 00:40:12 2004
Date: Sat, 25 Dec 2004 17:44:44 -0700 (MST)
From: estover@nativenerds.com
To: "Bob Ababurko"
Cc: freebsd-security@freebsd.org
Subject: Re: odd log mesage...looks serious
List-Id: Security issues [members-only posting]

Have you run any program such as trafshow or iftop? They make that appear in my logs.

> hello all-
>
> and a happy holiday to all you geeks that are in front of the crt!
>
> I found these log messages in my logs and I am not sure what some of
> them signify.
>
> Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
> Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
> Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
>
> I understand the "Limiting closed port RST response". ....but what are
> the promiscuous mode enabled and disabled on my NIC? I am not doing
> this, so who or what is doing this. Or better yet, what does this mean?
> I have a fear that this one is serious. So what I need is some
> direction into finding out how this occurs and what I can do to stop it.
>
> thanks,
> Bob
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sun Dec 26 15:34:47 2004
Date: Sat, 25 Dec 2004 22:45:53 -0500 (EST)
From: "Jerry Bell"
To: "Bob Ababurko"
Cc: freebsd-security@freebsd.org
Subject: Re: odd log mesage...looks serious

If you haven't been running trafshow, tcpdump, ngrep or some other traffic
sniffer, more than likely someone has hacked you.
I believe it takes root privileges to put the interface into promiscuous
mode. If this is the case, the attacker is likely sniffing for passwords
and/or email traffic, since this looks like a mail server.

Lately, it seems that a lot of hackers are not affecting the system to the
point that the owner would notice (i.e. changing passwords, etc), so they can
hang on to it for a while. Generally, it's for spamming purposes these
days, but it's hard to say.

Jerry
http://www.syslog.org

> hello all-
>
> and a happy holiday to all you geeks that are in front of the crt!
>
> I found these log messages in my logs and I am not sure what some of
> them signify.
>
> Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
> Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
> Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
> Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
> Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
>
> I understand the "Limiting closed port RST response". ....but what are
> the promiscuous mode enabled and disabled on my NIC? I am not doing
> this, so who or what is doing this. Or better yet, what does this mean?
> I have a fear that this one is serious. So what I need is some
> direction into finding out how this occurs and what I can do to stop it.
>
> thanks,
> Bob

From owner-freebsd-security@FreeBSD.ORG Mon Dec 27 22:31:44 2004
Date: Mon, 27 Dec 2004 15:36:42 -0700 (MST)
From: estover@nativenerds.com
To: freebsd-security@freebsd.org
Subject: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

I think, there is a neat exploit in the phpbb2.0.8 because I found my home
page defaced one dark morning. The patch for phpBB is here.
http://www.phpbb.com/downloads.php

The excerpt of the log is attached.

I believe the link to the described exploit is here.
http://secunia.com/advisories/13239

The defacement braggen page is here filter to show the exploited FreeBSD
machines that aneurysm.inc has defaced
http://www.zone-h.org/en/defacements/filter/filter_defacer=aneurysm.inc/filter_system=FreeBSD/page=1/

From owner-freebsd-security@FreeBSD.ORG Tue Dec 28 01:28:21 2004
Date: Mon, 27 Dec 2004 20:28:15 -0500 (EST)
From: "Jerry Bell"
To: estover@nativenerds.com
Cc: freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

The update for phpbb came out a while ago, and it looks like the ports
were updated on 11/25/2004. Have you tried updating the ports? I think
this is already addressed.

On a side note, I'm surprised you didn't get hit by the worm (unless it
happened before the worm came out). There is a new worm out now that
attacks some weak php programming, though it's not very widespread. See
http://www.syslog.org/Article10.phtml for a little more detail.

I don't know if it's a worm or not, but I'm seeing people trying to attack
my site pretty frequently lately.

Best regards & happy holidays,

Jerry
http://www.syslog.org

> I think, there is a neat exploit in the phpbb2.0.8 because I found my home
> page defaced one dark morning. The patch for phpBB is here.
> http://www.phpbb.com/downloads.php
>
> The excerpt of the log is attached.
>
> I believe the link to the described exploit is here.
> http://secunia.com/advisories/13239
>
> The defacement braggen page is here filter to show the exploited FreeBSD
> machines that aneurysm.inc has defaced
> http://www.zone-h.org/en/defacements/filter/filter_defacer=aneurysm.inc/filter_system=FreeBSD/page=1/

From owner-freebsd-security@FreeBSD.ORG Tue Dec 28 02:06:22 2004
Date: Mon, 27 Dec 2004 21:06:17 -0500
From: "Peter C. Lai"
To: estover@nativenerds.com
Cc: freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

This was added to vuxml on Dec 22 but the vulnerability was discovered on
Nov. 18.

On Mon, Dec 27, 2004 at 03:36:42PM -0700, estover@nativenerds.com wrote:
> I think, there is a neat exploit in the phpbb2.0.8 because I found my home
> page defaced one dark morning. The patch for phpBB is here.
> http://www.phpbb.com/downloads.php
>
> The excerpt of the log is attached.
>
> I believe the link to the described exploit is here.
> http://secunia.com/advisories/13239
>
> The defacement braggen page is here filter to show the exploited FreeBSD
> machines that aneurysm.inc has defaced
> http://www.zone-h.org/en/defacements/filter/filter_defacer=aneurysm.inc/filter_system=FreeBSD/page=1/

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Tue Dec 28 02:31:24 2004
Date: Mon, 27 Dec 2004 19:30:28 -0700
From: Brett Glass
To: "Jerry Bell", estover@nativenerds.com
Cc: freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

The "PHPInclude" worm seeks out sites which are running PHP and tries to
break into them by injecting unexpected data into variables. If those
variables are fed without proper input checking to the include(), require(),
or urldecode() functions within the script, or (worse) treated as UNIX
commands, it is possible to retrieve the contents of sensitive files and/or
execute arbitrary commands on the server.

The same old lesson that seasoned programmers learn just before they get
kicked upstairs into management, and the new young ones don't know yet:
Never trust potentially hostile input. And always use "tainting" or a
similar mechanism if it's available. (What? Don't know about "tainting?"
You must be a C programmer.) ;-)

Also see:

http://www.pcworld.com/news/article/0,aid,119051,00.asp

Interestingly, the worm is written in Perl, not PHP. I know for a fact that
Santy.A, the version that attacked phpBB exclusively, was written in Perl,
because I've captured the source in a honeypot. If it's not exactly the same
code as that displayed at

http://www.k-otik.com/exploits/20041222.sanityworm.pl.php

what I caught is darned similar.

The more generalized script is at

http://www.k-otik.com/exploits/20041225.PhpIncludeWorm.php

--Brett

At 06:28 PM 12/27/2004, Jerry Bell wrote:

>The update for phpbb came out a while ago, and it looks like the ports
>were updated on 11/25/2004. Have you tried updating the ports? I think
>this is already addressed.
>
>On a side note, I'm surprised you didn't get hit by the worm (unless it
>happened before the worm came out). There is a new worm out now that
>attacks some weak php programming, though it's not very widespread. See
>http://www.syslog.org/Article10.phtml for a little more detail.
>
>I don't know if it's a worm or not, but I'm seeing people trying to attack
>my site pretty frequently lately.
>
>Best regards & happy holidays,
>
>Jerry
>http://www.syslog.org

From owner-freebsd-security@FreeBSD.ORG Tue Dec 28 02:18:33 2004
Date: Mon, 27 Dec 2004 18:18:30 -0800
From: Julian Elischer
To: Jerry Bell
Cc: freebsd-security@freebsd.org
Cc: estover@nativenerds.com
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

Jerry Bell wrote:

>The update for phpbb came out a while ago, and it looks like the ports
>were updated on 11/25/2004. Have you tried updating the ports? I think
>this is already addressed.
>
>On a side note, I'm surprised you didn't get hit by the worm (unless it
>happened before the worm came out). There is a new worm out now that
>attacks some weak php programming, though it's not very widespread. See
>http://www.syslog.org/Article10.phtml for a little more detail.
>
>I don't know if it's a worm or not, but I'm seeing people trying to attack
>my site pretty frequently lately.
>
>Best regards & happy holidays,
>
>Jerry
>http://www.syslog.org
>
might be a good idea if we "urged" users to update their phpbb a bit
more vocally.
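
Added example, not part of any message in this thread: the unchecked include()/require() pattern Brett Glass describes earlier in the thread, next to an allowlist-based form that never lets request data choose the file. PAGES, resolve_page(), render_page() and the page file names are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration; not code from phpBB or from any message in this thread.
// PAGES, resolve_page(), render_page() and the page files are hypothetical.

// The vulnerable pattern, shown only as a comment so it is never executed:
//     include $pagesDir . '/' . $_GET['page'] . '.php';
// Here the request, not the script, decides which file PHP loads and runs.

// Fixed map from public page names to files. Anything not listed is refused.
const PAGES = [
    'home' => 'home.php',
    'faq'  => 'faq.php',
];

// Return the absolute path to include for $requested, or null to refuse.
function resolve_page($requested, string $pagesDir): ?string
{
    // Request parameters may arrive as arrays (?page[]=x): accept strings only,
    // and only names that are keys of the allowlist.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // Defence in depth: the file must exist and resolve to a path under
    // $pagesDir, so a symlink placed in that directory cannot redirect it.
    $base = realpath($pagesDir);
    if ($base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $file = realpath($prefix . PAGES[$requested]);
    if ($file === false || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

function render_page($requested, string $pagesDir): string
{
    $file = resolve_page($requested, $pagesDir);
    if ($file === null) {
        return "refused\n";
    }
    ob_start();
    include $file;   // path comes from PAGES, never from the request
    return (string) ob_get_clean();
}

// Constructed demo: a temporary page directory and sample request values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/home.php', '<?php echo "home page\n";');
file_put_contents($dir . '/faq.php', '<?php echo "faq page\n";');

$samples = ['home', 'faq', 'admin', '../../etc/passwd',
            'http://example.invalid/x', ['faq'], ''];
foreach ($samples as $value) {
    $label = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-30s => %s", $label, render_page($value, $dir));
}

// Remove the constructed demo files.
unlink($dir . '/home.php');
unlink($dir . '/faq.php');
rmdir($dir);
```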

From owner-freebsd-security@FreeBSD.ORG Wed Dec 29 13:59:59 2004
Date: Wed, 29 Dec 2004 14:59:25 +0100
From: des@des.no (Dag-Erling Smørgrav)
To: Julian Elischer
Cc: freebsd-security@freebsd.org
Cc: estover@nativenerds.com
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

Julian Elischer writes:
> might be a good idea if we "urged" users to update their phpbb a bit
> more vocally.

...or we could urge them to stop using PHP at all.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Dec 29 14:11:14 2004
Date: Wed, 29 Dec 2004 07:13:09 -0700
From: Sean Countryman
Cc: freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

You could also ask the wind to stop blowing...

Like it or not, PHP is clearly a dominant language and is probably here
to stay for some time. It's definitely better than some other
alternatives (but I'll refrain from flames).

Dag-Erling Smørgrav wrote:

>Julian Elischer writes:
>
>>might be a good idea if we "urged" users to update their phpbb a bit
>>more vocally.
>
>...or we could urge them to stop using PHP at all.
>
>DES

From owner-freebsd-security@FreeBSD.ORG Wed Dec 29 14:30:49 2004
Date: Wed, 29 Dec 2004 09:30:34 -0500 (EST)
From: "Jerry Bell"
To: "Sean Countryman"
Cc: freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

At the end of the day, PHP isn't really the problem. The problem is that
people are not taking the time to learn how to code securely given the
tool they are using.

I do think that PHP has had the effect of lowering the bar on what it
takes to be a "web programmer", though.

Jerry
http://www.syslog.org

> You could also ask the wind to stop blowing...
>
> Like it or not, PHP is clearly a dominant language and is probably here
> to stay for some time. It's definitely better than some other
> alternatives (but I'll refrain from flames).
>
> Dag-Erling Smørgrav wrote:
>
>>Julian Elischer writes:
>>
>>>might be a good idea if we "urged" users to update their phpbb a bit
>>>more vocally.
>>
>>...or we could urge them to stop using PHP at all.
>>
>>DES

From owner-freebsd-security@FreeBSD.ORG Wed Dec 29 17:48:21 2004
Date: Wed, 29 Dec 2004 10:47:33 -0700
From: Brett Glass
To: "Jerry Bell", "Sean Countryman"
Cc: freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

At 07:30 AM 12/29/2004, Jerry Bell wrote:

>At the end of the day, PHP isn't really the problem. The problem is that
>people are not taking the time to learn how to code securely given the
>tool they are using.

In this case, the problem is really not the language but the Web itself.
Preserving the state of an ongoing transaction in a secure and tamper-proof
manner is a thorny problem regardless of language -- and it has gotten
harder because the abuse of cookies to invade privacy has caused so many
people to restrict them or turn them off. Absent a default solution that's
already been honed for security, programmers will tend to cut corners or
will have to learn security basics from scratch -- the hard way.
--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Wed Dec 29 18:53:35 2004
Date: Wed, 29 Dec 2004 13:53:32 -0500
From: "Peter C. Lai"
To: Julian Elischer
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

On Mon, Dec 27, 2004 at 06:18:30PM -0800, Julian Elischer wrote:
> might be a good idea if we "urged" users to update their phpbb a bit
> more vocally.

Or if someone had been vigilant enough to add a vuxml entry about it back
in November. Waiting >30 days to update the database that portaudit uses
is a bit longish, don't you think? The "urging" to which you refer is
already one of the services provided by portaudit.

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Wed Dec 29 18:57:54 2004
Date: Wed, 29 Dec 2004 10:57:48 -0800
From: Kris Kennaway
To: "Peter C. Lai"
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

On Wed, Dec 29, 2004 at 01:53:32PM -0500, Peter C. Lai wrote:
> On Mon, Dec 27, 2004 at 06:18:30PM -0800, Julian Elischer wrote:
> > might be a good idea if we "urged" users to update their phpbb a bit
> > more vocally.
>
> Or if someone had been vigilant enough to add a vuxml entry about it back
> in November. Waiting >30 days to update the database that portaudit uses
> is a bit longish, don't you think? The "urging" to which you refer is
> already one of the services provided by portaudit.

Remember that FreeBSD is supported by the community, so you also could
have submitted the update but didn't.

Kris

From owner-freebsd-security@FreeBSD.ORG Wed Dec 29 19:32:28 2004
Date: Wed, 29 Dec 2004 19:32:26 +0000
From: Josef El-Rayes
To: "Peter C. Lai"
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

"Peter C. Lai":
> On Mon, Dec 27, 2004 at 06:18:30PM -0800, Julian Elischer wrote:
> > might be a good idea if we "urged" users to update their phpbb a bit
> > more vocally.
>
> Or if someone had been vigilant enough to add a vuxml entry about it back
> in November. Waiting >30 days to update the database that portaudit uses
> is a bit longish, don't you think? The "urging" to which you refer is
> already one of the services provided by portaudit.

first of all, if you run a machine you care about, you should think
twice before installing a software which has a bad security track
as phpBB has. secondly, most of the time we do not know security
issue any earlier than they get posted to bugtraq or similar
mailinglists, so why don't you track these lists yourself?
sometimes we are quick on documenting security issues, sometimes we are
not, but instead of complaining you should help out, if you want to improve
this. you can also give me some money as additional motivation, so i don't
need to go working but sit at home and improve this.

greets,
josef

--
Josef El-Rayes                                  (__)
Email: josef@daemon.li                          \\\'',)
Web: http://daemon.li/                          \/ \ ^
FreeBSD Security Team                           .\._/_)

From owner-freebsd-security@FreeBSD.ORG Wed Dec 29 20:51:14 2004
Date: Wed, 29 Dec 2004 12:51:15 -0800
From: Avleen Vig
To: Julian Elischer, freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

> Julian Elischer writes:
> > might be a good idea if we "urged" users to update their phpbb a bit
> > more vocally.

I was under the impression, that upgrading to PHP 4.3.10 would also fix
this, or was that a different issue?

--
Avleen Vig
Systems Administrator
Personal: www.silverwraith.com
EFnet: irc.mindspring.com (Earthlink user access only)

From owner-freebsd-security@FreeBSD.ORG Wed Dec 29 22:23:23 2004
Date: Wed, 29 Dec 2004 14:23:22 -0800
From: cadams@salk.edu
To: freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

On Wed, Dec 29, 2004 at 12:51:15PM -0800, Avleen Vig wrote:
> > Julian Elischer writes:
> > > might be a good idea if we "urged" users to update their phpbb a bit
> > > more vocally.
>
> I was under the impression, that upgrading to PHP 4.3.10 would also fix
> this, or was that a different issue?

There have been multiple issues being attacked: 4.3.10 fixes a problem
where you could exploit code which accepted serialized data structures
directly from clients; most of the problems were caused, however, by a bug
in phpBB which had nothing to do with this.

In either case the problem has very little to do with PHP - it's yet
another case of programmers not sanitizing input from untrusted sources.
Chris

From owner-freebsd-security@FreeBSD.ORG Thu Dec 30 09:14:41 2004
From: Ed Stover
To: freebsd-security@freebsd.org
Date: Thu, 30 Dec 2004 02:14:30 -0700
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

Thanks for all the input guys and gals. didn't mean to start a flame war ;)

On Mon, 2004-12-27 at 15:36 -0700, estover@nativenerds.com wrote:
> I think, there is a neat exploit in the phpbb2.0.8 because I found my
> home page defaced one dark morning. The patch for phpBB is here.
> http://www.phpbb.com/downloads.php
>
> The excerpt of the log is attached.
>
> I believe the link to the described exploit is here.
> http://secunia.com/advisories/13239
>
> The defacement bragging page is here, filtered to show the exploited
> FreeBSD machines that aneurysm.inc has defaced
> http://www.zone-h.org/en/defacements/filter/filter_defacer=aneurysm.inc/filter_system=FreeBSD/page=1/
>

From owner-freebsd-security@FreeBSD.ORG Thu Dec 30 14:01:48 2004
Date: Thu, 30 Dec 2004 22:01:25 +0800
From: Xin LI
To: Josef El-Rayes
X-GPG-key-ID/Fingerprint: 0xCAEEB8C0 / 43B8 B703 B8DD 0231 B333 DC28 39FB 93A0 CAEE B8C0
X-GPG-Public-Key: http://www.delphij.net/delphij.asc
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

On Wed, Dec 29, 2004 at 07:32:26PM +0000, Josef El-Rayes wrote:
> "Peter C. Lai":
> > On Mon, Dec 27, 2004 at 06:18:30PM -0800, Julian Elischer wrote:
> > > might be a good idea if we "urged" users to update their phpbb a bit
> > > more vocally.
> >
> > Or if someone had been vigilant enough to add a vuxml entry about it back
> > in November. Waiting >30 days to update the database that portaudit uses
> > is a bit longish, don't you think? The "urging" to which you refer is
> > already one of the services provided by portaudit.
>
> first of all, if you run a machine you care about, you should think
> twice before installing a software which has a bad security track
> as phpBB has. secondly, most of the time we do not know security
> issue any earlier than they get posted to bugtraq or similar
> mailinglists, so why don't you track these lists yourself?
I always have a headache with the phpBB installation for the FreeBSD
China Community. I personally subscribe to phpBB's CVS commit message
and patch immediately when they have committed something "interesting".

I would admit that it's a bit late for the vuxml chunk to catch up with
this. However, it's a good idea to catch up with every phpbb update,
as almost every update is related to security issues during the last
year[1]...

[1] http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/phpbb/Makefile

Cheers,
--
Xin LI http://www.delphij.net/
See complete headers for GPG key and other information.

From owner-freebsd-security@FreeBSD.ORG Thu Dec 30 14:28:21 2004
Date: Thu, 30 Dec 2004 14:28:20 +0000
From: Josef El-Rayes
To: Xin LI
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

Xin LI:
> I always have a headache with the phpBB installation for the FreeBSD
> China Community. I personally subscribe to phpBB's CVS commit message
> and patch immediately when they have committed something "interesting".
>
> I would admit that it's a bit late for the vuxml chunk to catch up with
> this. However, it's a good idea to catch up with every phpbb update,
> as almost every update is related to security issues during the last
> year[1]...
>
> [1] http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/phpbb/Makefile

it would be nice if maintainers/committers forward such security-related
commits to secteam if they do not want to create a vuxml entry themselves.
i don't feel like tracking mailinglists / cvs repositories of our 12000+
ports and i guess my secteam colleagues don't feel like this either.
greets,
josef

--
Josef El-Rayes                                  (__)
Email: josef@daemon.li                          \\\'',)
Web: http://daemon.li/                          \/ \ ^
FreeBSD Security Team                           .\._/_)

From owner-freebsd-security@FreeBSD.ORG Thu Dec 30 16:08:10 2004
Date: Thu, 30 Dec 2004 08:07:58 -0800 (PST)
From: Roger Marquis
To: freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10

> Julian Elischer writes:
> ...or we could urge them to stop using PHP at all.

If only... but in favor of what, Perl? One nice thing about PHP is
its similarity to Java/JSP. Learn one and you're part way to learning
the other, and JSP really is a web technology the security community
should be encouraging.

> Kris Kennaway wrote:
> Remember that FreeBSD is supported by the community, so you also could
> have submitted the update but didn't.

With all due respect to Kris and his excellent work, shooting the
messenger is probably not the best way to encourage discussion of
substantive issues.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Fri Dec 31 18:31:06 2004
Date: Fri, 31 Dec 2004 12:30:51 -0600
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Reply-To: security-team@FreeBSD.org
Subject: Security Officer-supported branches update

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been
updated to reflect recent EoL (end-of-life) events. The new list is
below and at .

FreeBSD 5.2.1 has `expired' and is no longer supported effective
January 1, 2005. Also note that FreeBSD 4.9 ceased to be supported
on November 1, 2004, while FreeBSD 4.8 will continue to be supported
until March 31, 2005. If you are running FreeBSD 4.9, it is recommended
that you upgrade to FreeBSD 4.10 or to the soon-to-be-released FreeBSD
4.11. If you are running FreeBSD 5.2.1, it is recommended that you
upgrade to FreeBSD 5.3.

[Excerpt from http://www.freebsd.org/security/ follows]

FreeBSD Security Advisories

The FreeBSD Security Officer provides security advisories for several
branches of FreeBSD development. These are the -STABLE Branches and the
Security Branches. (Advisories are not issued for the -CURRENT Branch.)

* There is usually only a single -STABLE branch, although during the
  transition from one major development line to another (such as from
  FreeBSD 4.x to 5.x), there is a time span in which there are two
  -STABLE branches.
  The -STABLE branch tags have names like RELENG_4. The corresponding
  builds have names like FreeBSD 4.10-STABLE.

* Each FreeBSD Release has an associated Security Branch. The Security
  Branch tags have names like RELENG_4_10. The corresponding builds have
  names like FreeBSD 4.10-RELEASE-p5.

Each branch is supported by the Security Officer for a limited time
only, and is designated as one of `Early adopter', `Normal', or
`Extended'. The designation is used as a guideline for determining the
lifetime of the branch as follows.

Early adopter
    Releases which are published from the -CURRENT branch will be
    supported by the Security Officer for a minimum of 6 months after
    the release.

Normal
    Releases which are published from the -STABLE branch will be
    supported by the Security Officer for a minimum of 12 months after
    the release.

Extended
    Selected releases will be supported by the Security Officer for a
    minimum of 24 months after the release.

The current designation and estimated lifetimes of the currently
supported branches are given below. The Estimated EoL (end-of-life)
column gives the earliest date on which that branch is likely to be
dropped. Please note that these dates may be extended into the future,
but only extenuating circumstances would lead to a branch's support
being dropped earlier than the date listed.
+-------------------------------------------------------------------+
|  Branch   |  Release   |  Type  |  Release date  | Estimated EoL  |
|-----------+------------+--------+----------------+----------------|
|RELENG_4   |n/a         |n/a     |n/a             |January 31,2007 |
|-----------+------------+--------+----------------+----------------|
|RELENG_4_8 |4.8-RELEASE |Extended|April 3, 2003   |March 31, 2005  |
|-----------+------------+--------+----------------+----------------|
|RELENG_4_10|4.10-RELEASE|Extended|May 27, 2004    |May 31, 2006    |
|-----------+------------+--------+----------------+----------------|
|RELENG_5   |n/a         |n/a     |n/a             |October 31, 2006|
|-----------+------------+--------+----------------+----------------|
|RELENG_5_3 |5.3-RELEASE |Extended|November 6, 2004|October 31, 2006|
+-------------------------------------------------------------------+

Older releases are not maintained and users are strongly encouraged to
upgrade to one of the supported releases mentioned above.

[End excerpt]

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org
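
Added example, not written by anyone in this thread and not phpBB or PHP code: one way to keep transaction state on the client in the tamper-proof manner Brett Glass describes, while never parsing unauthenticated serialized data from clients, the failure Chris mentions. It is in Python because the problem is not tied to one language; `DEMO_KEY`, `seal_state` and `open_state` are hypothetical names, and the key and sample state are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder key (assumption): a real site loads a long random
# secret from server-side configuration and never sends it to the client.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64e(data: bytes) -> str:
    """URL-safe base64 without padding, suitable for a cookie or hidden field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    """Inverse of b64e; restores the padding that b64e stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal_state(state: dict, key: bytes, now: int, ttl: int = 900) -> str:
    """Return 'payload.tag': JSON state plus expiry, authenticated with HMAC-SHA256."""
    body = json.dumps({"exp": now + ttl, "state": state},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(tag)


def open_state(token, key: bytes, now: int) -> Optional[dict]:
    """Return the state dict, or None if the token is malformed, forged or expired."""
    if not isinstance(token, str):
        return None
    try:
        payload_b64, tag_b64 = token.split(".")
        body = b64d(payload_b64)
        tag = b64d(tag_b64)
    except ValueError:  # wrong number of parts, bad base64, non-ASCII input
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Verify before parsing, in constant time: bytes the server did not
    # produce never reach the decoder.
    if not hmac.compare_digest(tag, expected):
        return None
    # JSON yields only plain data (dicts, lists, strings, numbers), unlike a
    # native object-serialization format.
    envelope = json.loads(body)
    if envelope["exp"] < now:
        return None
    return envelope["state"]


def demo() -> dict:
    """Seal a constructed state, then present it intact, edited and expired."""
    now = 1104330000  # constructed timestamp
    token = seal_state({"user_id": 42, "is_admin": False}, DEMO_KEY, now)
    payload, tag = token.split(".")
    # A client that edits the payload cannot recompute the tag without the key.
    edited = b64d(payload).replace(b'"is_admin":false', b'"is_admin":true')
    return {
        "intact": open_state(token, DEMO_KEY, now + 60),
        "tampered": open_state(b64e(edited) + "." + tag, DEMO_KEY, now + 60),
        "expired": open_state(token, DEMO_KEY, now + 901),
    }


if __name__ == "__main__":
    print(demo())
```

The token is authenticated but not encrypted, so the client can read the state; anything that must stay secret belongs in server-side storage instead.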