[Lazarus] Lazarus Forum seems to be hacked!
waldo kitty
wkitty42 at windstream.net
Thu Jan 28 23:17:59 CET 2010
On 1/28/2010 02:55, Matt Shaffer wrote:
> Right, but what I meant was if someone manages to upload their own PHP
> file to the lazarus server, they can easily have uploaded a PHP file
> manager which has the capability of deleting files, etc, without ever
> needing ssh/ftp (this assumes the attack was done through a vulnerable
> piece of software, that had write permissions, etc.)
>
> I don't think this scenario is extremely likely.
What is there to upload? All it takes is a var that is not properly sanitized
that references a shell script on another site which then executes in the
context of the server with the bad code... this is all too common an occurrence
as my IDS shows on my practically invisible site... this isn't SQL injection or
anything like that but simply stuffing a POST or GET var with something like
"hxxp://bad.domain.tld/shell_script" and having the code actually get it and
execute it...
Proper sanitizing of ALL vars, whether user input or "hidden", must be done in
any web application to ensure that what is being received is valid for the
application...
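The pattern described above (a GET/POST var that ends up in an include and pulls remote code) beside a form that validates the var against what the application actually accepts, as an added example that is not code from the Lazarus site or from anyone in this thread. The parameter name "page" and the page list are assumptions for illustration.

```php
<?php
// Added example; not the Lazarus site's code. The "page" parameter and
// the three page files are constructed for illustration.

// VULNERABLE: the raw var is used to build an include path. If the PHP
// setting allow_url_include is On, a value such as
// "hxxp://bad.domain.tld/shell_script" makes PHP fetch and run remote
// code with the web server's privileges, which is what the post describes.
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    include $page . '.php';
}

// HARDENED: the var is only a key into an allowlist of known pages. It is
// never treated as a path or URL, so nothing outside the list can load.
const ALLOWED_PAGES = [
    'home'     => __DIR__ . '/pages/home.php',
    'download' => __DIR__ . '/pages/download.php',
    'docs'     => __DIR__ . '/pages/docs.php',
];

function resolve_page(array $get): ?string
{
    $page = $get['page'] ?? 'home';
    // Exact-match lookup only; no string building from user data.
    if (!is_string($page) || !array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    return ALLOWED_PAGES[$page];
}

function render_page_hardened(array $get): void
{
    $path = resolve_page($get);
    if ($path === null) {
        http_response_code(400);   // reject and log rather than guess
        error_log('rejected page parameter: ' . var_export($get['page'] ?? null, true));
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Defence in depth, independent of application code, in php.ini:
//   allow_url_include = Off   ; default Off since PHP 5.2
//   allow_url_fopen   = Off   ; only if the app never needs remote fopen()

// Constructed inputs: a legitimate request, and the pattern from the post,
// which must not resolve to any file.
resolve_page(['page' => 'docs']);
resolve_page(['page' => 'hxxp://bad.domain.tld/shell_script']);
```

The same allowlist approach applies to "hidden" form fields, since they are sent by the client and are just as untrusted as visible input.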