[Lazarus] Lazarus Forum seems to be hacked!

waldo kitty wkitty42 at windstream.net
Thu Jan 28 23:17:59 CET 2010

On 1/28/2010 02:55, Matt Shaffer wrote:
> Right, but what I meant was if someone manages to upload their own PHP
> file to the lazarus server, they can easily have uploaded a PHP file
> manager which has the capability of deleting files, etc, without ever
> needing ssh/ftp (this assumes the attack was done through a vulnerable
> piece of software, that had write permissions, etc.)
> I don't think this scenario is extremely likely.

what is there to upload? all it takes is a var that is not properly sanitized 
that references a shell script on another site which then executes in the 
context of the server with the bad code... this is all too common an occurrence 
as my IDS shows on my practically invisible site... this isn't sql injection or 
anything like that but simply stuffing a POST or GET var with something like 
"hxxp://bad.domain.tld/shell_script" and having the code actually get it and 
execute it...

proper sanitizing of ALL vars, whether user input or "hidden" must be done in 
any web application to ensure that what is being received is valid for the 

More information about the Lazarus mailing list