[dokuwiki] Re: Strange attack on the wiki

  • From: Burton Rosenberg <burt@xxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 8 Sep 2006 22:30:58 -0400

The response to this was swift. But I think maybe more needs be done.

.htaccess is used in many directories (inc/lang, for instance), but not all.

Could all directories be so secured? (1) it is good security practice to lower your profile. expose only
what's needed and (2) do developers have to think through the consequences of exposing any
script in, say, inc/, to the web?


For instance:

[burt@sherman ~]$ curl http://wiki.cs.miami.edu/pages/lib/tpl/default/main.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang=""
lang="" dir="">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title><br />
<b>Fatal error</b>: Call to undefined function tpl_pagetitle() in <b>/exp/local/www/data/dokuwiki/lib/tpl/default/main.php</b> on line <b>21</b><br />
[burt@sherman ~]$


Ok, it died, but it did run. It's iffy. Here are some more experiments, to test vulnerability and the fix:

[burt@sherman ~]$ curl http://wiki.cs.miami.edu/pages/bin/indexer.php
#!/usr/local/bin/php
Searching pages... 17 pages found.

After securing bin with .htaccess:

[burt@sherman ~]$ curl http://wiki.cs.miami.edu/pages/bin/indexer.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /pages/bin/indexer.php
on this server.</p>
</body></html>

On Sep 8, 2006, at 6:35 PM, Harry Fuecks wrote:

OK - have updated the wiki:install page with a "Step 2" on security
(http://wiki.splitbrain.org/wiki:install) which links across to the
wiki:security (http://wiki.splitbrain.org/wiki:security) page, where
I've added a note on the bin directory.

On 9/9/06, Harry Fuecks <hfuecks@xxxxxxxxx> wrote:
Probably the quickest and safest fix is simply to delete the bin
sub-directory. The scripts in there are meant for command line use and
(as far as I know) are not used by any other part of Dokuwiki - i.e.
deleting it shouldn't break your wiki and if you don't know what
they're for, you don't need them.


Have to take my share of blame - dwpage.php is code I wrote - had
never occurred to me that someone would place it publicly under
their document root, given it's a command line script meant for
administrators only, with shell access to the server. A check at the
start, using php_sapi_name() for the CLI sapi would have prevented
this.

On 9/8/06, Terence J. Grant <tjgrant@xxxxxxxxxxxx> wrote:
> Hi Oliver, et al... (perhaps Andi)
>
> I realize there is panic mode right now, so don't see this as any kind
> of immediate request...
>
> I am not (and I'm sure this is the case for others) horribly confident
> beyond the .htaccess fix on how exactly to change(or check) the
> register_argc_argv, and really the configuration of php safe_mode, php
> base_opendir and things of that nature.
>
> So if all of this is required, Oliver, if you or someone knowledgeable
> could post a wiki:tip for this, it might help...
>
> This is just partially due to inexperience with apache as well as not
> being able to self host.
>
> And again I realize this is non-finalized; some things like this might
> not be necessary-- but if they are, please keep the above in mind.
>
> --
> --Terence J. Grant(tjgrant@xxxxxxxxxxxx)
> --
> DokuWiki mailing list - more info at
> http://wiki.splitbrain.org/wiki:mailinglist
>


--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
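The SAPI check Harry describes above, written out as an added example (this is not DokuWiki's own code, and the file layout it assumes, a maintenance script under bin/ that is run as `php bin/indexer.php`, is an assumption). The guard refuses to do any work unless PHP is running under the command-line SAPI, so a copy of the script that ends up under the web document root answers a browser with a 403 instead of executing:

```php
<?php
// Added example, not part of DokuWiki: guard a command-line maintenance
// script so that it refuses to run when reached through a web server.
// Assumed layout: this file lives in bin/ and is invoked as `php bin/indexer.php`.

declare(strict_types=1);

/**
 * True when PHP is running under the command-line SAPI.
 * php_sapi_name() returns "cli" for the php binary and values such as
 * "apache2handler", "cgi-fcgi" or "fpm-fcgi" when a web server ran the script.
 */
function running_from_cli(): bool
{
    return php_sapi_name() === 'cli';
}

/**
 * Abort with a 403 when the script was not started from a shell.
 * Nothing has been sent to the client yet, so header() is still allowed.
 * Exit status 1 tells any wrapper script that the run failed.
 */
function require_cli(): void
{
    if (running_from_cli()) {
        return;
    }
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain; charset=utf-8');
    echo "This script is for command-line use only.\n";
    exit(1);
}

require_cli();

// Past this point we know the caller is a shell user with access to the
// server, not an anonymous browser. The indexing work itself is represented
// by a constructed placeholder here.
echo "Searching pages...\n";
```

This complements rather than replaces the .htaccess fix shown earlier in the thread: the directory-level deny stops the request before PHP starts, while the in-script check still holds on hosts where .htaccess files are ignored (AllowOverride None) or where the bin/ directory was copied somewhere else under the document root.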