Re: wiki.debian.org security breach URLs
On Sat, Jan 5, 2013 at 6:24 AM, Simon L. B. Nielsen wrote:
> Could you tell me which URLs you looked for in your logs to determine
> the moinmoin security issues were exploited?
>
> FreeBSD.org is also running moinmoin, so I need to determine if it has
> been compromised, and would be simpler if I don't have to find out how
> the draw extensions work :-).
If you have a moinexec.py file in your plugin directories, your server
has probably been compromised.
This is what the initial backdoor injection looks like:
GET /?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py
POST /?action=twikidraw&do=save&ticket=<snip>&target=../../../plugin/action/moinexec.py HTTP/1.1
This is what using the backdoor looks like:
GET /?action=moinexec&c=uname%20-ar
We got caught out by this because the plugin directories were
modifiable by the moin WSGI processes. We've now fixed this by having
these directories owned by a different user and moin running as a less
privileged user. Other wikis have been hit by this too, so you might
want to check the permissions on the plugins directory.
--
bye,
pabs
http://wiki.debian.org/PaulWise
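As an added example (not part of the mail or of MoinMoin), here is a Python script that applies the two indicators above to constructed access-log lines and includes a permission check along the lines of the fix described; the log format, client addresses and uid/gid values are assumptions.

```python
import re
import stat
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines modelled on the two requests quoted in the
# mail; client addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2013:06:01:12 +0000] "GET /?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py HTTP/1.1" 200 512
203.0.113.7 - - [05/Jan/2013:06:01:13 +0000] "POST /?action=twikidraw&do=save&ticket=abc123&target=../../../plugin/action/moinexec.py HTTP/1.1" 200 128
203.0.113.7 - - [05/Jan/2013:06:02:40 +0000] "GET /?action=moinexec&c=uname%20-ar HTTP/1.1" 200 77
198.51.100.2 - - [05/Jan/2013:06:03:01 +0000] "GET /FrontPage?action=twikidraw&do=modify&target=diagram HTTP/1.1" 200 4096
198.51.100.2 - - [05/Jan/2013:06:03:05 +0000] "GET /FrontPage?action=show HTTP/1.1" 200 2048
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def classify(uri):
    """Return why a request URI is suspicious, or None if it matches neither pattern."""
    qs = parse_qs(urlsplit(uri).query)  # parse_qs also percent-decodes values
    action = qs.get("action", [""])[0]
    if action == "moinexec":  # the planted action being invoked (backdoor use)
        return "moinexec called: c=%s" % qs.get("c", [""])[0]
    if action == "twikidraw":  # the draw action told to write outside its directory
        target = qs.get("target", [""])[0]
        # a legitimate drawing target is a bare name; traversal or a .py name is not
        if ".." in PurePosixPath(target).parts or target.endswith(".py"):
            return "twikidraw target escapes drawing dir: %s" % target
    return None

def scan_log(text):
    """Return (client, method, uri, reason) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        reason = classify(m.group("uri")) if m else None
        if reason:
            hits.append((line.split()[0], m.group("method"), m.group("uri"), reason))
    return hits

def plugin_dir_writable_by_moin(st_mode, st_uid, st_gid, moin_uid, moin_gids):
    """Permission check matching the fix in the mail: given a plugin directory's
    stat() fields, can the moin process write into it? Ownership counts, since
    the owner can always chmod the directory back to writable."""
    if st_uid == moin_uid or st_mode & stat.S_IWOTH:
        return True
    return st_gid in moin_gids and bool(st_mode & stat.S_IWGRP)
```

Run scan_log over a real access log and feed os.stat() results of each plugin directory to plugin_dir_writable_by_moin; any hit from either is worth a closer look.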