ziggy on Mon, 8 May 2000 18:06:15 -0400 (EDT)



Re: ANNOUNCE: Dinner tonight (5/8)


> 
> >>>>> "SH" == Simply Hao <hao@netaxs.com> writes:
> >> apache.org was hacked; here's how.
> SH> So is that particular hole in Bugzilla fixed now?
> 
> I believe it was a mysql ``feature''.
> 
> Bugzilla came into play because the people who configured it (the
> apache.org install) improperly configured mysql for bugzilla,
> granting the bugzilla user permissions it didn't actually need.

According to http://www.dataloss.net/papers/how.defaced.apache.org.txt,
the crack was enabled due to configuration errors *alone*.

- apache was configured to have ftproot == wwwroot
- php3 was configured to execute passthrough commands
  (could have been done with a simple untainted Perl script using `` or
   system())
- mysql was running as root (it shouldn't have been)

Z.
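As an added defender's example (not part of the original thread), a small Python audit that flags the three configuration errors listed above from constructed Apache, ftpd, php.ini and `ps aux` snippets. The vsftpd-style `anon_root` key, the use of php.ini's `disable_functions` as the modern control for shell-capable PHP functions, and all sample inputs are assumptions:

```python
import os
import re

# PHP functions that let a page run shell commands; php.ini's
# "disable_functions" directive is the modern way to switch them off.
SHELL_FUNCS = {"system", "passthru", "exec", "shell_exec", "popen", "proc_open"}


def _norm(path):
    return os.path.normpath(path.rstrip("/")) if path else ""


def audit(apache_conf, ftpd_conf, php_ini, ps_output):
    """Return finding strings; empty list means none of the three errors found."""
    findings = []

    # 1. ftproot == wwwroot: anything uploaded by FTP is served by the web server.
    doc = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', apache_conf, re.M)
    ftp = re.search(r'^\s*anon_root\s*=\s*(\S+)', ftpd_conf, re.M)  # assumed vsftpd key
    if doc and ftp and _norm(doc.group(1)) == _norm(ftp.group(1)):
        findings.append("ftp root equals web DocumentRoot: " + _norm(doc.group(1)))

    # 2. PHP allowed to pass commands through to a shell.
    m = re.search(r'^\s*disable_functions\s*=\s*(.*)$', php_ini, re.M)
    disabled = {f.strip() for f in m.group(1).split(",")} if m else set()
    still_enabled = sorted(SHELL_FUNCS - disabled)
    if still_enabled:
        findings.append("shell-capable PHP functions enabled: " + ", ".join(still_enabled))

    # 3. mysqld running as root: `ps aux` puts USER in column 0, COMMAND in column 10.
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) > 10 and cols[0] == "root" and os.path.basename(cols[10]) == "mysqld":
            findings.append("mysqld running as root (pid %s)" % cols[1])
    return findings


# Constructed sample inputs: one host with all three errors, one corrected.
BAD_APACHE, GOOD_APACHE = 'DocumentRoot "/home/ftp/pub"\n', 'DocumentRoot "/var/www/html"\n'
BAD_FTPD = GOOD_FTPD = "anon_root=/home/ftp/pub/\n"
BAD_PHP = "; no disable_functions set\n"
GOOD_PHP = "disable_functions = system,passthru,exec,shell_exec,popen,proc_open\n"
PS_HEADER = "USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\n"
BAD_PS = PS_HEADER + "root 812 0.0 1.2 12000 4000 ? S May08 0:01 /usr/sbin/mysqld\n"
GOOD_PS = PS_HEADER + "mysql 812 0.0 1.2 12000 4000 ? S May08 0:01 /usr/sbin/mysqld\n"

if __name__ == "__main__":
    for f in audit(BAD_APACHE, BAD_FTPD, BAD_PHP, BAD_PS):
        print("FINDING:", f)
```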
