Re: ANNOUNCE: Dinner tonight (5/8)
|
>
> >>>>> "SH" == Simply Hao <hao@netaxs.com> writes:
> >> apache.org was hacked; here's how.
> SH> So is that particular hole in Bugzilla fixed now?
>
> I believe it was a mysql ``feature''.
>
> Bugzilla came into play because the people who configured it (the
> apache.org install), improperly configured mysql for bugzilla,
> granting the bugzilla user permissions it didn't actually need.
According to http://www.dataloss.net/papers/how.defaced.apache.org.txt,
the crack was enabled due to configuration errors *alone*.
- apache was configured to have ftproot == wwwroot
- php3 was configured to execute passthrough commands
  (could have been done with a simple untainted Perl script using `` or
  system())
- mysql was running as root (it shouldn't have been)
Z.
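As an added example (not from the dataloss write-up, the apache.org configuration, or the poster), here is a small audit script for the three configuration errors listed above. Every input in it is constructed: the paths, the php.ini lines and the `ps aux` listing are samples embedded in the script so that it runs offline; on a real host you would point the functions at the live httpd.conf, php.ini and process table. PHP 3 had no disable_functions directive, so the second check is written against the php.ini of later PHP versions and asks whether the same class of shell-execution functions (passthru, system, exec and friends) is disabled. The function names, the sample hostnames and the `user=mysql` suggestion are assumptions of this example.

```shell
#!/bin/sh
# Added audit script (not from the dataloss write-up or apache.org's own
# configuration): checks a host for the three misconfigurations named above.
# All inputs below are constructed samples so the script runs offline.

# 1. FTP upload tree overlapping the web DocumentRoot.
# Returns 0 (true) when one path contains the other. Trailing slashes are
# stripped and one is re-added so that /var/www does not match /var/www2.
ftp_overlaps_docroot() {   # $1 = ftp root, $2 = DocumentRoot
    ftp=${1%/}; doc=${2%/}
    case "$ftp/" in "$doc/"*) return 0 ;; esac   # ftp root is docroot or below it
    case "$doc/" in "$ftp/"*) return 0 ;; esac   # docroot is inside the ftp tree
    return 1
}

# 2. PHP shell-execution functions left enabled.
# PHP 3 had no disable_functions directive; this reads the php.ini of later
# versions and returns 0 only if every function in the list is disabled.
php_exec_disabled() {      # $1 = php.ini path
    line=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    line=$(printf '%s' "$line" | tr -d ' \t')
    for fn in exec passthru system shell_exec popen proc_open; do
        case ",$line," in *",$fn,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# 3. mysqld owned by root.
# Returns 0 when a `ps aux`-style listing ($1) shows a mysqld process whose
# USER column is root; COMMAND is field 11 in that format.
mysqld_runs_as_root() {    # $1 = file holding ps output
    awk '$1 == "root" && $11 ~ /mysqld$/ { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Run all three checks, print one line per finding, and return the number of
# findings (0 means the host passed).
audit_host() {             # $1 = ftp root, $2 = DocumentRoot, $3 = php.ini, $4 = ps listing
    findings=0
    if ftp_overlaps_docroot "$1" "$2"; then
        echo "FAIL: ftp root $1 overlaps DocumentRoot $2 (uploads become web content)"
        findings=$((findings + 1))
    fi
    if ! php_exec_disabled "$3"; then
        echo "FAIL: $3 leaves exec/passthru/system enabled"
        findings=$((findings + 1))
    fi
    if mysqld_runs_as_root "$4"; then
        echo "FAIL: mysqld is running as root (start it with user=mysql)"
        findings=$((findings + 1))
    fi
    return $findings
}

# --- constructed sample inputs (not captured from any real host) ----------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# php.ini on a box that disabled nothing, and a hardened one:
printf 'disable_functions =\n' > "$tmp/php-weak.ini"
printf 'disable_functions = exec, passthru, system, shell_exec, popen, proc_open\n' > "$tmp/php-hard.ini"

# ps listing for a host whose mysqld runs as root:
cat > "$tmp/ps-weak.txt" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       101  0.0  0.1   1200   600 ?        S    May08   0:00 /usr/sbin/inetd
root       233  0.2  3.4  20480  8700 ?        S    May08   1:12 /usr/local/libexec/mysqld
nobody     410  0.0  0.8   5200  2100 ?        S    May08   0:03 /usr/local/sbin/httpd
EOF
# the same host after moving mysqld to its own account:
sed 's/^root\(.*mysqld\)$/mysql\1/' "$tmp/ps-weak.txt" > "$tmp/ps-hard.txt"

echo "== weak host (ftproot == wwwroot, exec enabled, mysqld as root) =="
n=0; audit_host /home/ftp/pub /home/ftp/pub "$tmp/php-weak.ini" "$tmp/ps-weak.txt" || n=$?
echo "findings: $n"
echo "== hardened host =="
n=0; audit_host /var/ftp /var/www "$tmp/php-hard.ini" "$tmp/ps-hard.txt" || n=$?
echo "findings: $n"
```

The FTP check deliberately treats an upload directory anywhere under the DocumentRoot as an overlap, not just exact equality, since a writable subdirectory of the web tree is enough to turn an upload into executable web content.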
**Majordomo list services provided by PANIX <URL:http://www.panix.com>**
**To Unsubscribe, send "unsubscribe phl" to majordomo@lists.pm.org**