Nicolai Rosen on Mon, 8 May 2000 18:09:37 -0400 (EDT)



Re: ANNOUNCE: Dinner tonight (5/8)


On Mon, 8 May 2000 ziggy@panix.com wrote:
> > 
> > >>>>> "SH" == Simply Hao <hao@netaxs.com> writes:
> > >> apache.org was hacked; here's how.
> > SH> So is that particular hole in Bugzilla fixed now?
> > 
> > I believe it was a mysql ``feature''.
> > 
> > Bugzilla came into play because the people who configured it (the
> > apache.org install), improperly configured mysql for bugzilla,
> > granting the bugzilla user permissions it didn't actually need.
> 
> According to http://www.dataloss.net/papers/how.defaced.apache.org.txt,
> the crack was enabled due to configuration errors *alone*.
> 
> - apache was configured to have ftproot == wwwroot
> - php3 was configured to execute passthrough commands
>   (could have been done with a simple untainted Perl script using `` or
>    system())
> - mysql was running as root (it shouldn't have been)
> 
> Z.

Although, I've gotta say that it's pretty moronic to make a program that
stores the master password in plain text.

Nicolai Rosen
nick@netaxs.com
Earthstation/Netaxs
http://laktar.dyndns.org/
http://www.netaxs.com/~nick/
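The three configuration errors Z. lists above (FTP root overlapping the web root, PHP allowed to spawn shell commands, and the database server running as root) are each easy to check for on a host. Below is an added audit script written for this archive page; it is not code from the thread, from apache.org or from the dataloss.net write-up. It works on constructed sample inputs embedded in the file: a php.ini fragment, a `ps -eo user,comm` style process listing, and the two directory paths. The list of shell-spawning PHP functions is an assumption drawn from common hardening practice, not something the thread states.

```python
"""
Audit for the three misconfigurations named in the thread:
  1. FTP root equal to (or overlapping) the web document root
  2. PHP permitted to run passthrough/shell commands
  3. mysqld running as root
All sample inputs below are constructed for this example.
"""

# Assumption: these are the PHP functions that hand a script a shell.
# The thread only names "passthrough commands"; the rest are added here.
SHELL_FUNCTIONS = {"passthru", "system", "exec", "shell_exec", "popen", "proc_open"}


def php_shell_functions_enabled(php_ini_text):
    """Return the shell-spawning functions that php.ini does NOT disable."""
    disabled = set()
    for line in php_ini_text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:  # comment or non-setting
            continue
        key, _, value = line.partition("=")
        if key.strip() == "disable_functions":
            disabled.update(f.strip() for f in value.split(",") if f.strip())
    return SHELL_FUNCTIONS - disabled


def mysqld_runs_as_root(ps_output):
    """True if a mysqld process appears under user root in a 'USER COMMAND' listing."""
    for line in ps_output.splitlines()[1:]:  # first line is the ps header
        parts = line.split()
        if len(parts) >= 2 and parts[1].endswith("mysqld") and parts[0] == "root":
            return True
    return False


def ftp_root_overlaps_wwwroot(ftp_root, www_root):
    """True if either directory is the other or lies inside it, i.e. an FTP
    upload can land somewhere the web server will serve or execute it."""
    ftp = ftp_root.rstrip("/") + "/"
    www = www_root.rstrip("/") + "/"
    return www.startswith(ftp) or ftp.startswith(www)


def audit(php_ini_text, ps_output, ftp_root, www_root):
    """Run all three checks; return a list of human-readable findings (empty = clean)."""
    findings = []
    if ftp_root_overlaps_wwwroot(ftp_root, www_root):
        findings.append("FTP root %s overlaps web root %s" % (ftp_root, www_root))
    enabled = php_shell_functions_enabled(php_ini_text)
    if enabled:
        findings.append("PHP shell functions not disabled: " + ", ".join(sorted(enabled)))
    if mysqld_runs_as_root(ps_output):
        findings.append("mysqld is running as root")
    return findings


# --- constructed sample inputs ---------------------------------------------
VULNERABLE_PHP_INI = """; constructed php.ini fragment
safe_mode = Off
disable_functions =
"""
HARDENED_PHP_INI = """; constructed php.ini fragment
disable_functions = passthru,system,exec,shell_exec,popen,proc_open
"""
PS_VULNERABLE = """USER     COMMAND
root     mysqld
www      httpd
"""
PS_OK = """USER     COMMAND
mysql    mysqld
www      httpd
"""

if __name__ == "__main__":
    for label, ini, ps, ftp, www in [
        ("as described in the thread", VULNERABLE_PHP_INI, PS_VULNERABLE, "/var/www", "/var/www"),
        ("hardened", HARDENED_PHP_INI, PS_OK, "/home/ftp", "/var/www"),
    ]:
        print(label + ":")
        for f in audit(ini, ps, ftp, www) or ["no findings"]:
            print("  - " + f)
```

On a real box you would feed `php_shell_functions_enabled` the output of `php --ini` or the live php.ini, `mysqld_runs_as_root` the output of `ps -eo user,comm`, and the roots from your FTP daemon's and httpd's configuration; the overlap check deliberately flags containment in either direction, since an FTP root inside the web tree is just as bad as one that equals it.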


**Majordomo list services provided by PANIX <URL:http://www.panix.com>**
**To Unsubscribe, send "unsubscribe phl" to majordomo@lists.pm.org**