chizumatic.mee.nu

May 23, 2008

Exploit?

Here's a curious request I just noticed in my refers:

http://denbeste.nu/join.html?jpage=../../../../../../../../../../../../etc/passwd

I wonder what software or package that's an exploit for? There was only that one attempt, not a series with different numbers of "move up" entries in the path.

Didn't do them any good; there is no "join.html" file in my root directory, so they got my 404 page.

There were two such requests in succession, one from an IP in Beijing and one from Bangkok. (You know? Sometimes I think seriously about blocking 202.*.*.* in my firewall.)

Posted by: Steven Den Beste in Site Stuff at 12:17 AM | Comments (3) | Add Comment
Post contains 90 words, total size 1 kb.

1 One of the nice things about Minx is that the standard exploits just don't work. (Had to nuke a couple of orphan PHP apps on the mu.nu server yesterday...)

Posted by: Pixy Misa at May 23, 2008 06:24 AM (PiXy!)

2 My previous job was with a vulnerability scanner vendor.

I tried looking up exactly which one this is, but I couldn't figure it out rapidly. There are in fact so many directory traversal vulnerabilities that it's hard to narrow it down simply by the URL fragment.

Basically, every web server ever written, every forum program ever written in PHP, and nearly every web app ever written has this directory traversal error in it at one point or another. Very distressing.

(No criticism of mee.nu implied, I'm just making a broad, but quite true, statement. Python at least makes it easier to get right; if you never allow direct file access you have no problem, and if you do need to allow direct file access, using the path modules can help a lot.)

Posted by: Jeremy Bowers at May 23, 2008 07:10 AM (ird9G)

3 I had a directory traversal vulnerability in an early version of Minx, but realised it and did a thorough code review for that.

When I said "standard exploits" I was thinking of scripted exploits, and not the conceptual level. While I think Minx is pretty secure at the conceptual level, I certainly wouldn't claim it's invulnerable. (That would be rather tempting fate...)

Posted by: Pixy Misa at May 23, 2008 07:28 AM (PiXy!)

Hide Comments | Add Comment

Enclose all spoilers in spoiler tags:
[spoiler]your spoiler here[/spoiler]
Spoilers which are not properly tagged will be ruthlessly deleted on sight.
Also, I hate unsolicited suggestions and advice. (Even when you think you're being funny.)

At Chizumatic, we take pride in being incomplete, incorrect, inconsistent, and unfair. We do all of them deliberately.

How to put links in your comment

Comments are disabled. Post is locked.

6kb generated in CPU 0.014, elapsed 0.0254 seconds.
20 queries taking 0.0165 seconds, 20 records returned.
Powered by Minx 1.1.6c-pink.