From: Daniel Berlin
To: overseers@sources.redhat.com
Subject: Security problem in package-cat.cgi (Sigh, damn russians)
Date: Mon, 12 Jul 2004 16:23:00 -0000
X-SW-Source: 2004-q3/txt/msg00025.txt.bz2

Someone in the .ru domain used a package-cat.cgi script to remotely dump the bug database to a file and tried to download it, probably looking for passwords:

    |
    |-httpd
    |   |
    |   `-package-cat.cgi /var/www/sourceware/htdocs/cygwin/cgi-bin2/package-cat.cgi
    |       |
    |       `-sh -c mysqldump\040-uroot\040bugs\040>/tmp/session
    |           |
    |           `-mysqldump -uroot bugs

This dump file was about 400 meg. No clue if they got the whole thing. It's doubtful they were on a fast enough connection, or else they wouldn't have kept trying to redo it each time we deleted the file. Since the dump starts with the attachments database for bugzilla, which is a couple hundred meg, they probably just have a bunch of compressed, preprocessed source code that makes the compiler crash :).

However, even if they did get passwords, Bugzilla passwords are crypt(3)'d using an 8 character random salt (let's hear it for good coding!):

    # @saltchars is defined elsewhere in Bugzilla and was not quoted in
    # this message; it holds the 64 characters crypt(3) accepts in a salt.
    my @saltchars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

    # Generate the salt. We use an 8 character (48 bit) salt for maximum
    # security on systems whose crypt uses MD5. Systems with older
    # versions of crypt will just use the first two characters of the salt.
    my $salt = '';
    for ( my $i=0 ; $i < 8 ; ++$i ) {
        $salt .= $saltchars[rand(64)];
    }

However, so that this doesn't happen again *anyway*, I've added a local user password to the mysql database (it used to be anyone with shell access could access the db), and fche blackholed these lusers.

Even so, I would strongly advise someone fix or remove the package-cat.cgi script so that this can't happen again. fgrep the logs for 194.226.227.5 for other things they tried to do.

    194.226.227.5 - - [12/Jul/2004:15:56:14 +0000] "GET /cgi-bin2/package-cat.cgi?file=|ls%20-la%20../..| HTTP/1.0" 200 9023 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2)"
    cygwin-combined_log:194.226.227.5 - - [12/Jul/2004:14:50:29 +0000] "GET /cgi-bin2/package-cat.cgi?file=../../../../../../../../../../etc/passwd%00&grep=p HTTP/1

--Dan
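A log check for the request patterns quoted in the message, as an added example that is not part of the original mail or of the sourceware scripts. The sample lines are constructed from the two entries quoted above plus one benign request; the check names and the 10.0.0.1 client are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in Apache combined-log format: the first two lines are
# modelled on the entries quoted in the message, the third is a benign request.
SAMPLE_LOG = """\
194.226.227.5 - - [12/Jul/2004:15:56:14 +0000] "GET /cgi-bin2/package-cat.cgi?file=|ls%20-la%20../..| HTTP/1.0" 200 9023 "-" "Mozilla/4.0"
194.226.227.5 - - [12/Jul/2004:14:50:29 +0000] "GET /cgi-bin2/package-cat.cgi?file=../../../../../../../../../../etc/passwd%00&grep=p HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.1 - - [12/Jul/2004:14:51:00 +0000] "GET /cgi-bin2/package-cat.cgi?file=setup.ini HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""

# Combined log: client, ident, user, [timestamp], "method target protocol", status, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# What each quoted request relied on when a Perl CGI hands a parameter to
# open(): a leading or trailing "|" turns a 2-arg open() into a shell pipeline,
# "../" walks out of the intended directory, and a NUL byte truncates the
# filename at the C level.  (Assumed checks, not code from package-cat.cgi.)
CHECKS = {
    "shell-pipe": lambda v: v.startswith("|") or v.endswith("|"),
    "traversal":  lambda v: "../" in v,
    "null-byte":  lambda v: "\x00" in v,
}

def suspicious_params(target):
    """Return {param: [finding, ...]} for the decoded query string of a request target."""
    findings = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits = [tag for tag, check in CHECKS.items() if check(value)]
        if hits:
            findings[name] = hits
    return findings

def scan_log(text):
    """Return (client, status, findings) for every line that trips a check."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits = suspicious_params(m["target"])
            if hits:
                out.append((m["client"], int(m["status"]), hits))
    return out

if __name__ == "__main__":
    for client, status, hits in scan_log(SAMPLE_LOG):
        print(client, status, hits)
```

A 200 status on a flagged line, as in both quoted entries, means the script served the request rather than rejecting it.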