06.06.2013, 10:14   #4
d0znpp
 
Registered: 09.09.2010
Posts: 484
Reputation: 252

This looks like a fake.
It's especially odd that they say nothing about versions; as I understand it, everyone is on nginx these days anyway)

The key is here:
Quote:
If the server in question runs an OS where php executes as a cgi by
default instead of as an apache module, AND either the OS vendor has not
released a patched php-cgi for cve-2012-1823 or the server owner is not up
to date on their patches
Whoever tests it, please report back; so far I'm getting nothing at all.

http://seclists.org/fulldisclosure/2013/Jun/25
Quote:
I know my situation was very weird, so I'm just theorizing now, but I'm
kind of thinking at this point that perhaps the exploit only works in the
following specific situations:

1) If the server in question runs an OS where php executes as a cgi by
default instead of as an apache module, AND either the OS vendor has not
released a patched php-cgi for cve-2012-1823 or the server owner is not up
to date on their patches. My example of just copying the OS php-cgi over
top of the one that had been in use on the single instance resolved it, so
that's what led me to that conclusion. I do not know which
Plesk-supported OS's run php as a cgi by default.

2) If the server in question runs Plesk 9, AND the server admin or site
owner has set php to run as a cgi, AND the php-cgi has not been patched for
cve-2012-1823.

In CentOS/RHEL, if you install httpd and mod_php, the default config is to
run it as an apache module and this exploit did not work in those
situations; same with Plesk 9. I also attempted to set php to run as a cgi
on a few sites on Plesk 9 on CentOS 5 and the exploit did not work, but all
of the CentOS 5 servers I have access to have their php rpm up to date
which means it is patched for cve-2012-1823. CentOS 4 was never php 5 so
it was not vulnerable to cve-2012-1823 to begin with and Plesk 8 and Plesk
9 on that platform don't seem to be vulnerable.

If someone has an out of date copy of CentOS 5 running Plesk 9, it would be
interesting to set a site to run php as a cgi and then hit it with the
script to see if the exploit works. If it does, then it's the
cve-2012-1823 issue and just unpatched servers causing the problem, but
only when the exploit hits a website that has php set to run as a cgi, or
the OS runs it as a cgi by default (don't know which ones do that).
__________________
The Sucks Origin Policy

Last edited by d0znpp; 06.06.2013 at 10:22.