[Wolves] An ode to all those who spoke ill of PHP last night...
sparkes
sparkes at westmids.biz
Thu Dec 18 17:33:16 GMT 2003
On Thu, 2003-12-18 at 15:40, David Goodwin wrote:
> ah. well that's one good thing. I didn't expect the same scripts to be
> used on multiple seperate machines...
it was probably some homebrew cms with dodgy admin controls allowing
bogus users to add images , then fail to check that they are images,
then allow the user to change the permisions on the file and execute
it.
just the sort of run of the mill bug most web apps suffer from if you
look hard enough and combine multiple vunerbilities. It's not really
that surprising that they used the same codebase across multiple servers
I can thing of 10+ commercial sites right now running insecure forums or
e-commerce systems. If I paid more attention and looked I think this
kind of multicrack would be a piece of the proverbial to pull off.
osCommerce(several exploits), ezContent, WebartFactory, Aardvark
topsites, DUWare (whole product range!), Invision Power top site,
Invision Power Board, CGINews annnnnnndddd CGIForum are the web apps
that have bugs discovered since Monday. Why do we think that nasa write
better code? their failure rate on shuttles (where human life is at
risk) would be unacceptable for many control system software systems.
sparkes
More information about the Wolves
mailing list