[PLUG] libgd, php website hack, etc.

Ronald Chmara ronabop at gmail.com
Sun Mar 27 07:21:13 UTC 2011


On Sat, Mar 26, 2011 at 9:36 PM, Joe Shisei Niski
<joeniski at easystreet.net> wrote:
> On 03/26/2011 07:39 PM, Keith Lofstrom wrote:
>> PHP, the public
>> bathhouse orgy of programming languages
> that's the funniest (and most apt) description of PHP I've ever seen.
> Thanks for the laugh!

It made me laugh too, but since PHP is mostly written in C... what
does that make C?

The water of both bath houses and hospitals?

As far as GD being part of PHP now, if you want to help maintain it,
it's certainly possible to send in patches, but I tend towards
ImageMagick (and I have/had trunk commit rights to PHP).

WRT "wiki.php.net" being down, as I understand it, it's much more
mundane (tech-wise) than it's being played up as. A brute force attack
(many months ago) got access to an account on the PHP SVN trunk.
That exploited account was never used for more than minor testing in
the code, *however*, after the account password was changed, the
correlating account uname/pass wasn't changed across *all* PHP
properties... which meant that it was later used to pull all wiki
uname/pass combinations from the wiki, and gain access to the machine
running the wiki.

Which means that they're (the accounts) all exploitable via rainbow-table
attacks, if users used the same uname/pass across accounts.

In short: If somebody got your email password, and you were an admin
on *other* boxes, and you used the same password for all of the
accounts and services, things could get messy. Fast.

In a related note, I went to rubyonales in Bend last week, where one
of the speakers pointed at a total meltdown they were dealing with,
for very similar reasons.... they had a failover system for hosted
sites, where any VM hosting sites that failed (for whatever reason)
failed back to a core, central, machine... Where Apache ran as root.
So, the user web code ran as root. So.... their failover system gave
their hosted users root.... On a box which shared root credentials
with all of their other boxes....

Yeah. You see where this is headed. A single failed site meant root
access to all sites, all machines.

After asking about the details on this "one too many times" to a tech
(nice guy, BTW, outside of this, best as I can tell) he got in my
face. Poor guy. Looks like a good company, but forcing a password
reset on hundreds, or thousands, of users must *really* suck.

-Bop
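As an added example (not code from the thread or from the PHP project), the following Python models the two failure modes Bop describes: a leaked, unsalted password dump from one property (the wiki) that both matches a precomputed hash table and lines up with the other property's (SVN) hashes for any user who reused a password, versus a per-user salted, iterated store where neither match is possible. The account names, passwords and candidate list are constructed for the demonstration.

```python
import hashlib
import os

# Constructed sample accounts on two hypothetical "properties":
# alice reuses one password on both, bob does not.
SVN_USERS = {"alice": "correct horse", "bob": "svn-only-secret"}
WIKI_USERS = {"alice": "correct horse", "bob": "wiki-only-secret"}


def unsalted_store(users):
    """Plain SHA-1 store, as many older web apps kept: same password -> same hash."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users):
    """Store with a random 16-byte per-user salt and iterated PBKDF2-HMAC-SHA256."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, 100_000))
    return store


def reused_credentials(dump_a, dump_b):
    """Users whose stored value is identical on both properties.

    With unsalted hashes one leaked dump is enough to spot password reuse
    across properties; with per-user salts the stored values never line up,
    even for a user who did reuse a password.
    """
    return sorted(u for u in dump_a if u in dump_b and dump_a[u] == dump_b[u])


def precomputed_table(candidates):
    """Toy stand-in for a rainbow table: hash -> password, built once and
    reusable against every unsalted dump because no salt varies the input."""
    return {hashlib.sha1(p.encode()).hexdigest(): p for p in candidates}


def lookup_dump(table, dump):
    """Passwords recoverable from an unsalted dump by table lookup alone."""
    return {u: table[h] for u, h in dump.items() if h in table}


if __name__ == "__main__":
    print(reused_credentials(unsalted_store(SVN_USERS), unsalted_store(WIKI_USERS)))  # ['alice']
    print(reused_credentials(salted_store(SVN_USERS), salted_store(WIKI_USERS)))      # []
```

The same comparison is the check an operator can run after a breach on one property: identical unsalted hashes across stores tell you exactly which accounts must be reset everywhere.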


