Development

Worm "Santy.C" problem for TikiWiki?

posts: 7 Austria


I've a question about "Santy.C"

Santy.C is a worm attacking sites written in PHP.
A description of the worm can be found here
Is this worm a security risk for TikiWiki too?

posts: 49 Uruguay
AFAIK that worm, more than targeting PHP, targets phpBB, exploiting a PHP vulnerability, so that particular worm should not be a problem for TikiWiki, but, anyway, you should upgrade your PHP to prevent some manual exploit.
posts: 7 Austria

I think you're talking about Santy.A.
But there are two new, more aggressive versions!


posts: 2881 United Kingdom

It could be used against most PHP applications including TikiWiki and TikiPro

Damian santa


posts: 6 United States

Just to clarify.... based on the given info about the worm:
"It targets ANY .PHP page/script vulnerable to a remote file inclusion
(programming) flaw; these vulnerabilities are independent from the PHP version, they result from common coding mistakes"

TW does, in fact, have these "common coding mistakes" in there by default?

Is there a certain string I can grep for to try and help commit some fixes?

Or, damian, do you mean that if a user took the codebase and added their own custom code/plugins, they can open themselves up to attack?
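
The "remote file inclusion" coding mistake quoted above, shown as an added illustration beside an allowlisted replacement; this is example code, not TikiWiki's own, and the `pages/` directory, the `PAGE_TEMPLATES` map and the `page` parameter are assumptions for the illustration:

```php
<?php
// Added example, not TikiWiki code. The "page" parameter, the pages/ directory
// and the PAGE_TEMPLATES map are assumptions made for this illustration.

// VULNERABLE: the include path is taken straight from the request. Whatever
// path or URL the client supplies is what PHP loads and executes, which is
// exactly the class of flaw the worm description above refers to.
function includePageVulnerable(array $get): void
{
    include $get['page'];
}

// HARDENED: the request value only selects an entry in a fixed map; the
// include path itself is never built from user input.
const PAGE_TEMPLATES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolvePage(?string $page): ?string
{
    if ($page === null || !array_key_exists($page, PAGE_TEMPLATES)) {
        return null; // unknown page: nothing is included
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGE_TEMPLATES[$page]);
    // Belt and braces: the resolved file must still live under pages/.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function includePageSafe(array $get): void
{
    $path = resolvePage($get['page'] ?? null);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}
```

Setting `allow_url_include=Off` in php.ini stops the remote variant but not inclusion of local files, so the allowlist in the code is still what actually closes the flaw.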

posts: 2881 United Kingdom

I'm not sure on a specific string to grep for.

Any modifications made by a user could well open it up; I mean there is no way we could ever protect against changes made by the user.

A concern is the amount of places which need to be open as Apache writable. And basically all compiled Smarty templates in templates_c are basically .php files. It might be interesting to also raise this with the Smarty dudes.

Damian
http://tikihost.net
