[ale] Linux Ransom-ware
Alex Carver
agcarver+ale at acarver.net
Mon Nov 9 11:37:14 EST 2015
On 2015-11-09 08:24, James Sumners wrote:
> On Monday, November 9, 2015, Alan Hightower <alan at alanlee.org> wrote:
>
>>
>>
>>
>>
>> But unless you highly partition your content in jails under Apache, I
>> suppose the ransomware could attack anything apache has write privileged to
>> modify. I don't leave static content owned by apache.apache. However
>> there are some dynamic content directories that are. SQL connections could
>> also be vulnerable. I suppose the same sound principles that apply toward
>> generally securing a web server would apply to protecting data against
>> ransomware risk.
>>
>> -Alan
>>
> Indeed. This is why systems need to be continually patched; not just every
> quarter or some other ridiculousness. Especially if you're exposing
> yourself via systems that are known to be poorly "designed" like PHP.
Eh, you can do dumb things with any language, it's not directly PHP's
fault, it's the fault of the plugin writer that failed to take safety
into account. If the plugin were written in something else it would
still have an issue.
I could just as easily do something hideously dumb with the most basic
bash CGI script as I could with a PHP script, a Python script, a Ruby
script, a Lua script or just about anything else.
I mean, I could do something like this (leaving out the overhead of
parsing the GET):
ls -l ${GET[0]}
And that obviously leaves me open to supplying a query string like this
(not urlencoded for clarity):
index.html?param=.;rm -rf /
So is bash bad? No, it did what I told it to do. Input sanitizing has
to happen no matter what the language.
More information about the Ale
mailing list