Preservation of system state considered harmful

Rick Moen rick@linuxmafia.com
Wed, 2 Feb 2005 12:19:17 -0800


(linuxmafia.com had 22 hours of downtime, on account of my being sloppy,
but lost no data; cost me a few hours' recovery work.)

IRC log:


11:57 < redrick> Reason my rants page now malfunctions probably points directly 
                 to the method of break-in:
11:57 < redrick> Old site had PHP register_globals = On.
11:58 < redrick> Illustrates an interesting Debian pitfall:  It's easy to 
                 forget, as you upgrade packages, that /etc/* contains fossil 
                 configuration that may be a liability, security or otherwise.
11:59 < redrick> PHP devels had a big fight over register_globals, and changed 
                 the default as of PHP 4.2, even though it was expected to 
                 break lots of extant code.  But my site didn't get the new 
                 /etc/php4/apache/php.ini config, because I was preserving 
                 machine state during upgrades.
12:01 < redrick> So, my site's scripts didn't break, but I accidentally carried 
                 forward a huge, gaping security hole, until (probably) it bit 
                 me.
12:04 < redrick> Explanation of the problem:  
                 http://www.securereality.com.au/archives/studyinscarlet.txt
12:10 < redrick> Essentially, attacker can inject arbitrary PHP code, with 
                 tediously familiar results.
12:11 < redrick> Remedial reading for PHPers hooked on register_globals = On:  
                 http://www.zend.com/zend/art/art-oertli.php
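An added illustration (not from the post or the IRC log) of why a fossil register_globals = On is such a liability: the login check, variable names and credentials below are constructed, and extract() stands in for what register_globals did to every request.

```php
<?php
// Simulates register_globals = On: every request parameter became a PHP
// variable before the script ran. Vulnerable and hardened forms side by side.

// Vulnerable: $authorized is assigned only on success and never initialised,
// so with register_globals the request itself can pre-set it.
function vulnerable(array $request): string
{
    extract($request, EXTR_OVERWRITE); // stand-in for register_globals = On
    if (isset($user, $pass) && $user === 'admin' && $pass === 'correct horse') {
        $authorized = true;
    }
    // empty() is used so an undefined $authorized does not raise a warning
    return !empty($authorized) ? 'secret page' : 'denied';
}

// Hardened: initialise every control variable and read input only from the
// explicit request array, so a stray authorized=1 parameter has no effect.
function hardened(array $get): string
{
    $authorized = false;
    $user = $get['user'] ?? '';
    $pass = $get['pass'] ?? '';
    if ($user === 'admin' && $pass === 'correct horse') {
        $authorized = true;
    }
    return $authorized ? 'secret page' : 'denied';
}

// Constructed request: a failed login that also smuggles in authorized=1.
// vulnerable() lets it through; hardened() rejects it.
$forged = ['user' => 'nobody', 'pass' => 'wrong', 'authorized' => '1'];
echo "vulnerable: ", vulnerable($forged), "\n";
echo "hardened:   ", hardened($forged), "\n";
```

Turning register_globals off in the live php.ini (and checking that the upgraded package's php.ini actually replaced the preserved one) closes the same class of hole for every script on the host at once.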