The crackers before Christmas

I don’t know exactly why; maybe it’s because some system administrators go on holiday, or maybe it’s because evil students (read: young crackers) are on holiday themselves, but the festive season is always a time when we see more attempted attacks on our servers.

Oh, by the way, hackers are just people looking into the code to change it; they’re not evil. Crackers are people breaking into other people’s systems and trying to misuse them. They’re evil.

This week, two security problems were reported “in” Dokeos [1] [2]. We finally realized that the first one was a very old Dokeos installation where the recommended configuration settings (magic_quotes on) had been ignored, leaving the system open to SQL injection. Note that magic_quotes only backslash-escapes quotes in request data and does nothing for values used in a numeric context, so it is a stopgap at best; the real fix is for the application to escape or bind every value it puts into a query. The second one was due to a strange feature added to the default web server configuration that uncompressed and executed an uploaded rar file.
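The injection the first report relied on, as an added example that is not Dokeos code: a user lookup built by string concatenation, the same lookup as a PDO prepared statement, the numeric case that magic_quotes never covered, and a helper for undoing magic_quotes so that older code escapes consistently itself. The table and column names (user, course, username, title) and the DSN are assumptions.

```php
<?php
// Added example, not Dokeos code. Table/column names and the DSN are assumed.

// Constructed attacker input: with magic_quotes_gpc off the quote passes
// through untouched and closes the string literal in the query.
$attack = "' OR 1=1 -- ";

// Vulnerable: the value is pasted into the SQL text. The query becomes
//   SELECT id, username FROM user WHERE username = '' OR 1=1 -- '
// which matches every row, so the first user (often the admin) comes back.
function findUserVulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM user WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: a prepared statement sends the value separately from the query
// text, so quoting rules never apply and magic_quotes is irrelevant.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Numeric columns are the gap magic_quotes never closed: "1 OR 1=1" contains
// no quote, so it is passed through and still injects into an unquoted
// integer comparison. Cast and bind it as an integer instead.
function findCourseSafe(PDO $db, string $idFromRequest): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM course WHERE id = ?');
    $stmt->bindValue(1, (int) $idFromRequest, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Legacy code that does its own escaping must first undo magic_quotes when it
// is on, or values get escaped twice. get_magic_quotes_gpc() exists up to
// PHP 7.3; on newer PHP the function_exists() guard makes this a no-op.
function rawRequestValue(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Assumed connection details; ERRMODE_EXCEPTION makes SQL errors loud and
// disabling emulation gives real server-side prepared statements.
$db = new PDO('mysql:host=localhost;dbname=dokeos', 'dokeos', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

var_dump(findUserVulnerable($db, $attack));
var_dump(findUserSafe($db, $attack));
var_dump(findCourseSafe($db, '1 OR 1=1'));
```

Run against a test database: the vulnerable lookup returns a user for the constructed input, the prepared version looks for a user literally named `' OR 1=1 -- ` and finds none, and the integer cast turns `1 OR 1=1` into plain `1`.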

Yeah, that’s right… Dokeos itself does not uncompress rar files. So the attack requires you to upload a .rar file containing PHP files to the web server, and, if the system administrators of that server have completely missed the point of security, *then* you can execute the contents of the .rar file by requesting it from a web browser.
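An application-side counterpart to the web server fix, as an added example that is not Dokeos code: an upload handler that refuses server-executable names, checks every extension component (so shell.php.rar and shell.phtml.jpg are rejected too), and stores the file under a random name in a directory outside the document root. The directory path and the extension list are assumptions. The web server itself must still be configured not to run anything under that directory; no PHP code can enforce that part.

```php
<?php
// Added example, not Dokeos code. UPLOAD_ROOT and the extension list are
// assumptions; adjust them to the installation.

// Assumed storage directory, deliberately outside the document root so the
// web server never maps a URL onto an uploaded file.
const UPLOAD_ROOT = '/var/www/dokeos-data/uploads';

// Extensions a web server or add-on handler might execute (or, as in the
// second report, unpack and execute). Conservative on purpose.
const DANGEROUS_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
    'cgi', 'pl', 'py', 'sh', 'htaccess',
];

// True if any extension component of the name is on the list. Checking every
// component matters: Apache's multiple-extension handling can treat
// "shell.php.jpg" as PHP, and "shell.php.rar" is exactly the reported case.
function isDangerousName(string $name): bool
{
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts); // drop the base name, keep only the extensions
    foreach ($parts as $ext) {
        if (in_array($ext, DANGEROUS_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// $file is one entry of $_FILES. Returns the stored path; the original name
// should be kept only as metadata in the database, never used in the path.
function storeUpload(array $file, string $courseCode): string
{
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (isDangerousName($file['name'])) {
        throw new RuntimeException('file type not allowed');
    }

    // Course code goes into the path, so strip everything but [A-Za-z0-9_-]
    // to rule out "../" tricks.
    $dir = UPLOAD_ROOT . '/' . preg_replace('/[^A-Za-z0-9_-]/', '', $courseCode);
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }

    // Random, extension-less name: nothing for a handler to key on.
    $target = $dir . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('cannot store upload');
    }
    chmod($target, 0640); // readable by the web server, never executable
    return $target;
}

// Constructed inputs showing the check on its own.
var_dump(isDangerousName('lecture.rar'));       // plain archive, allowed
var_dump(isDangerousName('shell.php.rar'));     // rejected
var_dump(isDangerousName('shell.phtml.jpg'));   // rejected
var_dump(isDangerousName('.htaccess'));         // rejected
```

Serve stored files through a download script that sends them with `Content-Disposition: attachment` and reads them with readfile(), rather than by URL; combined with a web server that has script execution turned off under UPLOAD_ROOT, an uploaded archive is then just bytes, whatever it contains.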

Needless to say, we don’t have that *special feature* enabled at Dokeos’ company, so our customers are safe regarding this one.
