The Wakaba and Kareha support thread, part 2 (1000)

479 Name: Anonymous : 2009-01-05 16:44 ID:Heaven

>>473

When I say default, I mean Wakaba's behavior when enabling non-prohibited filetypes in config.pl, such as MP3s. I'm pretty sure Wakaba is set up not to rename those after uncommenting the respective lines.

>>476

I am told by the server admin that it is actually a bug with the latest Apache (or perhaps mod_php), possibly affecting only Gentoo. I could not find a citation (beyond this anecdote) to support the claim, but this seems to be a known issue. It does turn out that if ".php" is found anywhere in the filename, it is still executed by Apache. A PHP file can then be disguised as a 7zip file or MP3 file (e.g., nasty_hax.php.mp3), and be uploaded. If the extension is uncommented in config.pl, it gets uploaded. If the server (or PHP interpreter) suffers from the issue, the attacker executes the malicious code and has fun. I have neither tested nor asked about this for other script types. Indeed, renaming files would technically render this exploit moot, but by default Wakaba does not do this with non-pictures. There are Wakaba boards out there that support non-picture uploading, and I have seen only one (Pooshlmer) that renames files.

>>477

Indeed, that is a wise suggestion. In fact, I've just chmod-ed the src/ directories myself.

...and then the pictures could not be accessed by anyone. I set permissions to 644, but no one could see the pictures unless the execute bits were set. I'll have to ask the admin about it myself, unless someone here has an idea.

At any rate, I just thought I'd share the (admittedly nontrivial) suggestion and post about this potential exploit for other people. It completely blindsided us. Having a layer of security at the board software level in case of a future server exploit sounds like the best solution, though I understand leaving it in the hands of the administration rather than adding feature bloat.

Kudos for the script.
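
As an added example (not code from Wakaba, Kareha or this thread), here is the upload-name problem from the post modelled in Python. Apache's mod_mime treats every dot-separated segment of a filename as an extension, so with `AddHandler application/x-httpd-php .php` a file called nasty_hax.php.mp3 is still handed to PHP. The block shows the weak last-extension check that lets such a name through, a hardened check that rejects any script extension in any position, and the rename-on-upload approach the post mentions, which defeats the trick regardless of what the uploader named the file. The extension lists and the random-name scheme are assumptions for the example, not Wakaba's own.

```python
import secrets

# Extensions a script handler would claim when the server is configured with
# "AddHandler application/x-httpd-php .php" and similar directives. Assumption
# for this example; the real set depends on the server's configuration.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi"}

# Upload types a board might enable, modelled on the config.pl discussion in
# the thread. The list itself is an assumption.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "mp3", "7z"}


def apache_would_execute(filename: str) -> bool:
    """Model mod_mime's multiple-extension handling.

    Every segment after the first dot is examined, not only the last one, so
    "nasty_hax.php.mp3" is treated as a PHP file as well as an MP3.
    """
    segments = filename.lower().split(".")[1:]
    return any(seg in SCRIPT_EXTENSIONS for seg in segments)


def extension_only_check(filename: str) -> bool:
    """The weak check: look only at the final extension.

    This passes nasty_hax.php.mp3 because its final extension is allowed.
    """
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def hardened_check(filename: str) -> bool:
    """Require an allowed final extension AND no script extension in any
    earlier segment, mirroring what the handler would actually match."""
    return extension_only_check(filename) and not apache_would_execute(filename)


def safe_stored_name(filename: str) -> str:
    """Rename on upload: keep only the validated final extension and replace
    everything else with a random token, so nothing the uploader chose
    survives into the stored path. Only the final extension is checked here,
    because the rename alone removes any embedded ".php" segment."""
    if not extension_only_check(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names, including the disguised script from the post.
    for name in ["song.mp3", "archive.7z", "evil.php", "nasty_hax.php.mp3"]:
        print(f"{name:20} last-ext-only={extension_only_check(name)!s:5} "
              f"hardened={hardened_check(name)!s:5} "
              f"apache-executes={apache_would_execute(name)}")
    stored = safe_stored_name("nasty_hax.php.mp3")
    print("stored as", stored, "-> executes:", apache_would_execute(stored))
```

On the server side the usual fix for the multiple-extension behaviour is to hand only names ending in .php to the interpreter, i.e. `<FilesMatch "\.php$">` with `SetHandler application/x-httpd-php` instead of `AddHandler application/x-httpd-php .php`, and to disable PHP in upload directories (`php_flag engine off` or `RemoveHandler` in that directory's configuration). On the chmod problem from the post: a directory needs the execute (search) bit to be traversed, so 644 on src/ itself is what makes the pictures unreachable; 755 on the directory with 644 on the files inside is the combination that lets Apache read them without making anything executable.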

This thread has been closed. You cannot post in this thread any longer.