Hello Jim,

As stated in bug #491200, I'm packaging the latest version of webalizer
but I haven't uploaded it yet.

On Mon, Apr 18, 2011 at 02:05:27PM -0400, Jim Salter wrote:
> Package: webalizer
> Followup-For: Bug #622897
> 
> 
> Moritz, I believe that the initial attack was through webalizer because 
> the path /var/www/.webalizer contained php injections which gave the 
                    ^-- with a dot
> attackers their initial shell, which was first used to host a phishing 
> form which was also under /var/www/webalizer - whereas the production 
                                     ^-- or no dot ?
> site on the host was under /[redacted]/[redacted], under which no files 
> were added, removed, or modified.
> 
The /var/www/webalizer directory is filled by webalizer, however,
webalizer is not a webapp written in php so I don't see how php could
compromise webalizer.

> I'm not sure what you mean by "recent years"; but my own research showed 
> a widely-exploited security bug in Webalizer in 2009 which I sincerely 
> hope was either fixed by the upstream maintainers, or at least patched 
> in Debian's repos.  If it's that bug... well, dear lord, please let's 
> get that patched, it's been two years already? =)
> 
> Ref: 
> http://news.softpedia.com/news/Webalizer-Bug-Possibly-Leading-to-Mass-Web-Compromise-119983.shtml
Your reference does not really explain the exploit; following the link
on "warns" [1] I ended up on [2], which dates back to 2002 (not 2009).

 1: http://threatcenter.blogspot.com/2009/08/mass-compromise-of-sites-with-webalizer.html
 2: http://linuxdevcenter.com/pub/a/linux/2002/04/16/insecurities.html

Looking in webalizer changelog:
| 2.01-xx changes from 1.30-04
| [...]
|  o Fix posible obscure buffer overflow bug in DNS resolver code

That could be the fix for the 2002 bug; however, lenny's webalizer
version is 2.01.10-32.4, so it uses webalizer 2.01-10, which already
includes this fix.
See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=143019

To get it patched, I guess we need a little more information on how
exactly you got attacked. Unless you had a pretty old version, it's not
the same bug.
Also, did you have the reverse DNS feature enabled (in the webalizer
configuration that outputs to /var/www/webalizer)? It's off by
default.

> 
> ... or at LEAST let's fix the installation process so that it doesn't 
> silently expose itself on the default site.

Well, once I've got the version with the latest upstream code uploaded, I
plan to look at the configuration parts, so I'll look at that too.

> 
> I still use webalizer on some very high-traffic sites because I don't 
> know of any other packages which can scale linearly to handle VERY high 
> levels of traffic - one client of mine generates about 40G of Apache 
> logs per day on app servers alone; webalizer's the only thing I know of 
> that can handle that volume.

So help us identify that bug! :)

Best Regards,

Julien VdG

-- 
Julien Viard de Galbert                        <[email protected]>
http://silicone.homelinux.org/           <[email protected]>
GPG Key ID: D00E52B6                  Published on: hkp://keys.gnupg.net
Key Fingerprint: E312 A31D BEC3 74CC C49E  6D69 8B30 6538 D00E 52B6