JFFS3 document / wiki [OT]

Jörn Engel joern at wohnheim.fh-wedel.de
Thu Jan 27 11:38:45 EST 2005


On Thu, 27 January 2005 16:10:38 +0000, Cam wrote:
> 
> >Plus, Wikis tend to be instant security problems.  The situation
> >appears to be so bad that anyone with average exploit knowledge can
> >read the sources and control some new machines within a rainy
> >afternoon. 
> 
> Can you back that statement up with an example please? I wasn't aware 
> that wikis were so dangerous! :)

Neither was I before attending last year's CCC.
http://www.ccc.de/congress/2004/

Various bits of information on this were spread all over the place:
o Code examples of mysql - tons of buffer overflows.
o Code examples of php - same.
o Various hacks of machines based on either php or mysql
  vulnerabilities.
o Some specific problems with some wiki implementations.

Considering that most wikis use php, mysql or both, you can pretty
much get the idea.  I cannot point to specific vulnerabilities or
exploits, but the only thing stopping me from owning your wiki is my
lack of interest.  Cooking up something new is horribly simple.  So
you might want to move it somewhere, either to a dedicated machine or
to a vserver/chroot/jail.

And if you have too much time on your hands, security audits on php
and mysql wouldn't hurt.

Jörn

-- 
All art is but imitation of nature.
-- Lucius Annaeus Seneca




More information about the linux-mtd mailing list