

phpMyAdmin 3.4.x multiple HTML injection vulnerabilities

PMASA-2012-4

Announcement-ID: PMASA-2012-4

Date: 2012-08-16

phpMyAdmin versions before 3.4.11.1 and before 3.5.2.2 contain multiple HTML injection vulnerabilities. An attacker can exploit them to inject HTML and JavaScript into the affected site, which can lead to theft of authentication credentials and control over the site's appearance.

Summary

Multiple XSS in Table operations, Database structure, Trigger and Visualize GIS data pages.

Description

Using a crafted table name, it was possible to produce an XSS:

1) On the Database Structure page, creating a new table with a crafted name
2) On the Database Structure page, using the Empty and Drop links of the crafted table name
3) On the Table Operations page of a crafted table, using the 'Empty the table (TRUNCATE)' and 'Delete the table (DROP)' links
4) On the Triggers page of a database containing tables with a crafted name, when opening the 'Add Trigger' popup
5) When creating a trigger for a table with a crafted name, with an invalid definition

Having crafted data in a database table, it was possible to produce an XSS:

6) When visualizing GIS data, having a crafted label name

Severity

We consider these vulnerabilities to be non critical.

Mitigation factor

These XSS can only be triggered when a table with a crafted name is already present, or if crafted data is already stored in a database table.

Affected Versions

Versions 3.4.x are affected, for issues #1 and #2. Versions 3.5.x are affected, for all issues.

Solution

Upgrade to phpMyAdmin 3.4.11.1 or 3.5.2.2 or newer, or apply the patches listed in the advisory:

http://www.phpmyadmin.net/home_page/security/PMASA-2012-4.php

Download the latest phpMyAdmin

Posted in Security Advisories.



Creating an LVM partition on a new disk under Linux

The Dell R410 originally had two 146 GB disks; I added a third 146 GB disk. Disks are cheap now: 650 yuan on Tmall, plus 70 yuan for a drive caddy.

Enable hardware detection, then reboot the server

chkconfig haldaemon on
chkconfig messagebus on
# CentOS 6 has no kudzu service; udev is used instead
chkconfig kudzu on

The new disk is detected as /dev/sdc

fdisk -l

Disk /dev/sda: 146.8 GB, 146815733760 bytes
255 heads, 63 sectors/track, 17849 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          25      200781   83  Linux
/dev/sda2              26        1069     8385930   82  Linux swap / Solaris
/dev/sda3            1070       17849   134785350   8e  Linux LVM

Disk /dev/sdb: 146.8 GB, 146815733760 bytes
255 heads, 63 sectors/track, 17849 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1       17849   143372061   8e  Linux LVM

Disk /dev/sdc: 146.8 GB, 146815737856 bytes
255 heads, 63 sectors/track, 17849 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/sdc doesn't contain a valid partition table

Check the existing PVs

pvdisplay

  --- Physical volume ---
  PV Name               /dev/sdb1
  VG Name               VolGroup01
  PV Size               136.73 GB / not usable 11.78 MB
  Allocatable           yes (but full)
  PE Size (KByte)       32768
  Total PE              4375
  Free PE               0
  Allocated PE          4375
  PV UUID               p2QSKt-hLuG-xGF5-Cj8t-9IxX-cKCf-hP7hIu

  --- Physical volume ---
  PV Name               /dev/sda3
  VG Name               VolGroup00
  PV Size               128.54 GB / not usable 10.32 MB
  Allocatable           yes (but full)
  PE Size (KByte)       32768
  Total PE              4113
  Free PE               0
  Allocated PE          4113
  PV UUID               wdCg83-8jEM-XQtP-gmuX-lYor-IpWn-Hve2mr

Partition the new disk; the partition type id for LVM is 8e

fdisk /dev/sdc

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel. Changes will remain in memory only,
until you decide to write them. After that, of course, the previous
content won't be recoverable.

The number of cylinders for this disk is set to 17849.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): p

Disk /dev/sdc: 146.8 GB, 146815737856 bytes
255 heads, 63 sectors/track, 17849 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-17849, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-17849, default 17849):
Using default value 17849

Command (m for help): p

Disk /dev/sdc: 146.8 GB, 146815737856 bytes
255 heads, 63 sectors/track, 17849 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1       17849   143372061   83  Linux

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 8e
Changed system type of partition 1 to 8e (Linux LVM)

Command (m for help): p

Disk /dev/sdc: 146.8 GB, 146815737856 bytes
255 heads, 63 sectors/track, 17849 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1       17849   143372061   8e  Linux LVM

Command (m for help): w

Create the PV

# pvcreate /dev/sdc1
  Physical volume "/dev/sdc1" successfully created
# pvdisplay
  --- Physical volume ---
  PV Name               /dev/sdb1
  VG Name               VolGroup01
  PV Size               136.73 GB / not usable 11.78 MB
  Allocatable           yes (but full)
  PE Size (KByte)       32768
  Total PE              4375
  Free PE               0
  Allocated PE          4375
  PV UUID               p2QSKt-hLuG-xGF5-Cj8t-9IxX-cKCf-hP7hIu

  --- Physical volume ---
  PV Name               /dev/sda3
  VG Name               VolGroup00
  PV Size               128.54 GB / not usable 10.32 MB
  Allocatable           yes (but full)
  PE Size (KByte)       32768
  Total PE              4113
  Free PE               0
  Allocated PE          4113
  PV UUID               wdCg83-8jEM-XQtP-gmuX-lYor-IpWn-Hve2mr

  "/dev/sdc1" is a new physical volume of "136.73 GB"
  --- NEW Physical volume ---
  PV Name               /dev/sdc1
  VG Name
  PV Size               136.73 GB
  Allocatable           NO
  PE Size (KByte)       0
  Total PE              0
  Free PE               0
  Allocated PE          0
  PV UUID               rifdUK-ACXa-hGlM-L5iD-UkZ5-p4It-pshfwd

Create the VG

# vgcreate VolGroup02 /dev/sdc1
  Volume group "VolGroup02" successfully created
# vgdisplay
  --- Volume group ---
  VG Name               VolGroup02
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  1
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                0
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               136.73 GB
  PE Size               4.00 MB
  Total PE              35002
  Alloc PE / Size       0 / 0
  Free  PE / Size       35002 / 136.73 GB
  VG UUID               YLvkVA-OZQJ-p3yZ-5fEg-4xmH-dXMF-6ZcqTY

  --- Volume group ---
  VG Name               VolGroup01
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  2
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                1
  Open LV               1
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               136.72 GB
  PE Size               32.00 MB
  Total PE              4375
  Alloc PE / Size       4375 / 136.72 GB
  Free  PE / Size       0 / 0
  VG UUID               bTRPY7-sETF-7yrw-8Iaa-jgMp-msLb-VFf9Pv

  --- Volume group ---
  VG Name               VolGroup00
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  3
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                2
  Open LV               2
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               128.53 GB
  PE Size               32.00 MB
  Total PE              4113
  Alloc PE / Size       4113 / 128.53 GB
  Free  PE / Size       0 / 0
  VG UUID               dZu73K-djmf-Qqes-7Bl2-NcGr-12cx-2ygDPt

Create the logical volume, allocating all of the free space

# lvcreate -l 100%FREE -n /dev/VolGroup02/LogVol00 VolGroup02
  Logical volume "LogVol00" created
# lvdisplay
  --- Logical volume ---
  LV Name                /dev/VolGroup02/LogVol00
  VG Name                VolGroup02
  LV UUID                TThlLG-BUNw-smr9-Cv1d-cv8D-1V8i-cB0Hfa
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                136.73 GB
  Current LE             35002
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:3

  --- Logical volume ---
  LV Name                /dev/VolGroup01/LogVol00
  VG Name                VolGroup01
  LV UUID                0JbGWl-ivcx-g4WL-JHY7-RcXc-hEM5-V3htC1
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                136.72 GB
  Current LE             4375
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:2

  --- Logical volume ---
  LV Name                /dev/VolGroup00/LogVol01
  VG Name                VolGroup00
  LV UUID                cZ3Vnw-PMIx-LUNQ-N53R-etKc-s1BS-AmQE82
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                118.53 GB
  Current LE             3793
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0

  --- Logical volume ---
  LV Name                /dev/VolGroup00/LogVol00
  VG Name                VolGroup00
  LV UUID                R5fS7y-9649-kyZi-VFmn-24lh-ju2w-Uk7TzY
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                10.00 GB
  Current LE             320
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:1

Format the partition. When Linux creates a filesystem it reserves a share of the disk for root (or a specified user), 5% by default. The -m reserved-percentage option of mke2fs adjusts this so that more space is usable, with no effect on performance. After the filesystem has been created, tune2fs can change the setting, for example tune2fs -m 1 /dev/sdc1 sets the reserved share to 1% (on this box the filesystem lives on the logical volume, so the device to pass is /dev/VolGroup02/LogVol00). In the mkfs output below the default shows up as:

1792102 blocks (5.00%) reserved for the super user

# mkfs -t ext3 /dev/VolGroup02/LogVol00
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
17924096 inodes, 35842048 blocks
1792102 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
1094 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 23 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Mount the partition

# mkdir /data
# mount /dev/VolGroup02/LogVol00 /data
# df -h
文件系统                         容量  已用  可用 已用% 挂载点
/dev/mapper/VolGroup00-LogVol01  115G   12G   98G  11% /
/dev/mapper/VolGroup00-LogVol00  9.7G  152M  9.1G   2% /tmp
/dev/mapper/VolGroup01-LogVol00  133G   35G   91G  28% /opt
/dev/sda1                        190M   13M  168M   7% /boot
tmpfs                            7.9G   92K  7.9G   1% /dev/shm
/dev/mapper/VolGroup02-LogVol00  135G  188M  128G   1% /data

Mount automatically at boot

vi /etc/fstab
/dev/VolGroup02/LogVol00 /data ext3 defaults 1 2

Test writing

# cd /data
# touch testfile

===================== Update 2012-12-14: to release the disk space Linux reserves, add -m 1 to gain more usable space

mkfs -t ext3 -m 1 /dev/VolGroup02/LogVol00
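As an added example (my own script, not from the original post), the steps above in one POSIX sh function with the preflight check the manual run relies on eyeballing: it refuses a disk that already has a partition node or a filesystem/LVM signature, and DRY_RUN=1 prints the commands instead of running them. VolGroup02, LogVol00 and /data come from the post; the function names and the scripted fdisk answers (which mirror the post's interactive session on the old fdisk) are assumptions.

```shell
#!/bin/sh
# Added example: partition -> pvcreate -> vgcreate -> lvcreate -> mkfs -> mount -> fstab.
# DRY_RUN=1 prints each command instead of running it (all steps need root otherwise).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A disk is "blank" only if it has no partition node (/dev/sdc1 ...) and
# blkid finds no filesystem or LVM signature on it. Always true in dry-run.
disk_is_blank() {
    [ "${DRY_RUN:-0}" = "1" ] && return 0
    [ -b "$1" ] || return 1
    ls "$1"[0-9]* >/dev/null 2>&1 && return 1
    [ -z "$(blkid "$1" 2>/dev/null)" ]
}

# fstab line in the post's format: device mountpoint fstype options dump pass
fstab_entry() {
    printf '/dev/%s/%s %s %s defaults 1 2\n' "$1" "$2" "$3" "$4"
}

# provision_lvm_disk DISK VG LV MOUNTPOINT [FSTYPE]
provision_lvm_disk() {
    disk="$1" vg="$2" lv="$3" mnt="$4" fs="${5:-ext3}"
    disk_is_blank "$disk" || { echo "refusing: $disk is not blank" >&2; return 1; }
    # one primary partition spanning the disk, type 8e (Linux LVM), as in the post
    run sh -c "printf 'n\np\n1\n\n\nt\n8e\nw\n' | fdisk $disk"
    run pvcreate "${disk}1"
    run vgcreate "$vg" "${disk}1"
    run lvcreate -l 100%FREE -n "$lv" "$vg"
    # -m 1: reserve 1% for root instead of the 5% default (the post's 2012-12-14 update)
    run mkfs -t "$fs" -m 1 "/dev/$vg/$lv"
    run mkdir -p "$mnt"
    run mount "/dev/$vg/$lv" "$mnt"
    entry=$(fstab_entry "$vg" "$lv" "$mnt" "$fs")
    grep -qF "$entry" /etc/fstab 2>/dev/null || run sh -c "echo '$entry' >> /etc/fstab"
}
```

Run it as DRY_RUN=1 provision_lvm_disk /dev/sdc VolGroup02 LogVol00 /data first and compare the printed commands with the session above before running it for real.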

Posted in Linux maintenance and tuning.



How to stop nrpe connection logs from being written to /var/log/messages

nrpe leaves a large number of connection records in messages, which gets in the way of reading the log. My nrpe runs in daemon mode:

/opt/nagios/bin/nrpe -c /opt/nagios/etc/nrpe.cfg -d

tail /var/log/messages

Jul 19 14:04:22 C1gstudio sshd[20749]: Connection closed by 122.111.222.111 [preauth]
Jul 19 14:09:22 C1gstudio sshd[21056]: Connection closed by 122.111.222.111 [preauth]

Check how ssh currently logs; the default is the AUTH facility at level INFO, i.e. auth.info:

cat /etc/ssh/sshd_config

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

Change where the ssh log goes:

vi /etc/syslog.conf

*.info;mail.none;authpriv.none;cron.none;                /var/log/messages
# append auth.!=info to the selector so ssh records no longer go to /var/log/messages
*.info;mail.none;authpriv.none;cron.none;auth.!=info     /var/log/messages
# add a line that sends the ssh log to /var/log/sshd
auth.*                                                   /var/log/sshd

Reload the syslog service:

/etc/init.d/syslog reload

Check the effect of the change:

tail -f /var/log/messages /var/log/sshd

ssh connection logs are now kept in /var/log/sshd, while nrpe's own startup and similar messages still go to /var/log/messages.

Update 2012-08-01 =============: in /etc/syslog.conf the selector must be ;auth.!=info, not ;!auth.info. It can be tested with logger:

logger -p auth.info "hello"
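Added example, not part of the original post: a small POSIX sh model of how sysklogd evaluates a selector list, so the two spellings from this post can be compared on the same message. The selector strings are taken from the post; the function names are my own, and the model covers only the selector forms named in its comments.

```shell
#!/bin/sh
# Added example: model of sysklogd selector matching (not the real syslogd code).

# syslog priority as a number: emerg=0 ... debug=7 (8 = unknown name)
prio_num() {
    case "$1" in
        emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo 8 ;;
    esac
}

# selector_matches FACILITY PRIORITY SELECTORS
# SELECTORS is the left-hand side of a syslog.conf line, e.g.
# "*.info;mail.none;authpriv.none;cron.none;auth.!=info".
# Rules modelled: "fac.lvl" takes lvl and more severe, "fac.=lvl" exactly lvl,
# "fac.!lvl" drops lvl and more severe, "fac.!=lvl" drops exactly lvl,
# "fac.none" drops the facility; later selectors for a facility override earlier ones.
selector_matches() {
    fac="$1" pri=$(prio_num "$2") match=0
    set -f; oldifs=$IFS; IFS=';'          # no pathname expansion of "*.info"
    for sel in $3; do
        [ -n "$sel" ] || continue
        facs=${sel%.*} lvl=${sel##*.}
        # facility part may be a comma list; "!auth" names no facility at all,
        # so the post's first attempt "!auth.info" silently matches nothing
        case ",$facs," in
            *",*,"*|*",$fac,"*) ;;
            *) continue ;;
        esac
        case "$lvl" in
            none)  match=0 ;;
            '!='*) if [ "$pri" -eq "$(prio_num "${lvl#!=}")" ]; then match=0; fi ;;
            '!'*)  if [ "$pri" -le "$(prio_num "${lvl#!}")" ]; then match=0; fi ;;
            '='*)  if [ "$pri" -eq "$(prio_num "${lvl#=}")" ]; then match=1; fi ;;
            '*')   match=1 ;;
            *)     if [ "$pri" -le "$(prio_num "$lvl")" ]; then match=1; fi ;;
        esac
    done
    IFS=$oldifs; set +f
    [ "$match" = 1 ]
}
```

Note that auth.!=info drops only the info level: an auth message at warning or above still lands in /var/log/messages, which is what the logger -p test in the update can confirm.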

Posted in Nagios, Technology, Logs.



Missing log rotation on Linux caused a false intrusion alarm

The logwatch report showed that yesterday an SSH account had logged in and run some maintenance commands. Strange, I thought: a hacker who logs in to maintain the system.

I checked, and there were no recent login records:

tail -n100 /var/log/secure

I noticed that the log files under /var/log were very large and that there were no rotated .x files:

ll /var/log

Searching by date did turn up the login records. The log carries no year in its timestamps, and because it had never been rotated, last year's logins were taken as yesterday's:

cat /var/log/secure | grep 'Jul 16'

Running logrotate by hand with /etc/cron.daily/logrotate failed with an error that the uucp user does not exist (I had deleted the uucp user by hand earlier).

After removing the uucp logrotate entry it ran normally:

rm /etc/logrotate.d/uucp
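Added example (my own, not from the post): a check that flags a syslog-format file whose entries cross a year boundary, which is exactly when a yearless "Jul 16" stamp becomes ambiguous, plus the oldest stamp in the file for the "is this really yesterday?" question. Function names are mine and the sample lines used in the test are constructed.

```shell
#!/bin/sh
# Added example: detect an unrotated syslog file that spans more than one year.

month_num() {
    case "$1" in
        Jan) echo 1 ;; Feb) echo 2 ;; Mar) echo 3 ;; Apr) echo 4 ;;
        May) echo 5 ;; Jun) echo 6 ;; Jul) echo 7 ;; Aug) echo 8 ;;
        Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) echo 0 ;;
    esac
}

# log_spans_year FILE: true (0) if the month of successive lines ever goes
# backwards. Syslog stamps carry no year, so that only happens when the file
# holds entries from more than one year, i.e. logrotate has not been running.
log_spans_year() {
    prev=0
    while read -r mon _rest; do
        cur=$(month_num "$mon")
        [ "$cur" -gt 0 ] || continue          # skip lines without a syslog stamp
        if [ "$cur" -lt "$prev" ]; then return 0; fi
        prev=$cur
    done < "$1"
    return 1
}

# first_stamp FILE: the oldest "Mon DD HH:MM:SS" stamp in the file
first_stamp() {
    awk '$1 ~ /^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$/ { print $1, $2, $3; exit }' "$1"
}
```

A file that fails log_spans_year is the case described in this post: a grep for 'Jul 16' returns hits from two different years and logwatch cannot tell them apart.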

Posted in Linux maintenance and tuning, Logs.



How to quickly fix a read-only Linux filesystem (Read-only file system)

On systems with heavy I/O a partition may often become unwritable; repair it with fsck.

1. Check which partitions there are and their filesystem types:

cat /etc/fstab
/dev/VolGroup00/LogVol03 /opt ext3 defaults 1 2

2. Test whether each partition can be written to:

cd /opt
touch x
touch: cannot touch `x': Read-only file system

3. Repair the /opt partition by hand. The partition must be unmounted before running fsck:

umount /opt

If the device is busy, use fuser to kill the processes holding it:

fuser -mk /opt

Repair it as ext3:

fsck -t ext3 /opt

Mount the partition again and it is writable once more:

mount /opt

PS: to remount read-write without repairing:

mount -o rw,remount /opt

fsck also runs automatically when the system reboots.

It is advisable to give /var its own partition.
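Added example (not from the original post): the manual "touch x in every partition" round turned into functions that read the mount table for filesystems already remounted read-only and list the fstab entries fsck would check at boot. MOUNTS and FSTAB are my own override variables so the parsing can be tested on constructed input; they default to /proc/mounts and /etc/fstab.

```shell
#!/bin/sh
# Added example: find filesystems that have gone read-only instead of probing
# each one by hand. With errors=remount-ro the kernel flips ext3 to ro on I/O
# errors, and that state is visible in the mount options of /proc/mounts.

# Print "mountpoint device" for every mounted filesystem whose options contain ro.
ro_mounts() {
    awk '{ n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") print $2, $1 }' \
        "${MOUNTS:-/proc/mounts}"
}

# Print the fstab mount points fsck checks at boot (pass field > 0) on ext2/3/4,
# i.e. the partitions worth testing; swap, tmpfs and comments are skipped.
fsck_targets() {
    awk '$1 !~ /^#/ && NF >= 6 && $6 > 0 && $3 ~ /^ext[234]$/ { print $2 }' "${FSTAB:-/etc/fstab}"
}

# can_write DIR: the post's "touch x" test, cleaned up afterwards.
can_write() {
    f="$1/.rwtest.$$"
    if touch "$f" 2>/dev/null; then rm -f "$f"; return 0; fi
    return 1
}

# Walk the fstab targets and report each one that refuses a write.
report_readonly() {
    for m in $(fsck_targets); do
        can_write "$m" || echo "read-only: $m"
    done
}
```

ro_mounts is the check to put in monitoring; report_readonly reproduces the manual step 2 for every fsck-checked partition at once.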

Posted in Linux maintenance and tuning.



Nagios XI cross-site scripting and HTML injection vulnerability

Affected versions:

Nagios XI 2011R1.9

Vulnerability description:

Nagios is free, open-source host and service monitoring software that runs on many Linux and Unix operating systems.

Nagios XI 2011R1.9 does not properly filter user-supplied input. An attacker can exploit this to execute HTML and script code in the affected browser, steal cookie-based authentication credentials or control the appearance of the site.

Security recommendation:

Vendor patch:

Nagios

The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:

http://www.nagios.org/

Source: http://sebug.net/vuldb/ssvid-60254

Posted in Security Advisories.



WordPress 3.x information disclosure and unauthorized operation vulnerabilities; Discuz! X2.5 releases the R20120701 update patch

WordPress

WordPress versions before 3.4.1 have an error in the user check performed while handling XML-RPC requests, which can lead to information disclosure and unauthorized post-editing operations.

http://wordpress.org/news/2012/06/wordpress-3-4-1/

Discuz! X2.5 R20120701 update notes

+======================================+
 Discuz! X2.5 release 20120701
+======================================+
FIX JS response events
FIX QQ groups: shorten the URL length
FIX Cache table data not cleared when a group's second-level domain is set to an empty value
ADD Note that the maximum length of a personal space domain name is 15
ADD Add the category information title when processing category information
FIX Process category information in array format
FIX Plugin variable settings for user groups and forums
ADD Compatibility routine for the mobile client whitelist version number
FIX Italic text not working in articles and blogs
FIX X2.5 branch filtering of administrator thread categories in forumnav
FIX Character set problem that prevented registration with Chinese characters
FIX X2.5 branch compatibility for category information when viewing threads
FIX Set the ContentType of content returned for a script tag src to text/javascript
FIX Related links: compatibility with <script tags in PHP mode
FIX Only one reply comment shown
FIX Display format of the registration terms of service
FIX Thread view count periodically reset to 1 when post caching is enabled
FIX No notice shown when credit rewards are turned off
FIX Quick-post button in other colour schemes
FIX Compatibility of multiple forums sharing one database
FIX Language pack code error
FIX Selection box not shown when editing category information
FIX Articles already approved in front-end management still flagged for review in the back end
FIX Attachment upload reported as failed when publishing an article without choosing a channel
FIX Retrieval of the PID parameter when switching Alipay
FIX Numeric fields in category information threads could not display 0
FIX QQ Connect exposing the user information of anonymous posts
FIX Reply tags not parsed when editing again after replying
FIX Adaptive-width sidebar under IE6
FIX DIY retrieval of sticky or digest posts failing in some cases
FIX Statistics error caused by the DB rework
FIX Wrong breadcrumb navigation links
FIX Changing thread read permissions
FIX Posts deleted via back-end moderation not found by the recycle bin search
FIX Wrong description text for the fields usable by the topic module
FIX Error when accessing from the mobile version after choosing to keep a redirect when moving a thread
FIX Compatibility handling for pagination problems caused by inaccurate data from archive tables and the like
FIX Wrong rewrite (pseudo-static) links after commenting on a topic

http://www.discuz.net/thread-2744369-1-1.html

Posted in Security Advisories.



How to view a network card's MAC address under Linux

Normally the interface is up and the address can be seen with any of these commands:

ifconfig -a
ip addr show
arp

When the interface is down, read it from the interface configuration file:

cat /etc/sysconfig/network-scripts/ifcfg-eth0

When the configuration file has not been generated correctly:

cat /sys/class/net/eth0/address

To view the MAC addresses of two NICs in a bond:

cat /proc/net/bonding/bond0

Posted in Linux commands.



How to use the shell on SourceForge

SourceForge.net, also known as SF.net, is a central site where open-source developers manage their development work; it is the world's largest open-source development platform and repository and offers cvs, svn and git. Having used it, I find it much nicer than github.com.

First register an SF account and create a project.

Create the shell

ssh -t USER,PROJECT@shell.sourceforge.net create

Log in to the shell

ssh USER,PROJECT@shell.sourceforge.net

PuTTY SSH client

Session > Host Name: shell.sourceforge.net
Session > Connection Type: SSH
Connection > SSH > Remote command: create
Connection > Data > Auto-login username: USER,PROJECT

On later connections, leave out the Remote command and the Auto-login username.

SSH key authentication, rsync and sftp are also supported.

The system on SF is CentOS 5.6:

[c1g@shell-22002 ~]$ cat /etc/issue.net
CentOS release 5.6 (Final)
Kernel \r on an \m

The project's public download directory (lempelf is my project name): /home/frs/project/lempelf/

ll /home/
total 40
drwxr-xr-x 3 root root 4096 Jun 20 06:37 frs
drwxr-xr-x 3 root root 4096 Jun 20 06:37 git
drwxr-xr-x 4 root root 4096 Jun 20 06:37 logs-project-web
drwxr-xr-x 3 root root 4096 Jun 20 06:37 logs-user-web
drwxr-xr-x 5 root root 4096 Jun 20 06:37 project-web
drwxr-xr-x 6 root root 4096 Jun 20 06:37 scm_bzr
drwxr-xr-x 6 root root 4096 Jun 20 06:37 scm_git
drwxr-xr-x 6 root root 4096 Jun 20 06:37 scm_hg
drwxr-xr-x 3 root root 4096 Jun 20 06:37 user-web
drwxr-xr-x 3 root root 4096 Jun 20 06:37 users

To publish a large file, you can download it straight into the shell and publish it from there:

cd /home/frs/project/lempelf/
wget http://xxx.com/lempelf.tar.gz

Or upload it directly with scp:

scp lempelf.tar.gz USER,PROJECT@shell.sourceforge.net:/home/frs/project/lempelf/

Reference: https://sourceforge.net/apps/trac/sourceforge/wiki/Shell%20service

Posted in Project management.



Using the CentOS yum repository on Red Hat

cat /etc/issue.net

Red Hat Enterprise Linux Server release 5.4 (Tikanga)
Kernel \r on an \m

# yum update
Loaded plugins: rhnplugin, security
This system is not registered with RHN.  RHN support will be disabled.

1. Remove the yum packages installed by default on RHEL

List the yum packages:

rpm -qa | grep yum

Remove them:

rpm -qa | grep yum | xargs rpm -e --nodeps

2. Download the new yum packages (32-bit):

mkdir yum
cd yum
wget http://centos.ustc.edu.cn/centos/5/os/i386/CentOS/yum-3.2.22-39.el5.centos.noarch.rpm
wget http://centos.ustc.edu.cn/centos/5/os/i386/CentOS/yum-fastestmirror-1.1.16-21.el5.centos.noarch.rpm
wget http://centos.ustc.edu.cn/centos/5/os/i386/CentOS/yum-metadata-parser-1.1.2-3.el5.centos.i386.rpm

Install them:

rpm -ivh yum-*

3. Download the yum repository configuration:

cd /etc/yum.repos.d
wget http://mirrors.163.com/.help/CentOS5-Base-163.repo
yum makecache

Posted in LINUX.
