[AWFFULL] Regarding the fixes in 3.7.2

Steve McInerney steve at stedee.id.au
Wed Jan 24 10:02:47 EST 2007


I've been privately contacted by individuals claiming to work for a
security research company about the patches to AWFFull v3.7.2.

It's entirely possible that the emails are legit, but they sure read like
a phishing attempt. And I *really* don't appreciate being threatened. It
was along the lines of "Do what we want or else...".

Maybe I'm just being overly cautious and/or paranoid. :-)

There were just too many things that smelt and felt wrong for the emails
to be legit. Mind you: "Never ascribe to malice that which ignorance or
stupidity will explain" may be at work here too. ;-)

In any event, In My Professional Opinion, the overflows etc. in AWFFull are
*NOT* exploitable by a malicious external entity. If I felt they were, I
would have marked the fix as such and let you all know.
To trigger the overflows, you would require access to be able to modify
the config and/or language files themselves.
And if someone has that level of access to your server? Well, you're pretty
screwed anyway. :-)

In any event, I would strongly urge everyone:
   Do Not Run Awffull Under A Privileged Account!

Or any other log analyser for that matter. :-)

AWFFull has no special requirements (another good reason for having the
DNS stuff out), and should only have write access to a small portion of
the server.


- Steve
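As an added example, not part of Steve's post or of the AWFFull project's code: a small POSIX sh wrapper that enforces the two precautions the post gives before launching a log analyser. It refuses to run as root, checks that the config file is readable but not writable by the account running the analyser (editing the config or language files is the only stated way to reach the overflows), and checks that the report directory is the one place the account can write and that nobody else can write there. The account name, the paths and the analyser command line are assumptions; the wrapper takes the analyser command as its remaining arguments so no AWFFull flags are assumed.

```shell
#!/bin/sh
# Added example (not AWFFull project code): run a log analyser only as an
# unprivileged account, with a read-only config and a single writable
# report directory. Account name, paths and command line are assumptions.

# Exit 0 when the effective UID is not 0 (i.e. we are not root).
is_unprivileged() {
    [ "$(id -u)" -ne 0 ]
}

# Exit 0 when the group-write or other-write bit is set on a path.
# Parses the mode string from `ls -ld`, which works the same on GNU and
# BSD userlands (unlike the flags of `stat`).
is_group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# The report directory must exist, be owned by us, be writable by us and
# not be writable by anyone else (another account could otherwise plant
# files that end up served as "reports").
outdir_is_sane() {
    [ -d "$1" ] && [ -O "$1" ] && [ -w "$1" ] && ! is_group_or_world_writable "$1"
}

# The config file must be readable but NOT writable by this account, nor
# by group/other: the only way to hit the overflows is to edit it, so the
# account that runs the analyser must be unable to.
config_is_readonly() {
    [ -f "$1" ] && [ -r "$1" ] && [ ! -w "$1" ] && ! is_group_or_world_writable "$1"
}

# Run the analyser command given after the first two arguments only if
# every check passes. Assumed usage, e.g. from the analyser account's crontab:
#   run_checked /etc/awffull.conf /var/www/awffull awffull -c /etc/awffull.conf
run_checked() {
    config=$1
    outdir=$2
    shift 2
    is_unprivileged || {
        echo "refusing to run as root" >&2
        return 1
    }
    config_is_readonly "$config" || {
        echo "config $config must be read-only for this account" >&2
        return 1
    }
    outdir_is_sane "$outdir" || {
        echo "output dir $outdir is missing or writable by others" >&2
        return 1
    }
    "$@"
}
```

The ownership and mode checks are deliberately stricter than "can I write here": a report directory that is world-writable, or a config file the analyser account can edit, is exactly the setup under which the fixed overflows would have mattered.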
