[AWFFULL] Regarding the fixes in 3.7.2
steve at stedee.id.au
Wed Jan 24 10:02:47 EST 2007
I've been privately contacted by individuals claiming to work for a
security research company about the patches to AWFFull v3.7.2.
It's entirely possible that the emails are legit, but they sure read like
a phishing attempt. And I *really* don't appreciate being threatened. It
was along the lines of "Do what we want or else...".
Maybe I'm just being overly cautious and/or paranoid. :-)
There were just too many things that smelt and felt wrong for the emails
to be legit. Mind you: "Never ascribe to malice, that which ignorance or
stupidity will explain" may be at work here too. ;-)
In any event, In My Professional Opinion, the overflows etc in AWFFull are
*NOT* exploitable by a malicious external entity. If I felt they were, I
would have marked the fix as such and let you all know.
To trigger the overflows, you would require access to be able to modify
the config &/or language files themselves.
And if someone has that level of access to your server? Well you're pretty
screwed anyway. :-)
In any event, I would strongly urge everyone:
Do Not Run Awffull Under A Privileged Account!
Or any other log analyser for that matter. :-)
There are no special needs that awffull requires (another good reason for
having the dns stuff out), and should only have write access to a small
portion of an entire server.
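As an added example, not from this post or the AWFFull project: a Python check that reports which config/language files a dedicated AWFFull account could modify (the precondition for the overflows described above) and confirms its report directory is writable. The file names are constructed placeholders, and the rules only look at ownership and mode bits, so root, capabilities and ACLs are ignored.

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_by(path, uid, gids):
    """True if a process running as `uid` with group set `gids` could write
    `path`, judged from ownership and mode bits only (root and ACLs ignored)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_layout(input_files, output_dir, uid, gids=()):
    """Findings for the service account: input files it could modify
    (which is what reaching the overflows requires) and whether the
    report directory is writable at all (it has to be)."""
    findings = []
    for f in input_files:
        if writable_by(f, uid, gids):
            findings.append(f"input file writable by service account: {f}")
    if not writable_by(output_dir, uid, gids):
        findings.append(f"report directory not writable: {output_dir}")
    return findings


def build_sample_layout():
    """Constructed sample layout in a temp dir, owned by the current user.
    File names are placeholders, not AWFFull's real ones."""
    root = Path(tempfile.mkdtemp(prefix="awffull-audit-"))
    cfg, lang, out = root / "awffull.conf", root / "lang" / "english", root / "reports"
    lang.parent.mkdir()
    out.mkdir()
    cfg.write_text("# constructed placeholder config\n")
    lang.write_text("# constructed placeholder language file\n")
    os.chmod(cfg, 0o644)   # owner writes, everyone else only reads
    os.chmod(lang, 0o664)  # group-writable: flagged if the account is in the group
    os.chmod(out, 0o775)   # report dir: owner and group may write
    st = os.stat(cfg)
    return {"cfg": cfg, "lang": lang, "out": out,
            "owner_uid": st.st_uid, "owner_gid": st.st_gid}


if __name__ == "__main__":
    s = build_sample_layout()
    svc_uid = s["owner_uid"] + 1  # a separate, unprivileged account (assumed uid)
    for finding in audit_layout([s["cfg"], s["lang"]], s["out"], svc_uid, gids=(s["owner_gid"],)):
        print(finding)
```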