All your $_SERVER variables are belong to php-syslog-ng-2.9.7.

Date: 01 April 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=9052

G'day Folks,

One of our Members who wishes to remain anonymous has informed us about an issue that they found with php-syslog-ng-2.9.7. The current maintainer of this application has included a function in this version which (if not turned off prior to installation) will send a number of details off to the following email address: cdukes@cdukes.com

The details sent off include:
... And a few other things (see the content further down for a full listing).

In the default configuration, this will be performed with no notification to the user during the installation process and with no indication that it ever occurred. At best this kind of programming is thoughtless and impolite, at worst it may constitute information gathering with malicious intent.

So we'd recommend that if you're using and about to upgrade, or are installing this software, consider:

Removing:

install_dir/html/includes/callhome.php

And killing the following lines:

html/index.php: include_once 'includes/callhome.php';
html/config/config.php.dist: define ('CALLHOME', TRUE);

And this chunk from the file upgrades/2.9.6_to_2.9.7.patch:

+//------------------------------------------------------------------------ +// CDUKES - Call home feature so I can see how many people are using this +// Feel free to disable this if you're overly paranoid (or don't have net access) +//------------------------------------------------------------------------ +define ('CALLHOME', TRUE); +?> diff -Nur -Nur html/includes/callhome.php html.2.9.7/includes/callhome.php --- html/includes/callhome.php 1969-12-31 19:00:00.000000000 -0500 +++ html.2.9.7/includes/callhome.php 2008-03-02 19:01:07.000000000 -0500 
@@ -0,0 +1,46 @@ + +/* + * callhome.php + * + * Developed by Clayton Dukes + * Copyright (c) 2008 http://www.gdd.net + * Licensed under terms of GNU General Public License. + * All rights reserved. + * + * Changelog: + * 2008-03-02 - created + * A simple script to help me get an idea of how many folks are using this tool + * feel free to disable it in config.php if you like :) + * + */ + +/* $Platon$ */ + +$filename = ".callhome"; +if (!file_exists($filename)) { + if(defined('CALLHOME') && CALLHOME == TRUE) { + // This is a best-effort attempt to send me an email, it kinda depends on + // whether or not you have the ability to do so from your server :-) + $message = "User Call home data for Php-Syslog-NG\n"; + $message = "HOST: " .$_SERVER["HTTP_HOST"] ."\n"; + $message .= "U_AGENT: " .$_SERVER["HTTP_USER_AGENT"] ."\n"; + $message .= "S_SIG: " .$_SERVER["SERVER_SIGNATURE"] ."\n"; + $message .= "S_SFT: " .$_SERVER["SERVER_SOFTWARE"] ."\n"; + $message .= "S_NAME: " .$_SERVER["SERVER_NAME"] ."\n"; + $message .= "S_ADDR: " .$_SERVER["SERVER_ADDR"] ."\n"; + $to = 'cdukes@cdukes.com'; + $subject = 'Php-syslog-ng Callhome'; + $from = $_SERVER["SERVER_ADMIN"] . "@" .$_SERVER["HTTP_HOST"]; + $headers = "From: $from" . "\r\n" . + "Reply-To: $from" . "\r\n" . + 'X-Mailer: PHP/' . phpversion(); + mail($to, $subject, $message, $headers); + + // Now write a "tickle" file so we don't call home more than once + $Content = "Tickle file to suppress subsequent calls home, it's safe to delete this file, but you may also want to set CALLHOME to FALSE in your config.php\r\n"; + $handle = fopen($filename, 'x+'); + fwrite($handle, $Content); + fclose($handle); + } +} +?>

Before performing the installation.

I don't think I've missed anything, but you'll probably want to eyeball it anyway just to be safe. Some people have funny revision control systems. Oh and don't forget to document the changes ;)

Thanks again to our anonymous reporter, I'll leave you with that for tonight.

Stay Secure.
MacLeonard
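
Review bot: the `define ('CALLHOME', TRUE);` line added to config.php.dist ships the feature switched on, so every install made from the template reports home unless the administrator already knows to edit it. The default here should be FALSE, with the comment above it describing what is sent and to whom, so that enabling it is a deliberate choice.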
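
Review bot: the From and Reply-To headers near the end of callhome.php are built from `$_SERVER["HTTP_HOST"]`, which is taken from the visitor's request, and are handed to mail() without any filtering; use a fixed sender address, or strip CR and LF from `$from` before building `$headers`. Two smaller points in the same hunk: the second assignment, `$message = "HOST: " ...`, uses `=` where `.=` was evidently intended, so the "User Call home data" line is discarded; and the result of `fopen($filename, 'x+')` is never checked, so where the web server cannot create .callhome the tickle file is never written and the mail goes out on every load of index.php.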
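
A way to check an existing tree for the pieces the advisory lists, as an added example that is not part of the original advisory or of php-syslog-ng. The function name `audit_callhome` is hypothetical and the live config path `html/config/config.php` is an assumption; the other paths are the ones named above.

```shell
#!/bin/sh
# Added example (not from the advisory or php-syslog-ng): report which
# call-home pieces are still present under an install directory.
# audit_callhome is a hypothetical name; html/config/config.php (the live
# config) is an assumed path, the other paths are the ones the advisory lists.
audit_callhome() {
    root=$1

    # 1. The script that sends the mail.
    if [ -f "$root/html/includes/callhome.php" ]; then
        echo "FOUND script: $root/html/includes/callhome.php"
    fi

    # 2. The include that runs it on every load of index.php.
    if [ -f "$root/html/index.php" ] &&
       grep -q "includes/callhome.php" "$root/html/index.php"; then
        echo "FOUND include: $root/html/index.php"
    fi

    # 3. CALLHOME still defined TRUE in the template or the live config
    #    (lines that start with a comment marker are not matched).
    for cfg in "$root/html/config/config.php.dist" "$root/html/config/config.php"; do
        if [ -f "$cfg" ] &&
           grep -Eiq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]CALLHOME['\"][[:space:]]*,[[:space:]]*TRUE" "$cfg"; then
            echo "FOUND enabled: $cfg"
        fi
    done

    # 4. The upgrade patch that would re-add the feature.
    patch="$root/upgrades/2.9.6_to_2.9.7.patch"
    if [ -f "$patch" ] && grep -q "callhome" "$patch"; then
        echo "FOUND patch hunk: $patch"
    fi

    # 5. The ".callhome" tickle file: callhome.php writes it right after
    #    calling mail(), so its presence means the send was already attempted.
    find "$root" -type f -name .callhome 2>/dev/null | while IFS= read -r f; do
        echo "FOUND tickle: $f"
    done
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_callhome "$1"
fi
```

A "FOUND tickle" line is the one to record in your change notes, since it indicates the host has already tried to send its details.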