Koozali.org: home of the SME Server

Lupii worm - SME Vulnerable?

SoundSailor
« on: November 08, 2005, 08:10:08 PM »
Is the current stable version of SME (6.0.1-01) with updates from this site vulnerable to the lupii worm? See http://isc.sans.org/diary.php?date=2005-11-05 , http://isc.sans.org/diary.php?storyid=829 , and http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html . From what I can see a stock setup would not be vulnerable. The two vectors that look relevant (XML-RPC for PHP Remote Code Injection and AWStats) both are installed as add-ons and are not part of the base SME.

gordonr
« Reply #1 on: November 11, 2005, 07:30:22 AM »
Quote from: "SoundSailor"
Is the current stable version of SME (6.0.1-01) with updates from this site vulnerable to the lupii worm? See http://isc.sans.org/diary.php?date=2005-11-05 , http://isc.sans.org/diary.php?storyid=829 , and http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html . From what I can see a stock setup would not be vulnerable. The two vectors that look relevant (XML-RPC for PHP Remote Code Injection and AWStats) both are installed as add-ons and are not part of the base SME.

No releases of the SME Server include the PHP XMLRPC library or awstats in the standard installs.

Systems with these additional packages installed should upgrade to safe versions as soon as possible.

raem
« Reply #2 on: November 28, 2005, 10:22:21 AM »
For users of awstats, note that version 6.4 is not vulnerable; earlier versions are vulnerable.
See
http://www.securityfocus.com/bid/10950/info
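An added example, not part of any post in this thread: a shell check that compares an installed awstats version against the 6.4 threshold given in the last reply. The RPM package name `awstats` and the function names are assumptions; the thread gives no fixed version for the PHP XML-RPC library, so that is not checked.

```shell
#!/bin/sh
# Added example: flag awstats installs older than the version the thread calls safe.
SAFE_AWSTATS=6.4   # threshold stated in the thread

# version_lt A B: succeed when dotted numeric version A sorts before B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # keep leading digits of each component
        x=${x:-0}; y=${y:-0}               # a missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                               # equal versions are not "less than"
}

# classify_awstats VERSION: print a verdict for one version string.
classify_awstats() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif version_lt "$1" "$SAFE_AWSTATS"; then
        echo "vulnerable"
    else
        echo "ok"
    fi
}

# installed_awstats_version: version of the awstats RPM, empty if absent.
# Assumption: the add-on was installed as an RPM named "awstats".
installed_awstats_version() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}\n' awstats 2>/dev/null |
        grep -v 'not installed' | head -n 1
}

# Constructed sample versions, followed by the local host.
for v in 5.9 6.3 6.4 6.10; do
    echo "awstats $v: $(classify_awstats "$v")"
done
echo "awstats on this host: $(classify_awstats "$(installed_awstats_version)")"
```

A copy of awstats unpacked by hand rather than installed as an RPM will report as not-installed here and has to be checked separately.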