Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: SoundSailor on November 08, 2005, 08:10:08 PM
-
Is the current stable version of SME (6.0.1-01) with updates from this site vulnerable to the lupii worm? See http://isc.sans.org/diary.php?date=2005-11-05 , http://isc.sans.org/diary.php?storyid=829 , and http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html . From what I can see a stock setup would not be vulnerable. The two vectors that look relevant (XML-RPC for PHP Remote Code Injection and AWStats) both are installed as add-ons and are not part of the base SME.
-
No releases of the SME Server include the PHP XMLRPC library or awstats in the standard installs.
Systems with these additional packages installed should upgrade to safe versions as soon as possible.
-
For users of awstats, note that version 6.4 is not vulnerable; earlier versions are vulnerable.
See
http://www.securityfocus.com/bid/10950/info