On Fri, Apr 15, 2011 at 12:29:42PM -0400, Jim Salter wrote:
> Package: webalizer
> Version: 2.01.10-32.4
> Severity: critical
> Tags: security
> Justification: root security hole
>
> A server I admin running Debian Lenny with the current version of
> webalizer installed was exploited through webalizer. Once the attackers
> had a shell, they used an unknown, presumably local, privilege
> escalation exploit to compromise several system binaries. The
> escalation happened later; the original attacker installed a phishing
> site within /var/www/.webalizer.
I just checked and there are no reports of Webalizer security issues being fixed in recent years. How did you pinpoint that the initial attack was done through Webalizer? If it can be nailed down to webalizer, it should be reported directly to the webalizer upstream maintainers.

> I checked to make absolutely certain, and the version of webalizer
> running on the system WAS the most current in Lenny repos.

I agree with your later followup that the default installation of webalizer should be more conservative. webalizer looks fairly unmaintained anyway, with the last maintainer upload from 2007; it should be dropped from testing until it has seen some maintenance. I just filed a removal bug from testing.

> It does not show as installed on the system currently, because I nuked
> it from orbit with great prejudice in the process of reclaiming my
> system from known good backups.

The Weyland-Yutani approach to security :-)

Cheers,
Moritz
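The report above describes two things a responder would want to check on a suspect host: content dropped into a hidden directory under the web root (here /var/www/.webalizer) and tampered system binaries. The script below is an added example, not part of the bug thread and not Debian's or webalizer's code. It builds a constructed demo tree under mktemp so it runs offline; the directory names, the fake phishing files and the `demo_webroot` helper are all assumptions for the demo. The `dpkg --verify` call is the real dpkg option for comparing installed files against their shipped md5sums, but whether it reports anything depends on the host, so it is only run, not asserted on.

```shell
#!/bin/sh
# Added example: hunt for hidden directories under a web document root
# and list the script-like files inside them, then verify installed
# package files with dpkg. Demo paths below are constructed, not from
# the original report.

# find_hidden_webdirs ROOT: print every directory below ROOT whose name
# starts with a dot (e.g. ROOT/.webalizer), sorted, one per line.
find_hidden_webdirs() {
    find "$1" -mindepth 1 -type d -name '.*' 2>/dev/null | sort
}

# count_scripts DIR: number of PHP/HTML files under DIR. Phishing kits
# are almost always a handful of these in a directory nobody expects.
count_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        2>/dev/null | wc -l | tr -d ' '
}

# report_hidden ROOT: for each hidden directory print its path and the
# number of script-like files it contains, so the responder can triage.
report_hidden() {
    find_hidden_webdirs "$1" | while IFS= read -r dir; do
        printf '%s\t%s script/html files\n' "$dir" "$(count_scripts "$dir")"
    done
}

# verify_installed_files: ask dpkg to compare every installed package
# file against its recorded md5sum (assumed available; dpkg >= 1.17).
# A missing dpkg is treated as "nothing to verify" rather than an error.
verify_installed_files() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify 2>/dev/null || true
    else
        echo "dpkg not available on this host" >&2
    fi
}

# demo_webroot: constructed tree mimicking the report, for offline runs.
# Prints the temporary root so callers can inspect and remove it.
demo_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/webalizer" "$d/.webalizer/bank"
    echo '<html>stats</html>' > "$d/webalizer/index.html"
    echo '<?php // constructed fake credential harvester ?>' > "$d/.webalizer/bank/login.php"
    echo '<html>login</html>' > "$d/.webalizer/bank/index.html"
    echo "$d"
}

# Stand-alone run: build the demo tree, report on it, clean up.
if [ "${0##*/}" != "sh" ] && [ -z "${HIDDEN_WEBDIR_NO_MAIN:-}" ]; then
    root=$(demo_webroot)
    report_hidden "$root"
    verify_installed_files >/dev/null
    rm -rf "$root"
fi
```

On a real host point `report_hidden` at the actual document root (for the report above, /var/www) and read the `dpkg --verify` output for changed files under /bin, /sbin or /usr; both steps only flag candidates, so timestamps and owners still have to be compared against a known-good backup.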