what www perl script is running?
Colin Brace
cb at lim.nl
Wed Aug 26 08:30:15 UTC 2009
Steve Bertrand said the following on 08/26/2009 01:33 AM:
> In this case, OP, look for:
>
> - directories named as such:
> -- ...
> -- . ..
> -- . .
> -- etc, particularly under:
> -- /var/tmp
> -- /tmp
> -- or anywhere else the [gu]id of the webserver could possibly write to
>
Thanks for the comments, Steve. This has indeed been the case here:
there was a bunch of files installed by user 'www' (the webserver) in a
directory called ".," in /tmp ; the script itself was in /tmp
Someone has suggested to me that the vulnerability might have been in
the RoundCube webmail package which I had installed:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0413
"Cross-site scripting (XSS) vulnerability in RoundCube Webmail
(roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
web script or HTML via the background attribute embedded in an HTML
e-mail message."
--
Colin Brace
Amsterdam
http://www.lim.nl
More information about the freebsd-questions
mailing list