All your $_SERVER variables are belong to php-syslog-ng-2.9.7.

Date: 01 April 2008

G'day Folks,


One of our Members who wishes to remain anonymous has informed us about an issue
that they found with php-syslog-ng-2.9.7.

The current maintainer of this application has included a function in this version which (if
not turned off prior to installation) will send a number of details off to the following
email address:
  cdukes@cdukes.com
The details sent off include:

  • The server name and version
  • Server Software version
  • Server address IP or URL
  • ServerAdmin directive from your httpd.conf

... And a few other things (see the content further down for a full listing).

In the default configuration, this is performed during installation with no notification to
the user and no indication afterwards that it ever occurred.

At best this kind of programming is thoughtless and impolite, at worst it may constitute
information gathering with malicious intent.

So we'd recommend that if you're using this software and about to upgrade, or are about to
install it, you consider:

Removing:

install_dir/html/includes/callhome.php

And killing the following lines:

html/index.php: include_once 'includes/callhome.php';
html/config/config.php.dist: define ('CALLHOME', TRUE);


And this chunk from the file upgrades/2.9.6_to_2.9.7.patch:


+//------------------------------------------------------------------------
+// CDUKES - Call home feature so I can see how many people are using this
+// Feel free to disable this if you're overly paranoid (or don't have net access)
+//------------------------------------------------------------------------
+define ('CALLHOME', TRUE);
+?>
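Review bot: `define ('CALLHOME', TRUE);` makes the call home opt-out, which sits badly with the comment's "feel free to disable this": anyone who copies config.php.dist unchanged mails their server details out without ever seeing the option. Shipping the .dist default as `FALSE` (or asking at install time) would make it opt-in.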
diff -Nur -Nur html/includes/callhome.php html.2.9.7/includes/callhome.php
--- html/includes/callhome.php 1969-12-31 19:00:00.000000000 -0500
+++ html.2.9.7/includes/callhome.php 2008-03-02 19:01:07.000000000 -0500
@@ -0,0 +1,46 @@
+ +/*
+ * callhome.php
+ *
+ * Developed by Clayton Dukes
+ * Copyright (c) 2008 http://www.gdd.net
+ * Licensed under terms of GNU General Public License.
+ * All rights reserved.
+ *
+ * Changelog:
+ * 2008-03-02 - created
+ * A simple script to help me get an idea of how many folks are using this tool
+ * feel free to disable it in config.php if you like :)
+ *
+ */
+

+/* $Platon$ */
+
+$filename = ".callhome";
+if (!file_exists($filename)) {
+ if(defined('CALLHOME') && CALLHOME == TRUE) {
+ // This is a best-effort attempt to send me an email, it kinda depends on
+ // whether or not you have the ability to do so from your server :-)
+ $message = "User Call home data for Php-Syslog-NG\n";
+ $message = "HOST: " .$_SERVER["HTTP_HOST"] ."\n";
+ $message .= "U_AGENT: " .$_SERVER["HTTP_USER_AGENT"] ."\n";
+ $message .= "S_SIG: " .$_SERVER["SERVER_SIGNATURE"] ."\n";
+ $message .= "S_SFT: " .$_SERVER["SERVER_SOFTWARE"] ."\n";
+ $message .= "S_NAME: " .$_SERVER["SERVER_NAME"] ."\n";
+ $message .= "S_ADDR: " .$_SERVER["SERVER_ADDR"] ."\n";
+ $to = 'cdukes@cdukes.com';
+ $subject = 'Php-syslog-ng Callhome';
+ $from = $_SERVER["SERVER_ADMIN"] . "@" .$_SERVER["HTTP_HOST"];
+ $headers = "From: $from" . "\r\n" .
+ "Reply-To: $from" . "\r\n" .
+ 'X-Mailer: PHP/' . phpversion();
+ mail($to, $subject, $message, $headers);
+

+ // Now write a "tickle" file so we don't call home more than once
+ $Content = "Tickle file to suppress subsequent calls home, it's safe to delete this file, but you may also want to set CALLHOME to FALSE in your config.php\r\n";
+ $handle = fopen($filename, 'x+');
+ fwrite($handle, $Content);
+ fclose($handle);
+ }
+}
+?>
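Review bot: the second assignment, `$message = "HOST: " .$_SERVER["HTTP_HOST"] ."\n";`, uses `=` where `.=` was meant, so the "User Call home data" header line built just before it is discarded. Two more points in the same hunk: `$from` is built from the client-supplied `HTTP_HOST` and dropped straight into the From and Reply-To headers without validation, and `fopen($filename, 'x+')` returns FALSE when `.callhome` cannot be created (the path is relative, so it resolves against whatever the web server's working directory happens to be), after which `fwrite` and `fclose` are called on FALSE; check the handle before writing the tickle file.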

Before performing the installation.

I don't think I've missed anything, but you'll probably want to eyeball it anyway just to be safe. Some people have funny revision control systems.
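For the eyeballing, an added example (not code from this post or from php-syslog-ng): a pair of sh functions that audit an unpacked install tree for the call-home pieces listed above and strip the ones the post names. The install dir argument, the `.orig` backups and the constructed test tree are assumptions; the chunk inside upgrades/2.9.6_to_2.9.7.patch is only reported, not edited.

```shell
#!/bin/sh
# Added example, not from the AusCERT post or the php-syslog-ng project.
# $1 is the unpacked install directory (assumption).

# List every remaining call-home reference. Returns 0 if the tree is clean, 1 otherwise.
callhome_audit() {
    dir=$1
    rc=0
    if [ -f "$dir/html/includes/callhome.php" ]; then
        echo "FOUND: $dir/html/includes/callhome.php"
        rc=1
    fi
    # The tickle file means callhome.php already ran (and tried to mail) at least once.
    if [ -f "$dir/html/.callhome" ]; then
        echo "FOUND: $dir/html/.callhome (call home already happened)"
        rc=1
    fi
    # Any PHP source, .dist template or upgrade patch still naming the hook.
    # .orig backups written by callhome_strip are skipped; /dev/null forces grep
    # to prefix each hit with its filename.
    hits=$(find "$dir" -type f ! -name '*.orig' \
             \( -name '*.php' -o -name '*.php.dist' -o -name '*.patch' \) \
             -exec grep -n -e 'callhome\.php' -e 'CALLHOME' /dev/null {} + || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/FOUND: /'
        rc=1
    fi
    return $rc
}

# Remove callhome.php and the two hook lines, keeping .orig copies so the change
# can be documented. The upgrade patch chunk is left for manual editing.
callhome_strip() {
    dir=$1
    rm -f "$dir/html/includes/callhome.php"
    for f in "$dir/html/index.php" "$dir/html/config/config.php.dist" \
             "$dir/html/config/config.php"; do
        [ -f "$f" ] || continue
        cp "$f" "$f.orig"
        grep -v -e "include_once 'includes/callhome.php'" \
                -e "define ('CALLHOME', TRUE)" "$f.orig" > "$f" || true
    done
}
```

Run `callhome_audit /path/to/install` before and after `callhome_strip`; a non-zero exit with no FOUND lines means the tree is clean.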

Oh and don't forget to document the changes ;)

Thanks again to our anonymous reporter, I'll leave you with that for tonight.

Stay Secure.
MacLeonard