[Owncloud] cgi-bin attacks

Mohammad Naghavi mohamnag at gmail.com
Wed Jan 29 22:13:53 UTC 2014


Hi there,
So I'm running on nginx, and as far as I can see there is nothing about cgi-bin in
those settings. I'm familiar with Apache but not too much with nginx, so I
just wanted to make sure whether that can cause me trouble.

regards,
Mohammad

====================
Mohammad Naghavi

Software engineer & analyst
Senior web and desktop developer
naghavi.me

   - at.linkedin.com/in/mohamnag/



On Wed, Jan 29, 2014 at 2:02 PM, Erwin Rennert <rennert at zsi.at> wrote:

> On 01/29/2014 01:41 PM, Mohammad Naghavi wrote:
>
>> Hi everybody,
>> I'm new to ownCloud and started using it two days ago, but I just
>> found out that I have just been attacked. They are trying requests
>> similar to the following with different target URLs:
>>
>> quest: "POST
>> /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%
>> 63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%
>> 65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%
>> 6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%
>> 5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%
>> 5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%
>> 5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%
>> 69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%
>> 64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%
>> 72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E
>> HTTP/1.1", host: "XXX.XXX.XXX.XXX"
>>
>> which decodes to:
>>
>> quest: "POST /cgi-bin/php4?-d allow_url_include=on -d safe_mode=off -d
>> suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d
>> auto_prepend_file=php://input -d cgi.force_redirect=0 -d
>> cgi.redirect_status_env=0 -n HTTP/1.1", host: "XXX.XXX.XXX.XXX"
>>
>> I'm using OC 6.0.1 and I want to know if my server is prone to such
>> attacks or not.
>>
>
> See http://security.stackexchange.com/questions/46566/protect-against-post-cgi-bin-php-attacks
>
> Your server is prone to such attacks if it uses cgi-bin directives in
> its Apache configuration. This is an Apache configuration issue, not
> specifically ownCloud.
>
> Good luck;
> Erwin
>
>
>
>> regards,
>> Mohammad
>>
>> _______________________________________________
>> Owncloud mailing list
>> Owncloud at kde.org
>> https://mail.kde.org/mailman/listinfo/owncloud
>>
>
> --
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> Erwin Rennert, IT Services
> Center for Social Innovation
>
> A-1150 Wien, Linke Wienzeile 246
> Austria, Europe
>
> Phone: ++43-1-495 04 42 - 61
> Facsimile: ++43-1-495 04 42 - 40
> http://www.zsi.at/
>
>
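
The manual decoding shown in the thread can be automated when triaging access logs. The Python sketch below is an added example, not part of the original messages: it decodes the query string of each logged request and flags php-cgi command-line switches. The log lines, the documentation-range addresses and the names `inspect`, `scan` and `encode_all` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# php-cgi switches seen in the decoded request in this thread: -d sets an ini
# directive, -n skips php.ini. -s (show source) is added here as an assumption.
SWITCH = re.compile(r"(?:^|\s)-(?:d\s+[\w.]+=|[ns]\b)")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ini directives from the decoded request that loosen PHP's restrictions
RISKY = ("allow_url_include", "auto_prepend_file", "open_basedir",
         "disable_functions", "safe_mode", "cgi.force_redirect")


def inspect(log_line):
    """Return a finding for a php-cgi option-injection probe, else None."""
    m = REQUEST.search(log_line)
    if not m or "?" not in m.group("target"):
        return None
    path, raw_query = m.group("target").split("?", 1)
    # The probe in the thread encodes every '=' as %3D, while an ordinary
    # key=value query carries a literal '=': skip those, decode the rest.
    if "=" in raw_query:
        return None
    decoded = unquote_plus(raw_query)
    if not SWITCH.search(decoded):
        return None
    return {"method": m.group("method"), "path": path, "decoded": decoded,
            "directives": [d for d in RISKY if d + "=" in decoded]}


def encode_all(text):
    """Percent-encode every character, spaces as '+', like the logged probe."""
    return "+".join("".join("%%%02X" % ord(c) for c in w) for w in text.split(" "))


def scan(lines):
    return [f for f in map(inspect, lines) if f]


# Constructed log lines (documentation-range addresses), not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [29/Jan/2014:12:30:01 +0000] "POST /cgi-bin/php4?%s HTTP/1.1" 404 162'
    % encode_all("-d allow_url_include=on -d auto_prepend_file=php://input -n"),
    '192.0.2.11 - - [29/Jan/2014:12:31:07 +0000] "GET /index.php?file=a.txt&dir=%2F HTTP/1.1" 200 51',
    '192.0.2.12 - - [29/Jan/2014:12:32:44 +0000] "GET /status.php HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["method"], f["path"], "->", f["decoded"], f["directives"])
```

A 404 status on a flagged line, as in the constructed sample, means the probed path does not exist on that server; any other status on a flagged line is the one to investigate first.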