Santy-Worm

Re: Santy-Worm

by Hannes Gassert -
Number of replies: 0
It definitely isn't an attack on PHP itself, only 'bad' scripts not checking input data are vulnerable. Santy is not attacking a PHP bug, see the various postings on http://planet-php.net.

I think claiming to be SURE there's no such vulnerability in ALL the Moodle code is pretty brave, considering the overall coding style I wouldn't be THAT sure - as with any project of this size.

Therefore I recommend fighting Santy with some lines in the top-level .htaccess file or, if you can, in httpd.conf. For example:


RewriteEngine On
RewriteCond %{QUERY_STRING} cd%20/tmp
RewriteRule .* / [F]


or even more specifically targeting the Santy worm:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} .*LWP::Simple.*
RewriteRule .* / [F]
RewriteCond %{HTTP_USER_AGENT} .*lwp-.*
RewriteRule .* / [F]

Instead of "/" you could of course use another, very small file or redirect to somewhere else.

Kind regards, Hannes
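
The two rule sets from the post above, replayed over access-log lines to see which requests they would refuse before the rules go live. This is an added example, not part of the original post: the log lines, addresses and the names matched_rule and summarize are constructed for illustration, and the log is assumed to be in Apache "combined" format.

```python
import re

# Patterns copied from the RewriteCond lines in the post (case-sensitive and
# unanchored, which is how mod_rewrite treats them without [NC]).
QUERY_RULE = re.compile(r"cd%20/tmp")
AGENT_RULES = [re.compile(r".*LWP::Simple.*"), re.compile(r".*lwp-.*")]

# Combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

def matched_rule(line):
    """Return 'query' or 'agent' if a rule would answer 403, else None."""
    m = LOG_LINE.match(line)
    if m is None:
        return "unparsed"
    # %{QUERY_STRING} is the raw, still-encoded text after the first '?'
    _, _, query = m.group("target").partition("?")
    if QUERY_RULE.search(query):
        return "query"
    if any(p.search(m.group("agent")) for p in AGENT_RULES):
        return "agent"
    return None

def summarize(lines):
    """Count how many log lines each rule would have refused."""
    counts = {}
    for line in lines:
        rule = matched_rule(line)
        counts[rule] = counts.get(rule, 0) + 1
    return counts

# Constructed sample log; the second line is a browser search that the
# query-string rule refuses as well (a false positive worth knowing about).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0100] "GET /course/view.php?id=2 '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686)"',
    '192.0.2.11 - - [01/Jan/2005:10:00:05 +0100] "GET /search.php?search=cd%20/tmp '
    'HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux i686)"',
    '198.51.100.7 - - [01/Jan/2005:10:00:09 +0100] "GET /index.php '
    'HTTP/1.0" 200 512 "-" "LWP::Simple/5.79"',
    '198.51.100.8 - - [01/Jan/2005:10:00:12 +0100] "GET /index.php '
    'HTTP/1.0" 200 512 "-" "lwp-trivial/1.35"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```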