[Full-Disclosure] Possible apache2/php 4.3.9 worm
dk at pwarchitects.com
Tue Dec 28 01:20:03 GMT 2004
DanB UK wrote:
>>Do read the code carefully though Dan. Right off hand I can see errors
>>that were also in the code posted to bugtraq on the 20th; K-OTik may
>>have added more, dunno.
> It is probable that they have added errors in. To curb the script
> kiddies picking things up and modifying it and releasing it.
Yeah, I think it has been mentioned here that K-otik does this with
their posted code, which is fine by me. :)
> I have a bit of a worry about that and my talk, whether or not to
> release my sample code. It could be used quite evilly if the intention
> was there. I probably won't.
I have had concern about this as well, but remain a staunch supported of
the Full Disclosure concept sprinkled with some common sense. With the
time to live for virii/worms/exploits this year (from disclosure of bug
to malware exploiting it) it's obvious that the "bar" is getting
progressively lower each year in regards to the skill set it takes to
develop this code. Which is a shame, as developing that skill over time
lends itself to a better understanding of the responsibility that comes
So a PoC or code that is missing key parts (that a skilled person could
decipher), or an Advisory that informs the author(s) before the general
public seems a socially responsible way to address bugs in our current
climate. It /is/ hard not to share your work with others, and ultimately
does everyone a disservice in the end not to disseminate the knowledge. :)
There has been an interesting discussion regarding this on Bugtraq in
regards to Prof D. J. Bernstein's class "MCS 494: Unix
Security Holes" at UofI @ Chicago.
I was a bit surprised how vocal both he and one of his students,
Jonathan Rockway, were in the thread(s) concerning disclosure; but it
was nice to see them participate in it (and disclose the bugs they found
in the first place of course).
Yet they both seemed to disassociated themselves with many of the
real-world effects their disclosure decisions have. It would seem the
comfort of Academia colors things to those within it's walls. It was a
shame to see an obviously intelligent, skilled & adept math/cs professor
miss the mark on some of the social implications his work has on the
world -- outside of the constrained scope of his coursework.
To me, it just highlighted the very problem he was trying to address.
Namely, that some individuals or teams do not take responsibility for
their actions outside of the limited issues they directly identify with;
whether that be application coder or bug hunter. :(
Full-Disclosure is hosted and sponsored by Secunia.