LILDBI-WEB-protection

De Wiki REDDES

--> Esta página em Português --> Esta página en Español

These instructions are for the users and system administrators of institutions that use the LILDBI-WEB application to manage their reference information sources.

On June 21st, 2010, the BIREME/PAHO/WHO team identified a security vulnerability which can be exploited in that application, therefore we ask system administrators to read carefully the instructions and follow the recommended procedure.

Tabla de contenidos

Affected Sites

The following procedures are primarily intended for LILDBI-WEB instances that are accessible from the Internet or intranet.

Motivation

Due to system vulnerabilities, we request all system administators who manage LILDBI-WEB instances to apply this procedure.

Procedure

1 - Protect directories

Remove write and execute permissions from the directory configured as DocumentRoot and all its sub-directories and files as follows.

Linux:

find ./htdocs -type d | xargs -i echo \"{}\" | xargs chmod 555
find ./htdocs -type f | xargs -i echo \"{}\" | xargs chmod 544

Windows: see LILDBI-WEB-protection-WIN

2 - Disable file upload and import

Replace the PHP files of your LILDBI-WEB instance with those in the attached package. This package should be unpacked in the directory named lildbi/ where the LILDBI-WEB instance is installed.

Link for the files:

Linux

Windows


Linux:

cd lildbi
tar xvzpf lildbi_linux_indisp.tar.gz

Windows: see LILDBI-WEB-protection-WIN

With this procedure, the document upload and ISO import facities will be disabled, displaying the message "temporarily disabled", until we send you the replacement files without the reported vulnerabilities.

3 - Next stages

Herramientas personales