These instructions are for the users and system administrators of institutions that use the LILDBI-WEB application to manage their reference information sources.
On June 21st, 2010, the BIREME/PAHO/WHO team identified a security vulnerability that can be exploited in that application. We therefore ask system administrators to read these instructions carefully and follow the recommended procedure.
Affected Sites
The following procedures are primarily intended for LILDBI-WEB instances that are accessible from the Internet or intranet.
Motivation
Due to system vulnerabilities, we request all system administrators who manage LILDBI-WEB instances to apply this procedure.
Procedure
1 – Protect directories
Remove write and execute permissions from the directory configured as DocumentRoot and all its sub-directories and files as follows.
Linux:
find ./htdocs -type d | xargs -i echo \"{}\" | xargs chmod 555
find ./htdocs -type f | xargs -i echo \"{}\" | xargs chmod 544
Windows: see LILDBI-WEB-protection-WIN
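The following script is an added example, not part of the BIREME advisory or the LILDBI-WEB package: it applies the step 1 modes (555 for directories, 544 for files) to a DocumentRoot passed as an argument and then verifies that no entry under it deviates from those modes, so an administrator can confirm the step took effect. It assumes a POSIX find and chmod; the directory path is whatever your instance uses (the advisory's example is ./htdocs).

```shell
#!/bin/sh
# Added example (not from the advisory): apply and verify the step 1
# permissions on a LILDBI-WEB DocumentRoot. Directories get 555, files 544.

# Apply the prescribed modes. "-exec ... {} +" replaces the echo/xargs
# pipeline so paths containing spaces are handled safely.
harden_docroot() {
    root="$1"
    find "$root" -type d -exec chmod 555 {} +
    find "$root" -type f -exec chmod 544 {} +
}

# Verify the tree: list every entry whose mode is not exactly the
# prescribed one and return 1; return 0 only when everything conforms.
check_docroot() {
    root="$1"
    bad=$( { find "$root" -type d ! -perm 555; find "$root" -type f ! -perm 544; } )
    if [ -n "$bad" ]; then
        printf 'non-conforming entries under %s:\n%s\n' "$root" "$bad"
        return 1
    fi
    return 0
}

# Usage on the advisory's layout: harden, then confirm (path is an assumption).
# harden_docroot ./htdocs && check_docroot ./htdocs
```

Run check_docroot again after any package upgrade, since installers commonly restore writable modes.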
2 – Disable file upload and import
Replace the PHP files of your LILDBI-WEB instance with those in the attached package. This package should be unpacked in the directory named lildbi/ where the LILDBI-WEB instance is installed.
Link for the files:
Linux:
cd lildbi
tar xvzpf lildbi_linux_indisp.tar.gz
Windows: see LILDBI-WEB-protection-WIN
With this procedure, the document upload and ISO import facilities will be disabled, displaying the message “temporarily disabled”, until we send you the replacement files without the reported vulnerabilities.
3 – Next stages