Re: Strange Apache log entry

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Sun, Aug 29, 2010 at 12:45:53AM -0700, Gordon Messmer wrote:
> On 08/28/2010 05:30 AM, Stephen Harris wrote:
> > In general it's not just PHP; it could be perl, script.. anything
> > eg this extremely bad and broken CGI program:
> 
> That's true, but /proc/environ isn't in a format that's valid for most 
> languages.  If a PHP script can be made to include /proc/environ, code 

There's nothing special about /proc/$$/environ.  All the variables in there
are already available to the process.  eg
  #!/bin/sh
  echo Content-Type: text/plain
  echo
  env
shows everything in the environment

> can be injected by the caller.  For instance, their Agent string could 
> include PHP code which would end up executed.  Other languages may not 

If a shell script can be tricked into running (be badly written so that
it runs an) eval statement on a variable then code can be injected in
the same way.  A perl programming calling ` ` on an unchecked string,
a C program calling system() on unchecked string, a shell script
calling subshells...  In fact that's how early code injection worked.
If you see %60 or %3B in the query_string then it's a good chance of an
attempted code injection.

Badly written CGI programs are badly written CGI programs no matter
what language they're written in.  The exact nature of the exploit may
be different, but they all fall into a similar class - the programmer
****ed up.

-- 

rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux