Shocking amount of PHP security holes? [message #171077]
Thu, 23 December 2010 15:39
Ignoramus30015
I have been looking at my apache logs, and I see a tremendous amount
of queries that clearly are attempts to hack me.
One typical example
87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
Many other examples abound, where attackers try to override system
variables with web-supplied parameters. Kind of like overriding PATH or
LD_LIBRARY_PATH variables to subvert setuid programs.
My main question is WTF? Why exactly does PHP let remote web users
override those variables?
This situation is why I never permit php software on my servers, with
exception of mediawiki. Even here I am very reluctant.
I use another language to make websites, and in that language web
parameters can be received by querying for them specifically, they do
not clobber system variables.
Can someone shed light on this, this question bugs me a great deal.
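The request quoted in the post is a directory-traversal probe with a trailing null byte (%00), aimed at getting a file-include parameter to read /etc/passwd. What follows is a detection pass over access-log lines of that shape, added here as an example for this thread; it is not the poster's code. The log lines are constructed (the first mirrors the quoted request, the other two are made up to cover double encoding and a benign request), and the regex, the SENSITIVE_FILES list and the function names are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format with the extra trailing vhost field seen in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Files that traversal probes typically try to read (assumed list, not from the post).
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "boot.ini", "win.ini")

# Constructed sample lines. The first copies the shape of the line quoted in the post;
# the second is a double-encoded probe, the third a benign request.
SAMPLE_LOG = """\
87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
192.0.2.10 - - [22/Dec/2010:00:02:30 -0600] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 512 "-" "curl/7.21.0" my.site.com
198.51.100.7 - - [22/Dec/2010:00:03:05 -0600] "GET /manuals/index.php?bi=intro HTTP/1.1" 200 4096 "-" "Mozilla/5.0" my.site.com
"""


def fully_decode(value: str) -> str:
    """Percent-decode until stable, so %252e%252e%252f (double-encoded ../) is caught."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value


def classify(target: str) -> list[str]:
    """Return the traversal / null-byte indicators found in one request target."""
    parts = urlsplit(target)
    findings = []
    # Check the path itself and every query parameter after full decoding.
    checks = [("path", fully_decode(parts.path))]
    checks += [(name, fully_decode(raw))
               for name, raw in parse_qsl(parts.query, keep_blank_values=True)]
    for name, value in checks:
        if "../" in value or "..\\" in value:
            findings.append(f"{name}: directory traversal")
        if "\x00" in value:
            findings.append(f"{name}: null byte truncation")
        for path in SENSITIVE_FILES:
            if path in value:
                findings.append(f"{name}: reads {path}")
    return findings


def scan(log_text: str) -> list[dict]:
    """Parse each log line and return only those whose target carries attack indicators.

    A 404 does not mean the probe was harmless: it says this host had no such script,
    so the same request is worth reporting regardless of status.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"])
        for finding in hit["findings"]:
            print("   ", finding)
```

Decoding until the value stops changing is what catches the second sample line: a single pass turns %252e into %2e and misses the traversal entirely. Run against a real log, the scan reports the first two lines and ignores the third.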