FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Shocking amount of PHP security holes?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Shocking amount of PHP security holes? [message #171077] Thu, 23 December 2010 15:39 Go to previous message
Ignoramus30015 is currently offline  Ignoramus30015
Messages: 4
Registered: December 2010
Karma:
Junior Member
I have been looking at my apache logs, and I see a tremendous amount
of queries that clearly are attempts to hack me.

One typical example

87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com

Many other examples about, where attackers try to override system
variables with web-supplied parameters. Kind of overriding PATH or
LD_LIBRARY_PATH variables to subvert setuid programs.

My main question is WTF? Why exactly does PHP let remote web users
override those variables?

This situation is why I never permit php software on my servers, with
exception of mediawiki. Even here I am very reluctant.

I use another language to make websites, and in that language web
parameters can be received by querying for them specifically, they do
not clobber system variables.

Can someone shed light on this, this question bugs me a great deal.

i
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: PHP
Next Topic: PHP WEBSITE DEVELOPER REQUIRED
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 10 16:33:47 GMT 2024

Total time taken to generate the page: 0.04916 seconds