
Re: help needed



Hello!

http://jesusch.de/~jesusch/tmp/access.log

There are many log entries with "something=http://"; style
pattern. These are common attack methods against default configured
servers with poorly written applications. Many of these rely on
register_globals=on php.ini setting. Turn it off first globally.
This may break some old PHP apps, but you can turn it back on
in virtualhosts locally.

At that mentioned time someone at least tried to access pages which are not accessible (index.php?img=1 e.g.)

There definitely might be a problem in the code:

if ( $_GET['page'] ) {
        include $_GET['page'].'/index.php';
}

Yes, that code is very dangerous. Vulnerable,
whether you turn off register_globals or not.
It uses $_GET['page'] variable without checking
its content.

Attackers successfully included that code for example:
http://home.comcast.net/~mr-meeks/r57.txt

My suggestion: turn allow_url_fopen off globally
in php.ini too. One small step to security with
minimal loss of functionality...

--
Szabolcs heilig
cece@phphost.hu
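As an added example (not part of the mail above, nor code from its authors), this is how the `include $_GET['page'].'/index.php'` snippet can be rewritten so that the request selects a page from a fixed allowlist instead of supplying the include path. The page names, the `pages/` directory and the 404 handling are assumptions for this example; the point is that user input is only ever used as a lookup key, never concatenated into the path, so neither a remote URL nor an arbitrary local file can be included regardless of the register_globals and allow_url_fopen settings.

```php
<?php
// Added example, not from the original mail: a hardened replacement for
//   if ( $_GET['page'] ) { include $_GET['page'].'/index.php'; }
// The page names and the pages/ directory are assumptions for this example.

// Allowlist: request value => directory name under pages/.
$allowedPages = array(
    'home'    => 'home',
    'about'   => 'about',
    'contact' => 'contact',
);

// Use 'home' when no page is requested; cast so arrays in the query string
// cannot reach the lookup below.
$requested = isset($_GET['page']) ? (string) $_GET['page'] : 'home';

// The request is only a key into the allowlist, never part of the path.
if (!array_key_exists($requested, $allowedPages)) {
    header('HTTP/1.0 404 Not Found');
    echo 'Unknown page';
    exit;
}

$pagesDir = realpath(__DIR__ . '/pages');
$file     = $pagesDir . '/' . $allowedPages[$requested] . '/index.php';

// Second line of defence: the resolved file must exist and lie inside pages/.
$real = realpath($file);
if ($pagesDir === false
    || $real === false
    || strpos($real, $pagesDir . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

include $real;
```

The php.ini hardening recommended in the mail (register_globals = Off, allow_url_fopen = Off) still applies as defence in depth; on PHP 5.2 and later, allow_url_include = Off is the directive that specifically blocks remote includes even where allow_url_fopen must stay on for other code.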


