Welcome to WebmasterWorld Guest from

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

warning: poorly written php exploit

reminder to always protect your code



11:18 pm on May 23, 2004 (gmt 0)

10+ Year Member

A new site of mine has been hit repeatedly with the request:


My file "email.php" was designed to read a URL from my website (defined in var 'page') and send it to a requested email address. This hack attempts to fool my site into reading remotely the following code:

<modnote - code removed>

It's too early for me to understand exactly what this code does. Perhaps someone can shed some light on the topic?

While I'm a paranoid coder and this exploit does not work on my site (I check all 'page' variables to ensure they actually exist as a page on my site), a little research shows that other webmasters have been hit with similar hacks that have brought networks to a halt. Again, it has targeted php pages that read local files via the query string (think about all those index.php?include=mypage.php content system designs...)

Just a warning to those using QS file references. Escape variables, check that files exist on your servers, etc.

You can never be too paranoid!

[edited by: jatar_k at 2:24 am (utc) on May 24, 2004]


12:44 am on May 24, 2004 (gmt 0)

10+ Year Member

this is a script to allow command execusion on the server. my suggestion, if you have not already done so, is to modify the code slightly so others wont use it.


2:27 am on May 24, 2004 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member

that code, which we will not post again ;), is specific to My_eGallery for PHPNuke.

the information about it can be found here
Security issues in My_eGallery for PHPNuke [lottasophie.sourceforge.net]

phpnuke has had numerous problems and as mentioned in that article

I do not intend to maintain My_eGallery for PHPNuke

but it would seem that My_eGallery has been fixed.

there is also a mention here

Let this serve as a reminder to always patch code, be careful of what packages you install on your server/site and always take all necessary precautions when coding.


2:55 am on May 24, 2004 (gmt 0)

10+ Year Member

You're right, I later saw the code reproduced in reference to the 'My_eGallery' problem. Apologies for reproducing it here!

While it affects My_eGallery, I believe it has the potential to exploit any site that reads URL's via the QS. I suspect this is why my site was targeted (I do not run My_eGallery, nor use any unofficial php applications / packages).


Featured Threads

Hot Threads This Week

Hot Threads This Month