FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Shocking amount of PHP security holes?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Shocking amount of PHP security holes? [message #171079 is a reply to message #171077] Thu, 23 December 2010 18:42 Go to previous messageGo to previous message
Norman Peelman is currently offline  Norman Peelman
Messages: 126
Registered: September 2010
Karma:
Senior Member
Ignoramus30015 wrote:
> I have been looking at my apache logs, and I see a tremendous amount
> of queries that clearly are attempts to hack me.
>
> One typical example
>
> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
>

In this case apache returned a '404 Page not found'

> Many other examples about, where attackers try to override system
> variables with web-supplied parameters. Kind of overriding PATH or
> LD_LIBRARY_PATH variables to subvert setuid programs.
>
> My main question is WTF? Why exactly does PHP let remote web users
> override those variables?
>

Can you supply an example of this?

> This situation is why I never permit php software on my servers, with
> exception of mediawiki. Even here I am very reluctant.
>
> I use another language to make websites, and in that language web
> parameters can be received by querying for them specifically, they do
> not clobber system variables.
>
> Can someone shed light on this, this question bugs me a great deal.
>
> i
>


--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: PHP
Next Topic: PHP WEBSITE DEVELOPER REQUIRED
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 06:13:24 GMT 2024

Total time taken to generate the page: 0.04424 seconds