| Re: Shocking amount of PHP security holes? [message #171081 is a reply to message #171079] |
Thu, 23 December 2010 18:49   |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma:
|
Senior Member |
|
|
Norman Peelman wrote:
> Ignoramus30015 wrote:
>> I have been looking at my apache logs, and I see a tremendous amount
>> of queries that clearly are attempts to hack me.
>> One typical example
>>
>> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET
>> /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00
>> HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9
>> sun4u; X11)" my.site.com
>>
>
> In this case apache returned a '404 Page not found'
>
>> Many other examples about, where attackers try to override system
>> variables with web-supplied parameters. Kind of overriding PATH or
>> LD_LIBRARY_PATH variables to subvert setuid programs.
>>
>> My main question is WTF? Why exactly does PHP let remote web users
>> override those variables?
>>
>
> Can you supply an example of this?
>
>> This situation is why I never permit php software on my servers, with
>> exception of mediawiki. Even here I am very reluctant.
>> I use another language to make websites, and in that language web
>> parameters can be received by querying for them specifically, they do
>> not clobber system variables.
>>
>> Can someone shed light on this, this question bugs me a great deal.
>>
>> i
>>
>
>
Indeed.My sites show persistent attempts to access something called
phpmyadmin.php, whatever that is..
The problem is sites written not even in php, but in something like
joomla over PHP, were its made very easy to use and contains well known
files in well known places that have administrative privileges.
All such files I place behind an .htaccess protected directory whose
existence and the names are non obvous. And whose accesses are carefully
logged.
Ease of use for noobs to get stuff working always and inevitably carries
the risk of ease of use for smarts to take control of.
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]