FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Shocking amount of PHP security holes?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Shocking amount of PHP security holes? [message #171085 is a reply to message #171081] Thu, 23 December 2010 21:26 Go to previous messageGo to previous message
Ignoramus30015 is currently offline  Ignoramus30015
Messages: 4
Registered: December 2010
Karma:
Junior Member
On 2010-12-23, The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
> Norman Peelman wrote:
>> Ignoramus30015 wrote:
>>> I have been looking at my apache logs, and I see a tremendous amount
>>> of queries that clearly are attempts to hack me.
>>> One typical example
>>>
>>> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET
>>> /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00
>>> HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9
>>> sun4u; X11)" my.site.com
>>>
>>
>> In this case apache returned a '404 Page not found'
>>
>>> Many other examples about, where attackers try to override system
>>> variables with web-supplied parameters. Kind of overriding PATH or
>>> LD_LIBRARY_PATH variables to subvert setuid programs.
>>>
>>> My main question is WTF? Why exactly does PHP let remote web users
>>> override those variables?
>>>
>>
>> Can you supply an example of this?
>>
>>> This situation is why I never permit php software on my servers, with
>>> exception of mediawiki. Even here I am very reluctant.
>>> I use another language to make websites, and in that language web
>>> parameters can be received by querying for them specifically, they do
>>> not clobber system variables.
>>>
>>> Can someone shed light on this, this question bugs me a great deal.
>>>
>>> i
>>>
>>
>>
> Indeed.My sites show persistent attempts to access something called
> phpmyadmin.php, whatever that is..
>
> The problem is sites written not even in php, but in something like
> joomla over PHP, were its made very easy to use and contains well known
> files in well known places that have administrative privileges.
>
> All such files I place behind an .htaccess protected directory whose
> existence and the names are non obvous. And whose accesses are carefully
> logged.
>
> Ease of use for noobs to get stuff working always and inevitably carries
> the risk of ease of use for smarts to take control of.
>
>
>
>

I am not sure if I agree 100%. I think that if web queries did not
override variables, it would be several times safer. Of course, if a
developer does not valudate filenames, permitting something like
.../../../../etc/passwd or some such, they would get hacked, but at
least they would not be screwed unwittingly.


i
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: PHP
Next Topic: PHP WEBSITE DEVELOPER REQUIRED
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 05:42:25 GMT 2024

Total time taken to generate the page: 0.05450 seconds