Re: Shocking amount of PHP security holes? [message #171133 is a reply to message #171083] Mon, 27 December 2010 08:22
alvaro.NOSPAMTHANX
On 23/12/2010 22:16, Ignoramus30015 wrote:
> On 2010-12-23, Álvaro G. Vicario<alvaro(dot)NOSPAMTHANX(at)demogracia(dot)com(dot)invalid> wrote:
>> On 23/12/2010 16:39, Ignoramus30015 wrote:
>>> I have been looking at my apache logs, and I see a tremendous amount
>>> of queries that clearly are attempts to hack me.
>>>
>>> One typical example
>>>
>>> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
>>>
>>> Many other examples about, where attackers try to override system
>>> variables with web-supplied parameters. Kind of overriding PATH or
>>> LD_LIBRARY_PATH variables to subvert setuid programs.
>>>
>>> My main question is WTF? Why exactly does PHP let remote web users
>>> override those variables?
>>
>> It was a wrong design decision taken by the PHP team many years ago. In
>> earlier versions PHP would automatically create variables from several
>> input sources so you could code <input type="text" name="email"> and
>> automatically get user data available at $email. After that, the web
>> evolved, security became a concern and this feature was (kind of) disabled.
>
> Thanks. Is there a way to disable it for sure, across the board, for
> all PHP programs?

As you've said in other threads, the feature is called "register
globals". It's disabled by default in any PHP version released in
recent years; just make sure it's disabled and you'll be fine.

If you're worried about the subject you may want to read the security
chapter in the PHP manual:

http://es.php.net/manual/en/security.php


> Do you know if mediawiki has any recently known security holes
> exploitable by non-registered users?

I haven't used that piece of software but I bet the answer is "yes" ;-)
Just try to keep it configured securely and keep it updated, like you do
with SSH, OpenSSL or the Linux kernel. Almost all exploits are based on
bugs that are already fixed.


--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My satin-humour website: http://www.demogracia.com
--
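As an added example (not code from the thread or from either poster), a small Python log scanner that flags the two request patterns discussed above: directory traversal with a trailing `%00` like the quoted `/etc/passwd` probe, and query parameters that try to override environment variables such as PATH or LD_LIBRARY_PATH. The log regex, the parameter list and the two extra sample lines are my own constructions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log format; the vhost appended at the end (as in the quoted line) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Parameter names that only make sense as an attempt to override process environment
# via register_globals. PATH and LD_LIBRARY_PATH come from the thread; LD_PRELOAD is an assumption.
SUSPICIOUS_PARAMS = {"path", "ld_library_path", "ld_preload"}

# Constructed sample input: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_LINES = [
    '87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com',
    '192.0.2.10 - - [22/Dec/2010:00:02:00 -0600] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0" my.site.com',
    '198.51.100.7 - - [22/Dec/2010:00:03:00 -0600] "GET /index.php?PATH=/tmp/x HTTP/1.0" 200 512 "-" "curl/7.21" my.site.com',
]

def analyze_request(line):
    """Return a list of findings for one log line ([] if benign, None if the line does not parse)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_query = urlsplit(m.group("target")).query
    decoded = unquote(raw_query)  # single decode; "%00" becomes a literal NUL byte
    findings = []
    if "\x00" in decoded:
        findings.append("null-byte")  # classic trick to cut off a ".php" suffix appended by the app
    if "../" in decoded or "..\\" in decoded:
        findings.append("path-traversal")
    if re.search(r"(^|/)etc/passwd", decoded):
        findings.append("sensitive-file")
    for name, _value in parse_qsl(raw_query, keep_blank_values=True):
        if name.lower() in SUSPICIOUS_PARAMS:
            findings.append(f"env-override:{name}")
    return findings

def scan(lines):
    """Return (ip, findings) for every parseable line that produced at least one finding."""
    hits = []
    for line in lines:
        findings = analyze_request(line)
        if findings:
            hits.append((LOG_RE.match(line).group("ip"), findings))
    return hits

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LINES):
        print(ip, ", ".join(findings))
```

A hit on a request that returned 200 rather than 404 is the one worth following up, since it means the script actually existed and handled the input.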