Re: Shocking amount of PHP security holes? [message #171079 is a reply to message #171077]
Thu, 23 December 2010 18:42
Norman Peelman
Ignoramus30015 wrote:
> I have been looking at my apache logs, and I see a tremendous amount
> of queries that clearly are attempts to hack me.
>
> One typical example
>
> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
>
In this case Apache returned a '404 Page not found'.
> Many other examples about, where attackers try to override system
> variables with web-supplied parameters. Kind of overriding PATH or
> LD_LIBRARY_PATH variables to subvert setuid programs.
>
> My main question is WTF? Why exactly does PHP let remote web users
> override those variables?
>
Can you supply an example of this?
> This situation is why I never permit php software on my servers, with
> exception of mediawiki. Even here I am very reluctant.
>
> I use another language to make websites, and in that language web
> parameters can be received by querying for them specifically, they do
> not clobber system variables.
>
> Can someone shed light on this, this question bugs me a great deal.
>
> i
>
--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
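The log line quoted above is a classic directory-traversal probe (repeated `../` plus a `%00` null byte aimed at `/etc/passwd`). The following Python scanner is an added example, not code from either poster: it parses Apache combined-format lines like the one in the thread and flags traversal, null-byte and sensitive-file patterns in the request target, decoding percent-encoding twice so a double-encoded probe is not missed. The sample log lines other than the quoted one are constructed.

```python
import re
from urllib.parse import unquote

# Apache combined log format; a trailing vhost field (as in the thread's line) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def decode_target(target):
    # Decode twice so "..%252f" (double-encoded "../") is seen as a traversal too.
    return unquote(unquote(target))

def classify(target):
    """Return the reasons (possibly none) a request target looks like a traversal probe."""
    decoded = decode_target(target)
    reasons = []
    if '\x00' in decoded:
        reasons.append('null-byte')           # %00 used to truncate a filename in older PHP
    if re.search(r'\.\.[/\\]', decoded):
        reasons.append('dot-dot-traversal')
    if re.search(r'/etc/(?:passwd|shadow)', decoded):
        reasons.append('sensitive-file')
    return reasons

def scan(lines):
    """Return (ip, status, target, reasons) for every parsable line that trips a rule.
    A 404 means the probe missed on this host, but the client is still worth watching."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m['target'])
        if reasons:
            hits.append((m['ip'], int(m['status']), m['target'], reasons))
    return hits

# Constructed sample: the line quoted in the thread, a benign request, a double-encoded probe.
SAMPLE_LOG = [
    '87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com',
    '192.0.2.10 - - [22/Dec/2010:00:02:00 -0600] "GET /manuals/index.php?bi=intro HTTP/1.1" 200 5120 "-" "Mozilla/5.0" my.site.com',
    '198.51.100.7 - - [22/Dec/2010:00:03:30 -0600] "GET /manuals/index.php?bi=..%252f..%252fetc%252fpasswd HTTP/1.0" 404 296 "-" "curl/7.21.0" my.site.com',
]

if __name__ == '__main__':
    for ip, status, target, reasons in scan(SAMPLE_LOG):
        print(ip, status, ', '.join(reasons), target)
```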