FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Shocking amount of PHP security holes?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Shocking amount of PHP security holes? [message #171081 is a reply to message #171079] Thu, 23 December 2010 18:49 Go to previous messageGo to previous message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma:
Senior Member
Norman Peelman wrote:
> Ignoramus30015 wrote:
>> I have been looking at my apache logs, and I see a tremendous amount
>> of queries that clearly are attempts to hack me.
>> One typical example
>>
>> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET
>> /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00
>> HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9
>> sun4u; X11)" my.site.com
>>
>
> In this case apache returned a '404 Page not found'
>
>> Many other examples about, where attackers try to override system
>> variables with web-supplied parameters. Kind of overriding PATH or
>> LD_LIBRARY_PATH variables to subvert setuid programs.
>>
>> My main question is WTF? Why exactly does PHP let remote web users
>> override those variables?
>>
>
> Can you supply an example of this?
>
>> This situation is why I never permit php software on my servers, with
>> exception of mediawiki. Even here I am very reluctant.
>> I use another language to make websites, and in that language web
>> parameters can be received by querying for them specifically, they do
>> not clobber system variables.
>>
>> Can someone shed light on this, this question bugs me a great deal.
>>
>> i
>>
>
>
Indeed.My sites show persistent attempts to access something called
phpmyadmin.php, whatever that is..

The problem is sites written not even in php, but in something like
joomla over PHP, were its made very easy to use and contains well known
files in well known places that have administrative privileges.

All such files I place behind an .htaccess protected directory whose
existence and the names are non obvous. And whose accesses are carefully
logged.

Ease of use for noobs to get stuff working always and inevitably carries
the risk of ease of use for smarts to take control of.
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: PHP
Next Topic: PHP WEBSITE DEVELOPER REQUIRED
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 03:08:53 GMT 2024

Total time taken to generate the page: 0.05198 seconds