Re: Shocking amount of PHP security holes? [message #171085 is a reply to message #171081]
Thu, 23 December 2010 21:26
Ignoramus30015
Messages: 4 Registered: December 2010
On 2010-12-23, The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
> Norman Peelman wrote:
>> Ignoramus30015 wrote:
>>> I have been looking at my apache logs, and I see a tremendous amount
>>> of queries that clearly are attempts to hack me.
>>> One typical example
>>>
>>> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET
>>> /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00
>>> HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9
>>> sun4u; X11)" my.site.com
>>>
>>
>> In this case apache returned a '404 Page not found'
>>
>>> Many other examples about, where attackers try to override system
>>> variables with web-supplied parameters. Kind of overriding PATH or
>>> LD_LIBRARY_PATH variables to subvert setuid programs.
>>>
>>> My main question is WTF? Why exactly does PHP let remote web users
>>> override those variables?
>>>
>>
>> Can you supply an example of this?
>>
>>> This situation is why I never permit php software on my servers, with
>>> exception of mediawiki. Even here I am very reluctant.
>>> I use another language to make websites, and in that language web
>>> parameters can be received by querying for them specifically, they do
>>> not clobber system variables.
>>>
>>> Can someone shed light on this, this question bugs me a great deal.
>>>
>>> i
>>>
>>
>>
> Indeed. My sites show persistent attempts to access something called
> phpmyadmin.php, whatever that is..
>
> The problem is sites written not even in php, but in something like
> joomla over PHP, where it's made very easy to use and contains well known
> files in well known places that have administrative privileges.
>
> All such files I place behind an .htaccess protected directory whose
> existence and the names are non-obvious. And whose accesses are carefully
> logged.
>
> Ease of use for noobs to get stuff working always and inevitably carries
> the risk of ease of use for smarts to take control of.
>
I am not sure if I agree 100%. I think that if web queries did not
override variables, it would be several times safer. Of course, if a
developer does not validate filenames, permitting something like
.../../../../etc/passwd or some such, they would get hacked, but at
least they would not be screwed unwittingly.
i
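The behaviour the thread is asking about is PHP's legacy register_globals setting, which turned every request parameter into a global variable. The following is an added example, not code posted by anyone in this thread: it shows that pattern as a comment beside a handler that reads the parameter explicitly and validates it before touching the filesystem. It assumes a `manuals` directory next to the script and a page parameter named `bi`, as in the logged request.

```php
<?php
// --- Vulnerable pattern (what register_globals=On made possible) ---
// With register_globals enabled, ?bi=... sets the global $bi before any
// line of this script runs. Nothing below reads $_GET, yet the request
// controls the path, and a traversal string plus a %00 byte reaches
// include() unvalidated. Kept as a comment so this file never runs it:
//
//   include "manuals/$bi";

// --- Hardened form: explicit input, allow-list, containment check ---
// Resolve a manual page name to an absolute path inside $base_dir, or
// return null if the name is not a plain page name or escapes the tree.
function resolve_manual_page($requested, $base_dir)
{
    // Only letters, digits, dash and underscore, bounded in length. This
    // rejects '/', '.', and the NUL byte (the %00 in the logged request)
    // before any filesystem call is made.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $requested . '.html');

    // realpath() returns false for a missing file. The prefix check also
    // catches symlinks inside manuals/ that point outside the directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Read the parameter by name from $_GET, never from a global that the
// request may have populated. Default to the index page when absent.
$requested = isset($_GET['bi']) ? (string) $_GET['bi'] : 'index';
$page = resolve_manual_page($requested, __DIR__ . '/manuals');

if ($page === null) {
    // Same outcome Apache gave the logged probe: a 404, nothing disclosed.
    header('HTTP/1.0 404 Not Found');
    exit('Not found');
}
readfile($page);
```

With register_globals=Off (the default since PHP 4.2 and removed in 5.4), the commented-out line would only ever see an undefined `$bi`; the explicit `$_GET` read plus the allow-list is what makes the handler safe regardless of that setting.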