Re: Shocking amount of PHP security holes? [message #171088 is a reply to message #171085]
Fri, 24 December 2010 12:09
The Natural Philosoph
Ignoramus30015 wrote:
> On 2010-12-23, The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:
>> Norman Peelman wrote:
>>> Ignoramus30015 wrote:
>>>> I have been looking at my apache logs, and I see a tremendous amount
>>>> of queries that clearly are attempts to hack me.
>>>> One typical example
>>>>
>>>> 87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET
>>>> /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00
>>>> HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9
>>>> sun4u; X11)" my.site.com
>>>>
>>> In this case apache returned a '404 Page not found'
>>>
>>>> Many other examples about, where attackers try to override system
>>>> variables with web-supplied parameters. Kind of overriding PATH or
>>>> LD_LIBRARY_PATH variables to subvert setuid programs.
>>>>
>>>> My main question is WTF? Why exactly does PHP let remote web users
>>>> override those variables?
>>>>
>>> Can you supply an example of this?
>>>
>>>> This situation is why I never permit php software on my servers, with
>>>> exception of mediawiki. Even here I am very reluctant.
>>>> I use another language to make websites, and in that language web
>>>> parameters can be received by querying for them specifically, they do
>>>> not clobber system variables.
>>>>
>>>> Can someone shed light on this, this question bugs me a great deal.
>>>>
>>>> i
>>>>
>>>
>> Indeed. My sites show persistent attempts to access something called
>> phpmyadmin.php, whatever that is..
>>
>> The problem is sites written not even in php, but in something like
>> joomla over PHP, where it's made very easy to use and contains well known
>> files in well known places that have administrative privileges.
>>
>> All such files I place behind an .htaccess protected directory whose
>> existence and the names are non obvious. And whose accesses are carefully
>> logged.
>>
>> Ease of use for noobs to get stuff working always and inevitably carries
>> the risk of ease of use for smarts to take control of.
>>
>>
>>
>>
>
> I am not sure if I agree 100%. I think that if web queries did not
> override variables, it would be several times safer. Of course, if a
> developer does not validate filenames, permitting something like
> ../../../../etc/passwd or some such, they would get hacked, but at
> least they would not be screwed unwittingly.
>
It's a judgement call. Nothing is 100% safe, and the easier it is to use
the less safe it tends to be.
I try to write my code so the pages return only precisely what they
should, or at worst, something the user could have got anyway.
>
> i
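As an added example (not code from anyone in this thread), a small Python scanner that flags requests like the one quoted above when reading Apache combined-format logs: it URL-decodes the request path so encoded `%2e%2e%2f` and `%00` forms are caught as well as literal ones. The log lines are constructed for the example; the first reuses the request from the post, the second is a benign request to the same script.

```python
import re
from urllib.parse import unquote

# Apache combined log format; the trailing vhost field seen in the post's line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: first line is the request quoted in the thread, second is benign.
SAMPLE_LOG = """\
87.121.164.1 - - [22/Dec/2010:00:01:10 -0600] "GET /manuals/index.php?bi=./../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)" my.site.com
10.0.0.5 - - [22/Dec/2010:00:02:00 -0600] "GET /manuals/index.php?bi=intro HTTP/1.1" 200 1532 "-" "Mozilla/5.0" my.site.com
"""


def traversal_indicators(raw_path):
    """Return the traversal-related indicators present in a request path.

    The path is percent-decoded first so that %2e%2e%2f and %00 are detected
    the same way as their literal forms.
    """
    decoded = unquote(raw_path)
    found = []
    if "../" in decoded or "..\\" in decoded:
        found.append("dot-dot-slash")
    if "\x00" in decoded:
        found.append("null-byte")
    if "/etc/passwd" in decoded:
        found.append("etc-passwd")
    return found


def scan_log(text):
    """Parse each log line; return a record for every request carrying traversal indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        inds = traversal_indicators(m["path"])
        if inds:
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "indicators": inds})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ",".join(hit["indicators"]), hit["path"])
```

The status code is kept in each record because a 200 on such a request (rather than the 404 in the post) is the case that warrants follow-up.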