[CS-FSLUG] PHP vulnerabilities?
Legatus
lists at runyanrants.net
Thu Jun 1 22:32:48 CDT 2006
Don Parris wrote:
> On 6/1/06, Ed Hurst <ehurst at asisaid.com> wrote:
>> Brothers and Sisters, I'm puzzled by something. On my blog, I get the
>> usual attempts at link spam in the comments. Often, the link points to
>> files hidden on a server running some kind of PHP forum. Whenever I
>> notify the proper POC, the files are quickly removed in most cases.
>> Recently, an admin went crazy trying to find the file, but I was able to
>> wget the thing -- 99% was obfuscated JScript code, plus a few lines of text.
>>
>> Then I read where an ostensibly Christian (Apostolic) PHP forum is found
>> hosting a bunch of really nasty malware files:
>>
>> http://blog.spywareguide.com/2006/06/we_promised_botnet_crazy.html
>>
>> Just how do miscreants slip past the security? I know of a couple of
>> these forums where the security seemed pretty tight, yet this stuff was
>> injected into the file structure.
>>
>
> I don't have the answer to your question, but that was educational.
>
> Don
They don't exploit the security holes in the sense that an admin didn't
tighten things down. They exploit security vulnerabilities in the
software itself. They find an exploit in PHP, or Apache. PHP has had a
harried life of vulnerabilities, and web masters tend to be slow to
update, because updates often have broken sites. I haven't had this
issue in the last couple of years, but the early days of PHP bit a lot
of folks. The file probably doesn't exist. It is probably embedded in
a PHP script, and the query string calls a function that then generates
the file for download. The offending file was probably injected
using a buffer overflow or other vulnerability in PHP, or by accessing
another site on the same server that has a flaky file upload script,
that will allow people to add a full path to the file they are
uploading, thus putting the file exactly where they want. There are
probably a hundred other ways to do this. Most people who add these
things revel in the challenge of getting it there undetected. It is like
solving a Rubik's cube.
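
The upload-path weakness mentioned in the message above, seen from the defending side, as an added example that is not part of the original post or of any forum package: the server, not the client, decides both the directory and the stored file name. The function name `safe_upload_target`, the extension allowlist, the form field name and the sample names are assumptions constructed for illustration.

```php
<?php
// Added example (not from the original thread). Names and paths are hypothetical.

const ALLOWED_EXT = ['jpg', 'png', 'gif', 'txt'];

/**
 * Map a client-supplied upload name to a destination inside $uploadDir.
 * Returns null when the upload must be rejected.
 */
function safe_upload_target(string $uploadDir, string $clientName): ?string
{
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;                       // upload directory must already exist
    }
    // Treat backslashes as separators too, then keep only the last path
    // component, so any directory part the client sent is discarded.
    $name = basename(str_replace('\\', '/', $clientName));
    // Allowlist characters; this also drops NUL bytes and control characters.
    $name = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');             // refuse dotfiles such as .htaccess
    if ($name === '') {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                       // scripts never land in the upload dir
    }
    // Store under a server-generated name: the client's name is only used
    // to pick the extension and can be kept separately for display.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return $base . DIRECTORY_SEPARATOR . $stored;
}

// Constructed sample names: one ordinary upload and several carrying a path.
$samples = ['photo.JPG', '../../htdocs/forum/cache/x.php',
            '/var/www/site/index.php', '.htaccess', 'notes.txt'];
foreach ($samples as $clientName) {
    $target = safe_upload_target(sys_get_temp_dir(), $clientName);
    printf("%-34s => %s\n", $clientName, $target ?? 'REJECTED');
}

// In a real handler the result feeds move_uploaded_file(), e.g.
//   $target = safe_upload_target('/srv/uploads', $_FILES['f']['name']);
//   if ($target !== null) { move_uploaded_file($_FILES['f']['tmp_name'], $target); }
```

Only `photo.JPG` and `notes.txt` are accepted, and both are written under a random name inside the one upload directory.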