[CS-FSLUG] PHP vulnerabilities?

Legatus lists at runyanrants.net
Thu Jun 1 22:32:48 CDT 2006

Don Parris wrote:
> On 6/1/06, Ed Hurst <ehurst at asisaid.com> wrote:
>> Brothers and Sisters, I'm puzzled by something. On my blog, I get the
>> usual attempts at link spam in the comments. Often, the link points to
>> files hidden on a server running some kind of PHP forum. Whenever I
>> notify the proper POC, the files are quickly removed in most cases.
>> Recently, an admin went crazy trying to find the file, but I was able to
>> wget the thing -- 99% was obfuscated JScript code, plus a few lines of text.
>> Then I read where an ostensibly Christian (Apostolic) PHP forum is found
>> hosting a bunch of really nasty malware files:
>> http://blog.spywareguide.com/2006/06/we_promised_botnet_crazy.html
>> Just how do miscreants slip past the security? I know of a couple of
>> these forums where the security seemed pretty tight, yet this stuff was
>> injected into the file structure.
> I don't have the answer to your question, but that was educational.
> Don

They don't exploit the security holes in the sense that a admin didn't 
tighten things down. They exploit security vulnerabilities in the 
software itself. They find an exploit in PHP, or Apache. PHP has had a 
harried life of vulnerabilities, and web masters tend to be slow to 
update, because updates often have broken sites. I haven't had this 
issue in the last couple of years, but the early days of PHP bit a lot 
of folks. The file probably doesn't exist. It is probably a embedded in 
a PHP script, and the query string calls a function that then generates 
the the file for download. The offending file was probably injected 
using a buffer overflow or other vulnerability in PHP, or by accessing 
another site on the same server that has a flaky file upload script, 
that will allow people to add a full path the the file they are 
uploading, thus putting the file exactly where they want. There are 
probably a hundred other ways to do this. Most people who add these 
things revel in the challenge of getting it there undetected. It is like 
solving a rubic cube.

More information about the Christiansource mailing list