Posted by shimmyshack on 02/23/07 18:38

On 23 Feb, 18:02, Rik <luiheidsgoe...@hotmail.com> wrote:
> shimmyshack <matt.fa...@gmail.com> wrote:
> Rik <luiheidsgoe...@hotmail.com> wrote:
> >> Rik <luiheidsgoe...@hotmail.com> wrote:
> >> > shimmyshack <matt.fa...@gmail.com> wrote:
> >> >> This is the only statement in my httpd.conf:
>
> >> >> AddType application/x-httpd-php .php
>
> >> >> and yet the attack works.
> >> >> The server doesnt have to be set up to parse every doc for php, that
> >> >> was an assumption.
> >> >> Has anyone here tried it on their server?
>
> >> > Attack does not work here on the local server....
>
> >> And the live server is also safe :-)
>
> > out of interest what are you running, is php a module, ta.
>
> Homebox:
> W2K, Apache 2.2.2, PHP 5.1.4 as a module.
>
> Live server:
> FreeBSD 5.3, Apache 2.0.54, PHP 4.4.2 (yes, still, goddamnit) as a module.
>
> But it's all about configuration offcourse :P
> --
> Rik Wasmus

Rik,
Ive sent you an email to the hotmail address luihei...
just to help me clear up a few details. Thanks for the above details.

I should make it clear to anyone interested that the type of exploit
we're talking about does NOT involve saving php code with a jpg
extension and then calling it in a browser:

<?php system('echo hello > hello.htm'); ?>
saved as hello.jpg, and then called using
htpp://server.com/hello.jpg

now that wouldn't usualy work unless you've asked your server to parse
jpgs looking for php code, which is why its a bad idea in general.

The type of attack that usually DOES work on a windows box is to embed
php code inside the binary header of a jpg, usually using a tool to do
it. Even if the server is set up to only parse .php files, it will
still execute the embedded php code inside a jpg.
more info see:
http://milw0rm.com/video/watch.php?id=57

do no evil

• Next in forum: Re: Qustion on viewing code
• Prev in forum: Re: Qustion on viewing code
• Thread view: Re: Qustion on viewing code

[Reply to this message]