Posted by shimmyshack on 02/23/07 19:36

On 23 Feb, 19:11, "Steve" <no....@example.com> wrote:
> "shimmyshack" <matt.fa...@gmail.com> wrote in message
>
> news:1172257128.974602.324590@z35g2000cwz.googlegroups.com...
> | On 23 Feb, 18:38, "Steve" <no....@example.com> wrote:
> | > "Rik" <luiheidsgoe...@hotmail.com> wrote in message
> | >
> | >news:op.tn7q1znlqnv3q9@misant...|shimmyshack <matt.fa...@gmail.com>
> wrote:
> | > | Rik <luiheidsgoe...@hotmail.com> wrote:
> | >
> | > | >> Rik <luiheidsgoe...@hotmail.com> wrote:
> | > | >> > shimmyshack <matt.fa...@gmail.com> wrote:
> | > | >> >> This is the only statement in my httpd.conf:
> | > | >>
> | > | >> >> AddType application/x-httpd-php .php
> | > | >>
> | > | >> >> and yet the attack works.
> | > | >> >> The server doesnt have to be set up to parse every doc for php,
> that
> | > | >> >> was an assumption.
> | > | >> >> Has anyone here tried it on their server?
> | > | >>
> | > | >> > Attack does not work here on the local server....
> | > | >>
> | > | >> And the live server is also safe :-)
> | > | >
> | > | > out of interest what are you running, is php a module, ta.
> | > |
> | > | Homebox:
> | > | W2K, Apache 2.2.2, PHP 5.1.4 as a module.
> | > |
> | > | Live server:
> | > | FreeBSD 5.3, Apache 2.0.54, PHP 4.4.2 (yes, still, goddamnit) as a
> module.
> | >
> | > lol. it feels that way some times don't it. ;^)
> |
> | steve with regards your previous offer, the phrase "i'm not worthy"
> | flashes into my shrivelled brain. Although of course it would be fun,
> | have you taken a look at the great CAL9000 stuff from RSnake (http://
> |www.owasp.org/index.php/Category:OWASP_CAL9000_Project)?While not
> | specifically aimed at server side pen testing, it is the vector by
> | which your code could be introduced.
>
> i'm pretty clueless with hacking methods not too far into the topic. i do
> have script that 'inventories' a site. the information it provides is a good
> documentation tool when presenting file dependencies or architecture...it is
> also scary to believe that i could execute it on someone else's server.
>
> i'll have a look at the link. the real test is knowing how to introduce the
> script so that it can be executed. failing the test would mean that i know
> more than enough about the site tested to control it at will. i'll have to
> shelve it for a while till i can get to putting it all together.
>
> cheers

send me an email when you have time, and I'll do what I can to help in
any way I can, it sounds like a very interesting project, and useful
too. Might be a welcome addon to OWASP who have inttroduced the PHP
top ten and would support the ongoing effort into a project like this.
Not too sure about the name though!

• Next in forum: Re: Qustion on viewing code
• Prev in forum: Re: Qustion on viewing code
• Thread view: Re: Qustion on viewing code

[Reply to this message]