Reply to Re: Qustion on viewing code

Your name:

Reply:


Posted by shimmyshack on 02/23/07 18:38

On 23 Feb, 18:02, Rik <luiheidsgoe...@hotmail.com> wrote:
> shimmyshack <matt.fa...@gmail.com> wrote:
> Rik <luiheidsgoe...@hotmail.com> wrote:
> >> Rik <luiheidsgoe...@hotmail.com> wrote:
> >> > shimmyshack <matt.fa...@gmail.com> wrote:
> >> >> This is the only statement in my httpd.conf:
>
> >> >> AddType application/x-httpd-php .php
>
> >> >> and yet the attack works.
> >> >> The server doesnt have to be set up to parse every doc for php, that
> >> >> was an assumption.
> >> >> Has anyone here tried it on their server?
>
> >> > Attack does not work here on the local server....
>
> >> And the live server is also safe :-)
>
> > out of interest what are you running, is php a module, ta.
>
> Homebox:
> W2K, Apache 2.2.2, PHP 5.1.4 as a module.
>
> Live server:
> FreeBSD 5.3, Apache 2.0.54, PHP 4.4.2 (yes, still, goddamnit) as a module.
>
> But it's all about configuration offcourse :P
> --
> Rik Wasmus

Rik,
Ive sent you an email to the hotmail address luihei...
just to help me clear up a few details. Thanks for the above details.

I should make it clear to anyone interested that the type of exploit
we're talking about does NOT involve saving php code with a jpg
extension and then calling it in a browser:

<?php system('echo hello > hello.htm'); ?>
saved as hello.jpg, and then called using
htpp://server.com/hello.jpg

now that wouldn't usualy work unless you've asked your server to parse
jpgs looking for php code, which is why its a bad idea in general.

The type of attack that usually DOES work on a windows box is to embed
php code inside the binary header of a jpg, usually using a tool to do
it. Even if the server is set up to only parse .php files, it will
still execute the embedded php code inside a jpg.
more info see:
http://milw0rm.com/video/watch.php?id=57

do no evil

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация