Posted by Jerry Stuckle on 02/23/07 21:28
shimmyshack wrote:
> On 23 Feb, 11:15, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Steve wrote:
>>> "Rik" <luiheidsgoe...@hotmail.com> wrote in message
>>> news:op.tn6pvcviqnv3q9@misant...
>>> | Steve <no....@example.com> wrote:
>>> | > Find a server that parses all documents via PHP instead of by extension,
>>> | > ....
>>> | >
>>> | > It's not hard to hack any site...it just takes a bit of knowledge and
>>> | > some desire.
>>> |
>>> | And in this case, both an insane webserver setting and either no check or a
>>> | bogus check on files after upload... Usually it would be much, much harder.
>>> True. However, sadly, *most* web servers (Apache anyway) out there at least
>>> parse all documents through PHP even if the extension is different...things
>> Do you have proof of this statement? I find just the opposite - very
>> few servers parse non-html files through PHP - and most of those who do
>> change when told about the security implications.
>>
>>> like .css or .jpg, or what have you. This is the critical part. As long as
>>> this is the configuration, you can find *many* ways to get your script onto
>>> their server. And you will have enough authorization to access any system
>>> directory that PHP has access to...even those not in the web root.
>>> This is not just a PHP issue; ASP and others have the same problem. People
>>> are never as aware as they should be when it comes to security. Myself
>>> included.
>
> This is the only statement in my httpd.conf:
>
> AddType application/x-httpd-php .php
>
> and yet the attack works.
> The server doesn't have to be set up to parse every doc for PHP; that
> was an assumption.
> Has anyone here tried it on their server?
>
The attack doesn't work on my test system or on any of my live
systems either. Files containing PHP code which do not have the .php
extension are not parsed.
And where uploads are possible, files with a .php extension are not
allowed. So they're safe.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
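To make the configuration point concrete, here is an added example (mine, not from any poster in this thread) that puts the bare AddType line quoted above beside the form the Apache and PHP documentation recommend. The mechanism it relies on is documented Apache mod_mime behaviour: with AddType/AddHandler, every dot-separated extension in a file name is examined, so a name such as "avatar.php.jpg" can still be handed to the PHP handler even though it does not end in .php. Whether that is why the attack succeeded on shimmyshack's server and not on Jerry's is my assumption; the thread does not say. The upload directory path and the example file name are also assumed.

```apache
# Weak: associate PHP with the ".php" extension via AddType.
# mod_mime applies this to every extension in a name, so an upload saved as
# "avatar.php.jpg" (hypothetical name) can still reach the PHP handler, even
# though nothing else in httpd.conf says "parse everything as PHP".
AddType application/x-httpd-php .php

# Corrected: bind the handler only to names that END in ".php".
# A name like "avatar.php.jpg" no longer matches.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Belt and braces for the upload tree (assumed path; adjust to your own).
# Nothing under it should ever execute, whatever the file is called.
<Directory "/var/www/html/uploads">
    # Undo any AddType / AddHandler mapping inherited from above.
    RemoveType .php
    RemoveHandler .php
    # Override any SetHandler that still applies here.
    <FilesMatch "\.php$">
        SetHandler None
    </FilesMatch>
    # If mod_php is loaded, switch the engine off for this tree in a way a
    # per-directory .htaccess cannot turn back on.
    php_admin_flag engine off
    AllowOverride None
</Directory>
```

The FilesMatch form is what the PHP installation notes for Apache 2 recommend in place of AddType. The Directory block is the server-side counterpart of Jerry's rule that uploads with a .php extension are refused: even if the upload check is bypassed, the web server will not execute anything stored there. Restart Apache and verify with a harmless test file that a name ending in ".php.jpg" is served as plain bytes rather than executed.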