Bugtraq mailing list archives

Security-risk on gridscan.com


From: "Michael Metz [SpeedPartner]" <metz () speedpartner de>
Date: Sat, 25 May 2002 00:01:34 +0200

As reported by German ZDnet today (2002-05-24) in article
http://news.zdnet.de/story/0,,s2110809,00.html?020524165655 there is a new
"live search engine" under Gridscan.com. It only requires you to put a one-line
php-script from the Gridscan-homepage to your webserver, execute it once and
leave the script at this location. To unsubscribe from the search engine simply
delete the script. But the php-script-solution is a bit "risky": The php-script
you have to download contains only the row:

<? require("http://www.tobiaspreis.de/grid.php"); ?>

This way the administrator of tobiaspreis.de could easily modify his grid.php
to do almost anything on your webserver with full user rights of your
php-scripts. Also, the server tobiaspreis.de is a good target for hackers because
this way they can gain access to a lot of large websites. In environments where
php-scripts run under the customer's identity instead of "nobody" this bears
a large security hole.

Furthermore, the "live search" technique can result in a high amount of cpu- and
harddisk-load. For a full explanation of the problems refer to the full comment
on this problem in German language at:

    http://www.speedpartner.de/presse/020524.pdf

By the way: Why doesn't it download from Gridscan.com but from a private
homepage?


Best regards
 Michael Metz

****************************************************
SpeedPartner, Inh. Michael Metz
Neukirchener Str. 57, 41470 Neuss
Tel.: 02137 / 929 829, Fax: 02137 / 137 17
E-Mail: info () speedpartner de
****************************************************
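
A way to audit a web root for the pattern the post describes, a PHP include/require whose argument is a literal remote URL. This is an added example, not part of the original post; the function names are hypothetical and the second URL in the sample is constructed.

```python
import re
from pathlib import Path

# include/require (optionally _once), an optional "(", then a quoted string
# literal that begins with a remote scheme. Arguments built from variables
# are out of scope for this check and need separate review.
REMOTE_INCLUDE = re.compile(
    r"""\b(include|require)(_once)?\b\s*\(?\s*["']((?:https?|ftps?)://[^"']+)["']""",
    re.IGNORECASE,
)
PHP_SUFFIXES = {".php", ".php3", ".phtml", ".inc"}


def find_remote_includes(source):
    """Return (line_number, construct, url) for each remote include in PHP source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in REMOTE_INCLUDE.finditer(line):
            construct = (m.group(1) + (m.group(2) or "")).lower()
            hits.append((lineno, construct, m.group(3)))
    return hits


def scan_tree(root):
    """Map each PHP-like file under root to its remote-include findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            hits = find_remote_includes(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample input: line 1 is the script quoted in the post, the
# remaining lines are made up to show what is and is not reported.
SAMPLE = '''<? require("http://www.tobiaspreis.de/grid.php"); ?>
<?php include 'local/header.php'; ?>
<?php echo "see http://docs.example.invalid/ for help"; ?>
<?php include_once 'ftp://files.example.invalid/lib.inc'; ?>
'''

if __name__ == "__main__":
    for lineno, construct, url in find_remote_includes(SAMPLE):
        print(f"line {lineno}: {construct} executes code fetched from {url}")
```

On the server side, remote includes can be refused outright in php.ini by disabling `allow_url_fopen` (and, on PHP 5.2 and later, `allow_url_include`).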

