Date:  Mon, 30 Jul 2007 22:41:00 +1000
From:  Greg Kuhnert <greg.kuhnert (at mark) theanchoragesylvania.com>
Subject:  [coba-e:10491] Re: Php script vulnerabilities
To:  coba-e (at mark) bluequartz.org
Message-Id:  <46ADDC5C.8040908 (at mark) theanchoragesylvania.com>
In-Reply-To:  <46AD5046.2090305 (at mark) theanchoragesylvania.com>
References:  <46AC07A4.7000106 (at mark) theanchoragesylvania.com> <634ejo$1cta4k (at mark) wnpgmb01-c600f.mts.net> <46AD5046.2090305 (at mark) theanchoragesylvania.com>
X-Mail-Count: 10491

Sorry to be the prophet of doom in the list - but this is starting to 
worry me.

I found an interesting post at 
http://www.ossec.net/wiki/index.php/WebAttacks_links that describes some 
of the attacks that are being attempted against hosts that run PHP. Note 
particularly the links in section 1.2, that show the actual code that 
has been found "in the wild" on compromised systems.

The attacks of course are dependent on one or more of your clients 
having some braindead PHP code in their web space .... It only takes one 
client to forget to upgrade an open source application to fix a 
vulnerability, and you will have people getting all sorts of information 
from your server.

This information can in turn help them to know how to do a full 
compromise and take control of your host.

How can we protect ourselves? What is the common pattern here? It seems 
that any occurrence of "://" in an HTTP query string is required for all 
of these attacks. What I would like to do (if it is possible) is to 
block this from being passed to ANY PHP script in the query string or 
POST variables etc.

Does anyone have any ideas on how to block this? I was thinking of 
something at the apache level - any ideas?

Regards,
Greg.
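
One way to do what the message above asks for at the Apache level, as an added example that is not part of the original post or of the BlueQuartz project: a mod_rewrite rule that rejects any request whose query string contains "://" (raw or percent-encoded), plus, because mod_rewrite cannot see POST bodies, a ModSecurity 2.x rule that applies the same check to all GET and POST parameters. The module availability and the rule id are assumptions; the mod_rewrite part works in the server or vhost config or in .htaccess, the ModSecurity part in the server or vhost config.

```apache
# Added example, not from the original post. Assumes mod_rewrite is loaded.
RewriteEngine On
# QUERY_STRING is matched raw (not URL-decoded), so match "://" as well as
# percent-encoded variants such as "%3A%2F%2F" and ":%2F%2F"; [NC] makes the
# hex digits case-insensitive.
RewriteCond %{QUERY_STRING} (:|%3A)(/|%2F){2} [NC]
# Any matching request is answered with 403 Forbidden; "-" means no rewrite.
RewriteRule .* - [F,L]

# POST bodies are invisible to mod_rewrite. With ModSecurity 2.x loaded
# (assumption), run the same check over every request parameter after
# URL-decoding, in the request-body phase (phase 2). Rule id is illustrative.
SecRuleEngine On
SecRequestBodyAccess On
SecRule ARGS "@contains ://" \
    "id:900001,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'URL passed in request parameter'"
```

Expect false positives: any legitimate form that carries a URL in a parameter (a redirect target, a "website" field in a blog comment form) is blocked too, so start with SecRuleEngine DetectionOnly and read the audit log before enforcing. A blocklist on one token is also only a stopgap: the remote file inclusion attacks on the linked OSSEC page work because PHP fetches and executes code from a remote URL, so the durable server-side fix is allow_url_fopen = Off (and, on PHP 5.2 and later, allow_url_include = Off) in php.ini, alongside getting the clients' applications patched.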