In my experience, the largest contributor to vulnerable systems is the
very, very widespread use of open source software packages such as CMS
systems where the hacker is exploiting an injection point to run a remotely
supplied shellbot program. Once the entry point to inject a shellbot is
known to exist in an open source application, it's just a matter of slinging
a URL script at known directory pathing schemes at the world's web servers
looking for a hit.

This does not take away from the legitimacy of your post regarding exploits
that do not use a remote URL as an include path, but the information Greg
posted about represents about 99% of the exploits hitting our web servers.
A hacker, unless he really has it in for you in particular, isn't going to
hack and hack against your PHP application looking for unknown $_GET
variable entry points, not when he can spend a much more "productive" day
slinging URL scripts at the known vulnerabilities Greg was referring to.

I would welcome an Apache method for blocking those types of exploits, as I
monitor Logwatch reports every morning and see entry after entry after entry
of the attempts mentioned.
> -----Original Message-----
> From: Brent Epp [mailto:brent (at mark) pdcweb.net]
> Sent: Monday, July 30, 2007 10:54 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:10493] Re: Php script vulnerabilities
>
> While this will help, the occurrence of '://' being the ultimate
> exploit is not necessarily the case. An injection attack can still
> be very effective by exploiting any user variable ($_GET or $_POST)
> that hasn't been validated properly.
>
> eg.:
>
> <?php
> // Deliberately vulnerable: the unescaped $_GET value is spliced straight into a shell command.
> shell_exec('ls ' . $_GET['pictures_match'] . '.jpg');
> ?>
>
> $_GET['pictures_match'] could be: '*; rm -rf /; ls *'; This is, of
> course, the obligatory "delete all your files" example. Clearly, you
> can see why this is bad where a user variable does not contain any
> sort of URL. And, obviously, an attacker would have to know your
> application, but that's not too far fetched if these are open source
> apps we're talking about.
>
> - Brent
>
> At 2007-07-30 07:41, you wrote:
> >How can we protect ourselves? What is the common pattern here? It
> >seems that any occurrence of "://" in an HTTP query string is
> >required for all of these attacks. What I would like to do (if it is
> >possible) is to block this from being passed to ANY php script in
> >the query string or POST variables etc.
>
>
> Brent Epp
> mailto:brent (at mark) pdcweb.net
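A log-side check for the two patterns this thread discusses, a remote URL ("://") in a query parameter and shell metacharacters in a parameter such as Brent's pictures_match, written as an added example that is not part of the thread or of any BlueQuartz code. It percent-decodes Apache access-log query strings before matching so an encoded "://" is not missed; the log lines, IP addresses and parameter names are constructed.

```python
"""Flag Apache access-log entries whose query parameters carry a remote URL
("://") or shell metacharacters.  Added example; sample log lines below are
constructed, not real traffic."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed "combined" format lines (documentation IP ranges, fake hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jul/2007:07:41:02 -0500] "GET /index.php?page=http://198.51.100.9/bot.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Jul/2007:07:41:05 -0500] "GET /gallery.php?pictures_match=%2A%3B%20rm%20-rf%20%2F%3B%20ls%20%2A HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.22 - - [30/Jul/2007:07:42:10 -0500] "GET /gallery.php?pictures_match=beach2007 HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
192.0.2.5 - - [30/Jul/2007:07:43:00 -0500] "GET /inc.php?f=http%253A%252F%252F192.0.2.99%2Fx HTTP/1.1" 404 210 "-" "libwww-perl/5.8"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
SHELL_META = re.compile(r'[;&|`$]')  # characters that end or chain a command


def suspicious_params(target):
    """Return [(name, decoded_value, reason), ...] for one request target.

    parse_qsl decodes one layer of percent-encoding; the extra unquote()
    catches a double-encoded value such as http%253A%252F%252F...
    """
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)
        if '://' in value:
            findings.append((name, value, 'remote URL in parameter'))
        elif SHELL_META.search(value):
            findings.append((name, value, 'shell metacharacter in parameter'))
    return findings


def scan_log(text):
    """Return [(ip, status, name, value, reason), ...] for every flagged parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for name, value, reason in suspicious_params(m['target']):
            hits.append((m['ip'], int(m['status']), name, value, reason))
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print('%-14s %d  %s=%r  (%s)' % hit)
```

Feed it a real access_log instead of SAMPLE_LOG to get the same triage that Logwatch summarises, with the decoded parameter value shown for each hit.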