Re: Hack attempt

From: Cedric Blancher (
Date: 07/24/04

    Date: Sat, 24 Jul 2004 08:54:50 +0200

    On Fri 23/07/2004 at 04:04, Alex Derkach wrote:
    > Not really an exploit IMO. It is a feature in PHP which you should
    > disable if you don't use it. (Edit php.ini OR httpd.conf and add a
    > disable_functions directive).

    IMHO, even if the exploit is quite simple, it points out serious issues
    with this webserver's configuration:

    . Web application is poorly developed
            . the technique shows direct use of user input with no validation
      This is a common web app vulnerability. User input must never be
      trusted and must be validated in any case.

    . PHP is not configured properly:
            . the technique shows the fopen URL wrapper set to 1 (baaaad)
            . successful command execution shows safe_mode deactivated
      PHP safe_mode allows one to put restrictions on stuff like file
      inclusion from scripts, command execution, uploading, etc.

    . Webserver host is poorly filtered
            . the actions show the intruder is able to download stuff from the
              Internet, then probably bind a shell, launch eggdrop and so on
      The host should be restricted to only the connections it is supposed
      to receive and initiate, no more. This can prevent an intruder from
      performing a complete intrusion. In this case, proper network filtering
      could have prevented the host from including remote URLs...

    > You shouldn't be too worried, the 'hacker' can't get access to
    > anything that the web server user doesn't have access to, but don't
    > take any chances either. (a simple rm -rf can wipe you out and leave
    > you wishing you had backups)

    I disagree. Considering the fact that there are a lot of kernel local root
    exploits around, there's not much to do to get root if the server has
    strong availability restrictions that could have kept the admin from
    upgrading the kernel. Not to mention vulnerable third-party
    applications... The intruder's actions have to be verified in order to
    validate the fact that he couldn't get further privileges.

    Anyway, to my mind, this webserver should be completely wiped,
    reinstalled and reconfigured properly from a clean system base,
    implementing strong restrictions for web apps and correct network
    connection filtering. A good start for a secure PHP installation can be:


    There are a lot of papers on web app security around.

    PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
    >> Hi! I'm your friendly neighbourhood signature virus.
    >> Copy me to your signature file and help me spread!
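A defender-side check matching the first two points raised above (direct use of user input, and remote URLs reaching PHP's fopen URL wrapper): this is an added example, not code from the original thread, that scans Apache access-log lines for request parameters whose decoded value is a remote URL. The log lines, addresses and script names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample Apache combined-log lines (not from the original thread).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jul/2004:03:58:12 +0200] "GET /index.php?page=about HTTP/1.1" 200 2310 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Jul/2004:03:59:40 +0200] "GET /index.php?page=http://198.51.100.9/cmd.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Jul/2004:04:01:02 +0200] "GET /index.php?page=http://198.51.100.9/cmd.txt&cmd=id HTTP/1.1" 200 87 "-" "Mozilla/4.0"
198.51.100.20 - - [23/Jul/2004:04:02:15 +0200] "GET /search.php?q=php%20safe_mode HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Schemes PHP's fopen URL wrapper would fetch when allow_url_fopen is on.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def parse_line(line):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.groupdict()

def remote_url_params(target):
    """Return (name, value) pairs in the query string whose decoded value is a remote URL."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(v.strip())]

def scan(log_text):
    """Report every request that passed a remote URL as a parameter value."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in remote_url_params(rec["target"]):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "param": name,
                         "url": value, "status": rec["status"]})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} param={h["param"]} -> {h["url"]} (HTTP {h["status"]})')
```

A 200 status on such a request is the signal worth following up: it means the script accepted the parameter rather than rejecting it.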
