Re: Site Hacked
- From: "Daniel Crichton" <msnews@xxxxxxxxxxxxxxxx>
- Date: Tue, 5 Jun 2007 08:15:25 +0100
Andrea wrote on Mon, 4 Jun 2007 22:01:45 +0200:
what I say is that I don't see anything that could be related to my iusse!
Injection or overflow vulnerabilities could be used to cause code to run on
your server that you did not intend, so that covers a few of those fixes.
The 3rd fix on the list covers a way to override the register_globals
setting - this can be bad in that global variables can be overwritten using
querystring or post values.
However, while these are possibilities, I'd be more suspicious of the actual
PHP code you have on the server. I myself was subject to a file replacement
attack on my Debian/Apache2/PHP5 server recently due a flaw in phpBB2
combined with allowing remote file opening (where URLs could be opened as if
they were local files, which I was using to pull data from some other
servers) which allowed the attacker to load a remote file as local PHP code
which then let them overwrite the config.php file for PHP-Nuke on my server.
This is an application flaw, and no amount of security patches will stop
something like this - the fix was to correct the phpBB2 code so that it
didn't allow the path variable it was using to be overwritten from POST
data, and I dumped the blocks that grabbed remote data (they were only a
test anyway) and so was able to turn off the option in PHP to pull remote