I'm working with a company doing internet intrusion detection and there is an exploit
known in PHP that I am trying to detect.
See http://www.securiteam.com/windowsntfocus/5ZP030U60U.html for details about it.
Basically if someone does something like
"http://www.example.com/php/php.exe?d:\winnt\repair\secret.txt"; then they'll get back
the specified file (when Apache has the exploit present). Now I'm not a
Windows/Apache/PHP
guy but I do use it in Linux. I know its bad form to have php.exe in your links so my
detection idea is to look for that in the request and alert on its presence. My
question is,
is this common usage for Windows deployments? I don't want a lot of false positive
alerts resulting from this. Optionally, I might consider also testing for the presence
of an
absolute file location in addition to the php.exe or maybe a link that specifies a
file extension that isn't common like php3/4,.htm?, etc... I'm posting this here to
get some
feedback from Windows/Apache/PHP people and see what you all think about this idea.
Please send me any concerns/ideas you might have about this.
thanx & later,
Ben Scherrey
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
