On 2020-10-21 06:17, Wietse Venema wrote:
> If any of those got a 200 HTTP response then you have been owned.
Acknowledged. In this case, though, I honestly don't think so. Let me explain why.

My server IS NOT RUNNING THINKPHP OR WORDPRESS. Never has. The PHP site in question here was not built using WordPress, ThinkPHP, or any other framework or toolkit. And the /index.php file for the site does not expect, and isn't written to process, command-line parameters such as "s", "a", "content", "function", or "vars".

Apache would, to be sure, return a 200 HTTP status code for these queries, but I think all that means is that the /index.php file was found. However, the PHP code in the /index.php file (plus the functions in the other PHP files on the site invoked from /index.php) isn't expecting any of the above command-line parameters and, as best I can tell, should simply be ignoring them. Unless there's something in raw PHP (not using any frameworks) that recognizes and acts on these or other parameters outside the context of whatever the raw PHP code in question is doing, nothing untoward should happen, right?

Please feel free to try attacking the site in question for yourself, adding any parameters you like to the URL, and let me know, and I'll go check the site and confirm if I saw anything strange.

https://www.marywalesloomis.com

The only command-line parameter which this web site is supposed to recognize and do anything with is a "page=" parameter. Everything else on the command line / URL should be disregarded.

Rich Wales
ri...@richw.org
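The question being argued above (which probe requests reached /index.php, and what status each got) is best settled from the server's own access log. The following is an added example, not part of this thread: it scans Apache combined-format log lines for requests to /index.php whose query string carries any of the parameter names mentioned above (s, a, content, function, vars), ignores the site's legitimate "page=" parameter, and reports the status code, client and request for each hit. The log lines, client addresses and parameter values are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the thread). Lists requests to /index.php that carry
# one of the probe parameter names discussed in the thread and shows the HTTP
# status Apache returned for each, so the "did any of those get a 200" question
# can be checked against real logs. A 200 alone only shows the request reached
# /index.php; the list is what to cross-check against the site's own PHP code.

# Constructed sample access log in Apache combined format (TEST-NET addresses).
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.7 - - [21/Oct/2020:06:01:12 +0000] "GET /index.php?s=probe&function=x&vars[0]=y HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [21/Oct/2020:06:01:13 +0000] "GET /index.php?a=probe&content=z HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.4 - - [21/Oct/2020:06:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Oct/2020:06:02:05 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Oct/2020:06:03:00 +0000] "GET /index.php?s=probe HTTP/1.1" 403 199 "-" "curl/7.68.0"
EOF

# list_probe_hits LOGFILE [STATUS]: print "status client request" for each
# /index.php request whose query string names s, a, content, function or vars.
# Only the parameter NAME is inspected (value and any [..] subscript stripped),
# so "page=about" is never reported. Optional STATUS restricts to that code.
list_probe_hits() {
  awk -v want="${2:-}" '
    $7 ~ /^\/index\.php\?/ {
      q = substr($7, index($7, "?") + 1)          # query string after "?"
      n = split(q, kv, "&")
      hit = 0
      for (i = 1; i <= n; i++) {
        k = kv[i]
        sub(/=.*/, "", k)                          # drop the value
        sub(/\[.*/, "", k)                         # vars[0] -> vars
        if (k == "s" || k == "a" || k == "content" || k == "function" || k == "vars")
          hit = 1
      }
      if (hit && (want == "" || $9 == want)) print $9, $1, $7
    }' "$1"
}

# count_probe_hits LOGFILE [STATUS]: number of matching requests.
count_probe_hits() {
  list_probe_hits "$1" "${2:-}" | wc -l | tr -d ' '
}

echo "Probe requests to /index.php and their status codes:"
list_probe_hits "$LOG"
echo "Of which answered 200: $(count_probe_hits "$LOG" 200)"
```

Run it against a real log by replacing the heredoc with the path to the Apache access log; the 403 entry in the sample shows a probe that was blocked rather than served.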