On Sun, Aug 29, 2010 at 12:45:53AM -0700, Gordon Messmer wrote:
On 08/28/2010 05:30 AM, Stephen Harris wrote:
In general it's not just PHP; it could be perl, script.. anything eg this extremely bad and broken CGI program:
That's true, but /proc/environ isn't in a format that's valid for most languages. If a PHP script can be made to include /proc/environ, code
There's nothing special about /proc/$$/environ. All the variables in there are already available to the process. eg #!/bin/sh echo Content-Type: text/plain echo env shows everything in the environment
can be injected by the caller. For instance, their Agent string could include PHP code which would end up executed. Other languages may not
If a shell script can be tricked into running (be badly written so that it runs an) eval statement on a variable then code can be injected in the same way. A perl programming calling ` ` on an unchecked string, a C program calling system() on unchecked string, a shell script calling subshells... In fact that's how early code injection worked. If you see %60 or %3B in the query_string then it's a good chance of an attempted code injection.
Badly written CGI programs are badly written CGI programs no matter what language they're written in. The exact nature of the exploit may be different, but they all fall into a similar class - the programmer ****ed up.