On Sat, Aug 28, 2010 at 12:08:49PM +0800, Emmanuel Noobadmin wrote:
On 8/24/10, Keith Roberts keith@karsites.net wrote:
So bolting down PHP really tight should address these hacks?
As others have mentioned, this is trying to take advantage of a poorly written PHP script that doesn't sanitize/check the input before using.
In general it's not just PHP; it could be perl, script.. anything eg this extremely bad and broken CGI program:
% cat show-source.cgi #!/bin/sh #displays the source code for a page echo Content-Type: text/plain echo cat $QUERY_STRING
Now http://example/show-source.cgi?mypage/example/code.cgi would show the source code to the CGI program. Neat!
But http://example/show-source.cgi?../../../../../../../../etc/passwd would show the password file. Not so neat!
Whenever you see sequences like ../../.. in http logs then there's an attempt against a CGI/php/mod-perl/whatever to attack poorly written scripts. You might sometimes see things like %2e%2e%2f%2e%2e instead to try and circumvent poorly designed protections.