[CentOS] Strange Apache log entry
Stephen Harris
lists at spuddy.org
Sat Aug 28 12:30:47 UTC 2010
On Sat, Aug 28, 2010 at 12:08:49PM +0800, Emmanuel Noobadmin wrote:
> On 8/24/10, Keith Roberts <keith at karsites.net> wrote:
> > So bolting down PHP really tight should address these hacks?
>
> As others have mentioned, this is trying to take advantage of a poorly
> written PHP script that doesn't sanitize/check the input before using.
In general it's not just PHP; it could be perl, script... anything,
e.g. this extremely bad and broken CGI program:
% cat show-source.cgi
#!/bin/sh
# displays the source code for a page
# $QUERY_STRING is passed to cat unquoted and unvalidated: that is the flaw
echo Content-Type: text/plain
echo
cat $QUERY_STRING
Now http://example/show-source.cgi?mypage/example/code.cgi
would show the source code to the CGI program. Neat!
But http://example/show-source.cgi?../../../../../../../../etc/passwd
would show the password file. Not so neat!
Whenever you see sequences like ../../.. in http logs then there's an
attempt against a CGI/php/mod-perl/whatever to attack poorly written
scripts. You might sometimes see things like %2e%2e%2f%2e%2e instead
to try and circumvent poorly designed protections.
--
rgds
Stephen
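The log-watching point above (look for ../../.. and its %2e%2e%2f encodings) as a small detection script. This is an added example, not code from the thread: it assumes Apache's "combined" access-log format, percent-decodes each request target repeatedly so double-encoded variants (%252e) are caught too, and flags any request containing a bare ".." path segment. The log lines are constructed for the example and are not real traffic.

```python
"""Flag directory-traversal attempts in Apache access logs (added example)."""
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
# (assumed here; only the leading fields are captured)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e%252f also end up as ../"""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target: str) -> bool:
    """True if the decoded request target (path or query string) contains a
    '..' segment.  Backslashes are normalised to '/' because some servers
    accept them as separators.  'release..notes.html' is not flagged, since
    only a segment that is exactly '..' counts."""
    decoded = fully_decode(target).replace('\\', '/')
    return any(seg == '..' for seg in re.split(r'[/?&=]', decoded))


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client host, raw target, decoded target) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # truncated line or a different log format; skip it
        target = m.group('target')
        if is_traversal(target):
            hits.append((m.group('host'), target, fully_decode(target)))
    return hits


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Aug/2010:12:30:47 +0000] "GET /show-source.cgi?mypage/example/code.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Aug/2010:12:30:49 +0000] "GET /show-source.cgi?../../../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Aug/2010:12:31:02 +0000] "GET /show-source.cgi?%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "curl/7.19"',
    '198.51.100.7 - - [28/Aug/2010:12:31:05 +0000] "GET /cgi-bin/view.cgi?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 291 "-" "curl/7.19"',
    '192.0.2.9 - - [28/Aug/2010:12:31:10 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 7600 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, raw, decoded in scan_log(SAMPLE_LOG):
        print(f'{host}\t{raw}\t-> {decoded}')
```

Run against a real access_log with `scan_log(open('/var/log/httpd/access_log'))`. Note the script only flags the attempt; a 200 status on a flagged line, as in the second and third sample entries, is what tells you the script on the receiving end actually served the file.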