[CentOS] Strange Apache log entry

Sat Aug 28 12:30:47 UTC 2010
Stephen Harris <lists at spuddy.org>

On Sat, Aug 28, 2010 at 12:08:49PM +0800, Emmanuel Noobadmin wrote:
> On 8/24/10, Keith Roberts <keith at karsites.net> wrote:
> > So bolting down PHP really tight should address these hacks?
> 
> As others have mentioned, this is trying to take advantage of a poorly
> written PHP script that doesn't sanitize/check the input before using.

In general it's not just PHP; it could be Perl, a shell script... anything,
e.g. this extremely bad and broken CGI program:

  % cat show-source.cgi
  #!/bin/sh
  #displays the source code for a page
  echo Content-Type: text/plain
  echo
  cat $QUERY_STRING

Now http://example/show-source.cgi?mypage/example/code.cgi
would show the source code to the CGI program.  Neat!

But http://example/show-source.cgi?../../../../../../../../etc/passwd
would show the password file.  Not so neat!

Whenever you see sequences like ../../.. in http logs then there's an
attempt against a CGI/php/mod-perl/whatever to attack poorly written
scripts.  You might sometimes see things like %2e%2e%2f%2e%2e instead
to try and circumvent poorly designed protections.

-- 

rgds
Stephen
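As an added illustration of the log-watching advice above (this is not code from the original post or from the list), the following Python scanner reads Apache combined-format log lines, percent-decodes the request target repeatedly so that plain `../`, `%2e%2e%2f` and double-encoded `%252e%252e%252f` all come out the same, and flags any request whose path or query contains a `..` segment. The log lines, IP addresses and the function names `decode_fully`, `has_traversal` and `scan_log` are constructed for this example; only the `show-source.cgi` URLs echo the ones in the post.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-log lines (assumed for this example;
# the addresses and timestamps are made up).
SAMPLE_LOG = """\
198.51.100.7 - - [28/Aug/2010:12:30:47 +0000] "GET /show-source.cgi?mypage/example/code.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Aug/2010:12:31:02 +0000] "GET /show-source.cgi?../../../../../../../../etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Aug/2010:12:31:15 +0000] "GET /show-source.cgi?%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1842 "-" "curl/7.19"
203.0.113.9 - - [28/Aug/2010:12:31:20 +0000] "GET /show-source.cgi?%252e%252e%252fetc/passwd HTTP/1.1" 404 210 "-" "curl/7.19"
192.0.2.4 - - [28/Aug/2010:12:32:00 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to pull out client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)


def decode_fully(s, max_rounds=3):
    """Percent-decode until the string stops changing, so %2e%2e and the
    double-encoded %252e%252e both normalise to '..'. The round limit keeps
    a pathological input from looping."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target):
    """True if, after decoding, any path or query segment is exactly '..'.
    Splitting on both '/' and '\\' (and query delimiters) catches the
    Windows-style separator as well as traversal hidden in a parameter."""
    decoded = decode_fully(target)
    segments = re.split(r'[/\\?&=;]', decoded)
    return any(seg == '..' for seg in segments)


def scan_log(text):
    """Return one record per log line whose request target shows traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group('target')
        if has_traversal(target):
            hits.append({
                'ip': m.group('ip'),
                'status': int(m.group('status')),
                'target': target,
                'decoded': decode_fully(target),
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        # A 200 on a traversal request deserves the most attention: the script
        # answered it, so it may actually have served the file.
        print(f"{hit['ip']} status={hit['status']} {hit['decoded']}")
```

Three of the five constructed lines are flagged; the first `show-source.cgi` request (a legitimate relative path) and the plain `index.html` hit are not. The decoded form is kept in each record so that a `%2e%2e%2f` probe reads the same as a literal `../` in whatever you feed the results to. For the script side, the matching fix to a program like `show-source.cgi` is to resolve the requested name to an absolute path and refuse it unless it is still inside the directory you intended to serve from.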