[CentOS] Strange Apache log entry

Sun Aug 29 12:51:06 UTC 2010
Stephen Harris <lists at spuddy.org>

On Sun, Aug 29, 2010 at 12:45:53AM -0700, Gordon Messmer wrote:
> On 08/28/2010 05:30 AM, Stephen Harris wrote:
> > In general it's not just PHP; it could be perl, script.. anything
> > eg this extremely bad and broken CGI program:
> That's true, but /proc/environ isn't in a format that's valid for most 
> languages.  If a PHP script can be made to include /proc/environ, code 

There's nothing special about /proc/$$/environ.  All the variables in there
are already available to the process.  eg
  echo Content-Type: text/plain
shows everything in the environment

> can be injected by the caller.  For instance, their Agent string could 
> include PHP code which would end up executed.  Other languages may not 

If a shell script can be tricked into running (be badly written so that
it runs an) eval statement on a variable then code can be injected in
the same way.  A perl programming calling ` ` on an unchecked string,
a C program calling system() on unchecked string, a shell script
calling subshells...  In fact that's how early code injection worked.
If you see %60 or %3B in the query_string then it's a good chance of an
attempted code injection.

Badly written CGI programs are badly written CGI programs no matter
what language they're written in.  The exact nature of the exploit may
be different, but they all fall into a similar class - the programmer
****ed up.