Thursday, September 2, 2010

Site Hacks

I found out today how some site attacks have gotten through. They used "../" to traverse directories in my include files and find a file that, when loaded, would include the contents of their User-Agent string. Then they put PHP code into their User-Agent string and re-visited the site with that specially corrupted query string and BAM! they were in.

The solution: sanitize the query string to exclude the double dot, written like this for regex matching:
\.\.

That's one less open door!

Update: 2010-09-07:
For the attack above to work, the null byte had to be parsed. (All my includes had the extension concatenated to the end of the query string value. The null byte "%00" was used to make PHP ignore the concatenation.) In PHP4, magic_quotes_gpc would prevent this. In PHP5, magic_quotes_gpc is deprecated. Only sites using PHP5 were affected on my server.
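As an added example (not code from this post), here is the include pattern described above next to a hardened version that does not rely only on stripping the double dot: it allows a plain page name, then confirms with realpath() that the resolved file still sits inside the intended directory. The `pages/` directory and the page names are assumed for the demo.

```php
<?php
// Vulnerable pattern from the post: the request value is concatenated with an
// extension, so "../" walks out of the directory, and on PHP builds that stop
// at a NUL byte the "%00" drops the ".php" suffix.
function vulnerable_include_path(string $page): string {
    return 'pages/' . $page . '.php';
}

// Hardened replacement. Returns the resolved path, or null when the request
// must be refused.
function safe_include_path(string $page, string $baseDir): ?string {
    // Allowlist: letters, digits, underscore, hyphen. No slashes, dots or NULs.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $page)) {
        return null;
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $target === false) {
        return null; // directory or page file does not exist
    }
    // Containment check: the resolved file must lie under the base directory.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: one real page file in a temporary directory.
$tmp = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($tmp . '/pages', 0700, true);
file_put_contents($tmp . '/pages/about.php', "<?php echo 'about';\n");

// The first value is benign; the others are shaped like the post's attack
// (traversal, decoded NUL byte, traversal that happens to land back inside).
$samples = ["about", "../../outside", "about\0.txt", "../pages/about"];
foreach ($samples as $p) {
    $shown  = addcslashes($p, "\0");
    $result = safe_include_path($p, $tmp . '/pages') ?? 'REJECTED';
    printf("%-16s  naive: %-28s  hardened: %s\n",
        $shown, vulnerable_include_path($shown), $result);
}

unlink($tmp . '/pages/about.php');
rmdir($tmp . '/pages');
rmdir($tmp);
```

Only "about" passes; the three crafted values are refused by the allowlist before the filesystem is ever consulted, and the realpath check would still catch a file that resolves outside `pages/` even if the regex were loosened later.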
