Mailinglist Archive: opensuse-security (394 mails)

Re: [suse-security] PHP safe mode problems...
  • From: Bodo Kaelberer <BodoKaelberer@xxxxxxxxxx>
  • Date: Tue, 9 Dec 2003 19:26:17 +0100
  • Message-id: <988038853.20031209192617@xxxxxxxxxx>

> I got a defacing in my domains this weekend. They used a php shell
> to run some processes in the machine and replace all
> index.(html|shtml|php). They changed my users password too, and left
> a process in the /tmp dir running on port 80.

What do you call the use of a php-shell?

> The thing is, if I turn on PHP Safe Mode, webmail and applications
> stop working (includes and execs).

> Is there some way to secure PHP and not lose half of its
> functionality?

Get more secure scripts (-;

AFAIK there are just a few possibilities to hack into a server by
calling a php-script. The most common way (in fact a design error of
the developer) is that a file to be included is passed as a parameter
and someone replaces this value with a URL.

You have a php-script named displaypage.php that gets the page to be
displayed as a parameter named "page".


If someone changed the parameter to something like:


the interpreter will load this file and will execute it as a
php-script. The attacker is able to do everything possible for
a php-script.
You might be using software that is known to have such a backdoor.
I experienced this once with phpnuke, a free portal software written
in php, that had this error too. The successful attack has been
published on a hackers-server in Argentina that listed hundreds of
other sites hacked by the use of the same backdoor.

Whether the inclusion of remote files is allowed is defined by the
option 'allow_url_fopen'. You might want to check this.


Bodo Kaelberer
Politics is when many argue and nobody is pleased.
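
The include pattern described in the message above, beside a hardened form. This is an added example, not part of the original post or of any software it mentions; the page names, the pages/ directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// displaypage.php, hardened (added example; page names and the pages/
// directory are assumptions).
//
// Pattern the message describes, kept as a comment for comparison:
//     include $_GET['page'];
// The request decides what the interpreter loads. With URL wrappers
// enabled, that value may be a URL instead of a local file.

// Resolve a requested page name to a file below $baseDir, or null.
function resolve_page($requested, $baseDir)
{
    // Fixed allowlist: request values are only ever used as array keys,
    // never as part of a path.
    $pages = [
        'home'    => 'home.php',
        'news'    => 'news.php',
        'contact' => 'contact.php',
    ];
    // Rejects arrays (?page[]=x) and any name that is not listed.
    if (!is_string($requested) || !isset($pages[$requested])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $pages[$requested]);
    // realpath() returns false for missing files; the prefix check
    // catches a listed file that is a symlink pointing outside $baseDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Log when remote wrappers are enabled, so the php.ini setting the
// message mentions gets checked. allow_url_include exists since PHP 5.2.
foreach (['allow_url_fopen', 'allow_url_include'] as $opt) {
    if (filter_var(ini_get($opt), FILTER_VALIDATE_BOOLEAN)) {
        error_log("displaypage.php: $opt is enabled");
    }
}

$name = isset($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_page($name, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Because the request value is only ever an array key, the script keeps working the same way whether allow_url_fopen is on or off, so the option can be disabled without touching the page logic.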
