Personal Daily WTF
Invention 
13/8/08 1:47:50 PM
Primarch

We were recently the subject of an attack from some hackers, who were using a rootkit and some vulnerabilities in our software to set up IRC bots etc. Whilst investigating how they did it I came across the following (seemingly innocuous right ?) "fix" that my colleague had added to one of the sites in question:

    while(list($index, $value) = each ($_REQUEST))
    {
        $$index = $value;
    }


0_o

-----

Girvo 
13/8/08 2:42:08 PM
Immortal

............what does that even DO. :|

-----
Quote by Disco
Edit: I got my own age wrong? o_0



Invention 
13/8/08 3:17:30 PM
Primarch

It takes any parameter passed to the script via $_POST or $_GET and automatically assigns it to a named variable. There are two things wrong with it:

1. It accomplishes exactly the same function as turning the REGISTER_GLOBALS directive on in your config.
2. It creates an enormous security hole, which is the reason REGISTER_GLOBALS was defaulted to off, and eventually removed from subsequent PHP versions.

-----
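To make the two points above concrete, here is an added example (not code from the thread or from the site in question) that puts the loop beside the form that replaces it. The request array, the variable names `$is_admin` and `$config_dir`, and the page allowlist are all constructed for the demo; `foreach` stands in for the `while(list() = each())` idiom, which does the same thing (and `each()` no longer exists in current PHP).

```php
<?php
// Added example: the $$index loop is register_globals in disguise.
// Any key in the request silently becomes a variable in the current scope,
// so internal state set *before* the loop is overwritten by whoever sends
// the request. The hardened version reads only the parameters it expects.

// Constructed request standing in for $_REQUEST (assumption for the demo).
$request = [
    'page'       => 'news',
    'is_admin'   => '1',          // not a real parameter of the app
    'config_dir' => '/tmp/evil',  // not a real parameter of the app
];

// --- Vulnerable: every request key becomes a local variable ---------------
function vulnerable(array $req): array
{
    $is_admin   = false;        // decided by the application...
    $config_dir = '/etc/app';   // ...and by server-side config

    foreach ($req as $index => $value) {
        $$index = $value;       // identical effect to register_globals = On
    }

    // Both values now come from the request, not from the application.
    return ['is_admin' => $is_admin, 'config_dir' => $config_dir];
}

// --- Hardened: name the parameters you use and validate each one ----------
function hardened(array $req): array
{
    $is_admin   = false;        // never derived from the request
    $config_dir = '/etc/app';

    // Only 'page' is a legitimate input; anything else in the request is
    // ignored, and 'page' itself is checked against an allowlist.
    $allowed_pages = ['news', 'about', 'contact'];
    $page = (isset($req['page']) && in_array($req['page'], $allowed_pages, true))
        ? $req['page']
        : 'news';

    return ['is_admin' => $is_admin, 'config_dir' => $config_dir, 'page' => $page];
}

var_dump(vulnerable($request));
var_dump(hardened($request));
```

Run it with `php` on the command line and compare the two dumps: in `vulnerable()` the request has replaced both internal variables, in `hardened()` they are untouched and the only request-derived value is the validated `page`. The fix is not a filter on the loop but deleting the loop: each input gets read by name, once, and checked before use.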

Girvo 
13/8/08 7:47:04 PM
Immortal

I figured as much once I'd read it after a coffee.
*facekeyboards

-----
Quote by Disco
Edit: I got my own age wrong? o_0



Slace 
13/8/08 8:02:17 PM
Hero
Titan


Haha nice. I'm getting plenty of facepalm moments at the moment, I'm heading up a dev team running out of our China office, the number of times code has come in and I've just groaned is more than I'd like :/

-----

Why can't a programmer tell the difference between Halloween and Christmas? 
Because OCT31 = DEC25


What's playing? http://www.last.fm/user/slace/

zephyr 
13/8/08 9:25:25 PM
Hero
Titan


that's rofltastic :-)

-----
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in. We're computer professionals. We cause accidents. (N. Borenstein)

eckythump 
15/8/08 3:05:56 AM
Overlord

Oh dear.

I remember doing something similar about 10 years ago with a quick CGI I wrote in bourne shell. It was something like:
    #!/bin/sh

    args=`echo $QUERY_STRING | sed 's/\&/ /g'`
    for i in $args
    do
        export cgi_$i
    done

    # Do other stuff ...
It did the job and I wasn't particularly worried about any malicious people being able to do anything nasty (though I am curious as to how nasty one could get with that.)

But when you've got perl/python/php, there's no excuse for such nasty code. You should know the variables you're going to be using and just call them directly with $cgi->param("varname") or whatever equiv for your script language of choice.

Other bad coding practice I've seen a few times over the years was for email submission forms where the recipient email address is defined in a <input type="hidden" name="email" value="exploit@me.spammers">

At one stage I had a fake contact page with such a hidden field and a cgi at the back that checked to see if the provided email address was different to that. If it was, it'd firewall the source IP address. You'd be amazed how quickly you'd reach 10,000 firewall rules for those blocks.

-----
"Grandfather had an accident, he got burnt." "Oh no, how bad?" "Well, they don't fuck around at the crematorium."
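As an added example (not eckythump's cgi, and not code from the thread), here is how a contact-form handler can keep the recipient out of the form entirely and still detect the tampered hidden field described above. The POST body, the `RECIPIENTS` table and the addresses in it are constructed for the demo; the handler only logs a mismatch rather than adding firewall rules.

```php
<?php
// Added example: the recipient of a contact form belongs in server-side
// configuration. The form may carry a short form id, never the address.
// A legacy hidden "email" field, if present, is compared against the
// expected value and any difference is treated as tampering.

// Constructed POST body standing in for $_POST (assumption for the demo).
$post = [
    'name'    => 'Alice',
    'message' => 'Hello',
    'email'   => 'exploit@me.spammers',   // hidden field, edited client-side
];

// Server-side mapping from form id to real recipient (constructed values).
const RECIPIENTS = [
    'contact' => 'webmaster@example.com',
    'sales'   => 'sales@example.com',
];

// Returns the address to send to, or null when the request is not trusted.
function resolve_recipient(array $post): ?string
{
    // The only request-derived choice is the form id, checked against the table.
    $form = $post['form'] ?? 'contact';
    if (!array_key_exists($form, RECIPIENTS)) {
        return null;
    }
    // Tolerate the old hidden field only when it says what the server
    // already knows; a different address means the form was modified.
    if (isset($post['email']) && $post['email'] !== RECIPIENTS[$form]) {
        return null;
    }
    return RECIPIENTS[$form];
}

function handle(array $post): string
{
    $to = resolve_recipient($post);
    if ($to === null) {
        // Log the source for later review instead of acting on it inline.
        error_log('contact form: recipient mismatch from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return 'rejected';
    }

    // Read the fields by name; nothing else in $post is looked at.
    $name    = $post['name'] ?? '';
    $message = $post['message'] ?? '';
    $body    = "From: {$name}\n\n{$message}";

    // mail($to, 'Contact form', $body);   // real delivery, disabled in the demo
    return "sent to {$to}";
}

echo handle($post), "\n";
```

With the constructed body above the hidden `email` value does not match the configured recipient for the default form, so the request is rejected and logged; drop the `email` key from `$post` and the message is routed to the address from `RECIPIENTS`. Whether the mismatch then feeds a blocklist, as in the post, is a separate decision from the check itself.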
