Menu

#52 Code can be owned to "own" a site

Stable
open
None
9
2007-05-22
2007-05-21
Paul Oldham
No

I've just had my web site hacked by someone who used ./themes/test1.php to run arbitrary code on a remote server by passing "root" as a parameter in the URL pointing to a directory on the remote server.

Ol'Bookmarks relies on register_globals being On and that allows this hack to work.

This is a serious security issue and I'm still seeing requests on the server with a referrer header which suggest that someone is using Google to identify other Ol'Bookmarks servers to repeat the episode.

I strongly suggest everyone using Ol'Bookmarks take their servers offline or at least hide them from Google until this exploit is fixed!

Discussion

  • Cyril Bellot

    Cyril Bellot - 2007-05-22
    • milestone: --> Stable
    • priority: 5 --> 9
    • assigned_to: nobody --> jcpp
     
  • Cyril Bellot

    Cyril Bellot - 2007-05-22

    Logged In: YES
    user_id=123387
    Originator: NO

    You can set register_globals = OFF with olbookmarks since 0.7.4; by the way, OFF is the default for a while now.

    Having it set to ON is a major security risk, not only for olbookmarks but also for lots of web applications (that do not double check every provided variable)

     
  • yabb8

    yabb8 - 2007-07-18

    Logged In: YES
    user_id=1322570
    Originator: NO

    This sounds like a major security bug. Will you change the code accordingly? Not everybody can change the settings of register_globals on shared webspace.

     
  • Cyril Bellot

    Cyril Bellot - 2007-07-18

    Logged In: YES
    user_id=123387
    Originator: NO

    Code has been fixed in 0.7.5.

    register_globals is a very bad idea anyway and is considered as being completely removed in future versions of PHP.

     

Log in to post a comment.

Auth0 Logo