Virtual Server vulnerability through URL parameters?

 
 
Bernhard Sturm
 
      01-06-2005
Hi Group
I don't know if it's the right place to ask, but I'll try it:

I have set up a site using PHP includes for the content parts of a page:

I have one index.php that uses different includes for menu, navigation,
footer and header. the content is included through this part of the code:

<div id="middle" align="left">
<?php // include content
include($content);
?>
<br />
</div>

via URL parameter content the content is fed to the index.php. Like this:
http://cellntec/sandbox/index.php?co...tact/index.php

Where the content is kept in content/index.php e.g.:

<p>Using novel progenitor cell-targeted isolation techniques and culture
media, xxxx
Advanced Cell Systems has developed a range of epithelial in vitro
systems with
a striking suite of features. These include</p>

now my host has shut down the site because he says that this will put a
threat to all his virtual servers on the same server... I have no clue
(and maybe my PHP knowledge is too limited...) Is there a known exploit
for URL parameters?

thanks for any reply


bernhard
--
www.daszeichen.ch
remove nixspam to reply

 
 
 
 
 
rf
 
      01-06-2005
"Bernhard Sturm" <(E-Mail Removed)> wrote

> Hi Group
> I don't know if it's the right place to ask, but I'll try it:


Probably not, especially since you multiposted exactly the same thing over
in alt.php, where the subject *is* on topic.

Where do you want your answer?

--
Cheers
Richard.


 
 
 
 
 
Bernhard Sturm
 
      01-06-2005


On 1/6/2005 2:59 PM rf spoke thusly
> "Bernhard Sturm" <(E-Mail Removed)> wrote
>
>
>>Hi Group
>>I don't know if it's the right place to ask, but I'll try it:

>
>
> Probably not, especially since you multiposted exactly the same thing over
> in alt.php, where the subject *is* on topic.


i posted it first here... and later in alt.php. as it is a server
related issue I am not even sure, if it fits into alt.php... so I hoped
that someone here had the same problem before (as I am more in alt.html
than alt.php)... yeah I know lame excuse, but since I asked, I hoped for
an answer.

>
> Where do you want your answer?


anywhere
multiposting is not allowed in NG? (I did not cross-post).

bernhard
--
www.daszeichen.ch
remove nixspam to reply

 
 
rf
 
      01-06-2005
"Bernhard Sturm" <(E-Mail Removed)> wrote

> On 1/6/2005 2:59 PM rf spoke thusly
> > "Bernhard Sturm" <(E-Mail Removed)> wrote
> >
> >>Hi Group
> >>I don't know if it's the right place to ask, but I'll try it:

> >
> >
> > Probably not, especially since you multiposted exactly the same thing over
> > in alt.php, where the subject *is* on topic.

>
> i posted it first here... and later in alt.php. as it is a server
> related issue I am not even sure, if it fits into alt.php... so I hoped
> that someone here had the same problem before (as I am more in alt.html
> than alt.php)... yeah I know lame excuse, but since I asked, I hoped for
> an answer.


Hmmm. A group dealing with hosting stuff may be better. alt.www.webmaster?
One of the comp hierarchy?

> > Where do you want your answer?

>
> anywhere


OK, from an HTML point of view there is no answer as it is not an HTML
issue. HTML is client side, not server side.

That said, nothing, repeat, nothing that comes from client side should be
used in PHP without first being sanity tested. This is to stop "insertion"
of bad things. For example, if you have a database that accepts a query
string from client side then the user can terminate that query string with a
' and follow it with some SQL to delete your entire database. You have to
check for this.

Your case is a bit milder but what, for example, if I were to plug in
content="../../../../whatever". I just might get to the root of your host's
server, if said host has not set up the server correctly, and access the
password file.

Why this should be an issue is really strange, assuming your host has the
server set up correctly. However, your host has made a statement so either
fix it or, preferably, get a better host.

Of course you will probably get much better answers over at alt.php.

> multiposting is not allowed in NG? (I did not cross-post).


Crossposting to appropriate newsgroups is recommended. Multiposting is
frowned upon, it splits the conversation into two or more disparate groups.
Those who work hard on an answer here may find that the same answer has
already been posted elsewhere. With crossposting everybody sees all the
answers in all groups.

--
Cheers
Richard.


 
 
SpaceGirl
 
      01-06-2005
rf wrote:
> "Bernhard Sturm" <(E-Mail Removed)> wrote
>
>
>>On 1/6/2005 2:59 PM rf spoke thusly
>>
>>>"Bernhard Sturm" <(E-Mail Removed)> wrote
>>>
>>>
>>>>Hi Group
>>>>I don't know if it's the right place to ask, but I'll try it:
>>>
>>>
>>>Probably not, especially since you multiposted exactly the same thing over
>>>in alt.php, where the subject *is* on topic.

>>
>>i posted it first here... and later in alt.php. as it is a server
>>related issue I am not even sure, if it fits into alt.php... so I hoped
>>that someone here had the same problem before (as I am more in alt.html
>>than alt.php)... yeah I know lame excuse, but since I asked, I hoped for
>>an answer.

>
>
> Hmmm. A group dealing with hosting stuff may be better. alt.www.webmaster?
> One of the comp hierarchy?
>
>
>>>Where do you want your answer?

>>
>>anywhere

>
>
> OK, from an HTML point of view there is no answer as it is not an HTML
> issue. HTML is client side, not server side.


Not truuuueeeeeee....

XHTML also has server side implications, especially if you are doing a
lot of translations (XSLT). It may only be DISPLAYED client side, but
that doesn't mean it's only processed client side.

--


x theSpaceGirl (miranda)

# lead designer @ http://www.dhnewmedia.com #
# remove NO SPAM to email, or use form on website #
 
 
Bernhard Sturm
 
      01-06-2005


On 1/6/2005 3:26 PM rf spoke thusly
> "Bernhard Sturm" <(E-Mail Removed)> wrote
>
>
>>On 1/6/2005 2:59 PM rf spoke thusly
>>
>>>"Bernhard Sturm" <(E-Mail Removed)> wrote
>>>
>>>
>>>>Hi Group
>>>>I don't know if it's the right place to ask, but I'll try it:
>>>
>>>
>>>Probably not, especially since you multiposted exactly the same thing over
>>>in alt.php, where the subject *is* on topic.

>>
>>i posted it first here... and later in alt.php. as it is a server
>>related issue I am not even sure, if it fits into alt.php... so I hoped
>>that someone here had the same problem before (as I am more in alt.html
>>than alt.php)... yeah I know lame excuse, but since I asked, I hoped for
>>an answer.

>
>
> Hmmm. A group dealing with hosting stuff may be better. alt.www.webmaster?
> One of the comp hierarchy?
>
>
>>>Where do you want your answer?

>>
>>anywhere

>
>
> OK, from an HTML point of view there is no answer as it is not an HTML
> issue. HTML is client side, not server side.


okay.. i have found an answer.. it's a pretty serious issue as it deals
with a known vulnerability of include() published recently in the german
c't magazin... since it's not of interest here I will post the answer in
alt.php...

cheers for your help

> Crossposting to appropriate newsgroups is recommended. Multiposting is
> frowned upon, it splits the conversation into two or more disparate groups.
> Those who work hard on an answer here may find that the same answer has
> already been posted elsewhere. With crossposting everybody sees all the
> answers in all groups.


okay.. thanks.. I always thought cross-posting was frowned upon (I did
it once, and got flamed...)


bernhard
--
www.daszeichen.ch
remove nixspam to reply

 
 
Neal
 
      01-06-2005
Bernhard Sturm <(E-Mail Removed)> wrote:


> okay.. thanks.. I always thought cross-posting was frowned upon (I
> did it once, and got flamed...)


Crossposting is annoying when the post is not on topic for all
newsgroups. That may be what happened.

Better to choose only one group, but if it really is on topic for
both, crosspost.
 
 
Bernhard Sturm
 
      01-06-2005


On 1/6/2005 3:54 PM Neal spoke thusly
> Bernhard Sturm <(E-Mail Removed)> wrote:
>
>
>> okay.. thanks.. I always thought cross-posting was frowned upon (I did
>> it once, and got flamed...)

>
>
> Crossposting is annoying when the post is not on topic for all
> newsgroups. That may be what happened.
>
> Better to choose only one group, but if it really is on topic for both,
> crosspost.


so it was okay not to crosspost in this case, as I was really not sure,
if it's of concern for alt.html. And it turned out, that my multipost
was frowned upon, but the crosspost would have been as well.. sigh..
it's hard to post these days.. but anyway I was able to find a solution
to my problem..

bernhard
--
www.daszeichen.ch
remove nixspam to reply

 
 
Jeffrey Silverman
 
      01-06-2005
On Thu, 06 Jan 2005 14:50:07 +0100, Bernhard Sturm wrote:

> Hi Group
> I don't know if it's the right place to ask, but I'll try it:
>
> I have set up a site using PHP includes for the content parts of a page:
>
> I have one index.php that uses different includes for menu, navigation,
> footer and header. the content is included through this part of the code:
>
> <div id="middle" align="left">
> <?php // include content
> include($content);
> ?>
> <br />
> </div>
>
> via URL parameter content the content is fed to the index.php. Like this:
> http://cellntec/sandbox/index.php?co...tact/index.php
>
> Where the content is kept in content/index.php e.g.:
>
> <p>Using novel progenitor cell-targeted isolation techniques and culture
> media, xxxx
> Advanced Cell Systems has developed a range of epithelial in vitro
> systems with
> a striking suite of features. These include</p>
>
> now my host has shut down the site because he says that this will put a
> threat to all his virtual servers on the same server... I have no clue
> (and maybe my PHP knowledge is too limited...) Is there a known exploit
> for URL parameters?
>
> thanks for any reply
>
>
> bernhard



I don't think there is an exploit, per se, for URL parameters. But what
you are trying looks dangerous! At the very least, sanitize the code with
some checking of the variable before you include() it!

if (is_file($content)){
include($content);
}

I am probably missing something important but this is a start at least.

--
Jeffrey D. Silverman | (E-Mail Removed)
Website | http://www.newtnotes.com

Drop "PANTS" to reply by email

 
 
Bernhard Sturm
 
      01-06-2005


On 1/6/2005 4:24 PM Jeffrey Silverman spoke thusly
> On Thu, 06 Jan 2005 14:50:07 +0100, Bernhard Sturm wrote:
>
>
>>Hi Group
>>I don't know if it's the right place to ask, but I'll try it:
>>
>>I have set up a site using PHP includes for the content parts of a page:
>>
>>I have one index.php that uses different includes for menu, navigation,
>>footer and header. the content is included through this part of the code:
>>
>><div id="middle" align="left">
>> <?php // include content
>> include($content);
>> ?>
>> <br />
>></div>
>>
>>via URL parameter content the content is fed to the index.php. Like this:
>>http://cellntec/sandbox/index.php?co...tact/index.php
>>
>>Where the content is kept in content/index.php e.g.:
>>
>><p>Using novel progenitor cell-targeted isolation techniques and culture
>>media, xxxx
>>Advanced Cell Systems has developed a range of epithelial in vitro
>>systems with
>>a striking suite of features. These include</p>
>>
>>now my host has shut down the site because he says that this will put a
>>threat to all his virtual servers on the same server... I have no clue
>>(and maybe my PHP knowledge is too limited...) Is there a known exploit
>>for URL parameters?
>>
>>thanks for any reply
>>
>>
>>bernhard

>
>
> I don't think there is an exploit, per se, for URL parameters. But what
> you are trying looks dangerous! At the very least, sanitize the code with
> some checking of the variable before you include() it!
>
> if (is_file($content)){
> include($content);
> }
>
> I am probably missing something important but this is a start at least.


you are right. is_file would be one solution. I have chosen the
solution to ensure that only files within a certain directory hierarchy
are allowed to be processed by the script. so no '../../etc/passwd' can
be read out (which would still be possible with is_file...) but anyway,
it's OT here.


bernhard
--
www.daszeichen.ch
remove nixspam to reply
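
Added example (not part of the thread and not any poster's code): the directory-containment check Bernhard Sturm describes in the post above, which closes the gap he points out in the is_file() test suggested by Jeffrey Silverman, since is_file() is true for any existing file in any directory. CONTENT_ROOT, resolve_content() and the ".php only" rule are assumptions for illustration, and the content value is taken relative to CONTENT_ROOT.

```php
<?php
// Added example, not code from the thread. CONTENT_ROOT, resolve_content()
// and the ".php only" rule are assumptions made for illustration.
define('CONTENT_ROOT', __DIR__ . '/content');

// Map the client-supplied "content" value to a file that is safe to include.
// Returns the canonical path, or null when the request must be rejected.
function resolve_content($requested, $root = CONTENT_ROOT)
{
    // Reject non-strings (content[]=x), empty values, NUL bytes and
    // anything that names a stream wrapper (scheme://...).
    if (!is_string($requested) || $requested === ''
        || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false) {
        return null;
    }

    // realpath() resolves "..", "." and symlinks; false if nothing is there.
    $base = realpath($root);
    $path = realpath($root . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // Containment: the canonical path must begin with "<base>/". The trailing
    // separator keeps a sibling such as "content-old" from matching "content".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Include page fragments only, not every readable file under the root.
    if (pathinfo($path, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    return $path;
}

// Resolve before any output is sent so the 404 header can still be set.
$content = resolve_content(isset($_GET['content']) ? $_GET['content'] : '');
if ($content === null) {
    header('HTTP/1.0 404 Not Found');
    exit('Unknown page');
}
include $content;
```

The comparison is made on the canonical path returned by realpath(), not on the raw parameter, so a value containing "../" is judged by where it actually lands.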

 