Important Security Issue



News Service
05-16-2004, 08:03 AM
Important Security Issue
Sunday, May 16, 2004 by Kevin Stange (kevin [at] simgames [dot] net)

It has come to my attention through various channels that attackers have begun to target this (and certainly many other servers) to make use of an exploit of poorly coded PHP web sites. The exploit is simple. It makes use of a haphazardly used "include" call in your PHP scripts to execute arbitrary commands on the server, install applications to the /tmp directory, and abuse server resources without even having an account.

The problem is quite simply this:

If you have your site set up so that all the pages feed off a single PHP script, such as the following:

http://mysite.simgames.net/index.php?page=news

with this or similar PHP code: include "$page.php";

You are exposing this exploit to the world. You can make a simple change and prevent this problem completely!

Simply change the include line in your php script to this:

include "./$page.php";

This forces PHP to treat the value of $page as a local server path (./ represents the current directory), rather than a URL. If you do not do this, an attacker can use your account to include PHP code he has written on another web server and run it on our server. You need to do your part to close holes of this kind so we can avoid needing to run PHP in safe mode (which will break many of your scripts), and so we are not forced to suspend or terminate your hosting account due to damage to the server delivered through your account.

As hostees, security of our servers should be just as high a priority for you as it is for us. If you have any concerns or questions, or you believe your site may contain open security holes that could permit your account or scripts to be hijacked by attackers, please contact us and we'll do everything we can to help you. If you don't, you could put your hosting account, and possibly others at risk.

Thank you for your understanding.
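The include pattern the announcement describes, shown as an added example (not code from the original post or from the hosting provider) in its vulnerable form next to a hardened form. Prefixing the value with ./ stops PHP from treating it as a URL, but the prefix alone does not confine the value to one directory, so the hardened version maps the requested page name through a fixed allowlist and confirms the resolved path stays under the pages directory. The pages directory and the page names are constructed for this example.

```php
<?php
// Added example, not from the original post. The page names, the pages/
// directory and the function names are constructed for illustration.

declare(strict_types=1);

// Vulnerable form (as described in the announcement): the request parameter is
// interpolated straight into include. If the PHP configuration allows URL
// wrappers in include, a value that is a URL makes PHP fetch and run remote code.
function includePageUnsafe(string $page): void
{
    include "$page.php";
}

// Hardened form: only names present in the allowlist are ever included, and the
// resolved file must exist inside PAGES_DIR.
const PAGES_DIR = __DIR__ . '/pages';   // constructed path for this example
const ALLOWED_PAGES = [
    'news'    => 'news.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the canonical path of the page file, or null if the request is not
// a known page or the file is missing or outside the pages directory.
function resolvePage(?string $page): ?string
{
    if ($page === null || !isset(ALLOWED_PAGES[$page])) {
        return null;                          // not an allowlisted page name
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$page]);

    // realpath() returns false when the file does not exist. Even for an
    // allowlisted name, confirm the canonical path is still under PAGES_DIR.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function includePageSafe(?string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;                            // only an allowlisted local file
}

// Request handling: $_GET['page'] is untrusted input; default to the news page.
includePageSafe($_GET['page'] ?? 'news');
```

The allowlist approach means no part of the request is ever used as a path, so the PHP URL-wrapper settings cease to matter for this script. As a server-side check, later PHP versions also expose the allow_url_include setting in php.ini, which should be Off unless a script genuinely needs remote includes.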

Allowee
05-16-2004, 10:39 AM
you could try http://www.hardened-php.net/

it might help make things more secure :)

KStange
05-16-2004, 11:40 AM
I will check that out. Thanks Allowee :)