Gaining execute permissions through lax Zend directory permissions - vulnerability warning - the black bar safety net

ID MYHACK58:62201233913
Type myhack58
Reporter Anonymous
Modified 2012-05-19T00:00:00


Many servers have Zend installed. Even if permissions on C:\Program Files\ have been tightened, the Zend installer automatically sets the permissions of the C:\Program Files\Zend\ZendOptimizer-3.3.0\ directory to Everyone: Full Control, which allows an intruder to write files into that directory.

Suppose a hacker breaks into a server that only supports ASP or PHP, has no execute permissions, and has the execution components disabled, leaving only read and write file permissions (read and write are all that is needed here). The file ZendExtensionManager.dll under C:\Program Files\Zend\ZendOptimizer-3.3.0\lib is loaded by the running process, yet it can still be replaced by first renaming it.

The hacker then only has to swap this DLL for one of their own and it will be loaded. Testing showed that simply uploading a DLL to replace the original does not get it loaded by Zend. Changing the approach: the replacement should load the related DLL and then expose the associated interface. Zend loads -> the replacement DLL (named ZendExtensionManager.dll) -> which loads the original DLL (the original file, renamed to ZendExtensionManager.dll.log, loaded by the replacement itself). Test: loaded successfully! What the DLL then does could be remote control or an execution module; that depends on imagination.

That is all for this topic; what can be done with it is up to you.

(Out of respect for domestic law, the relevant test files are not provided, only the idea and the fix; please do not ask me for the files. Thank you for your cooperation.)

How to solve this problem
----------------------------------------------------------------------------------------
Set the Everyone permissions on C:\Program Files\Zend\ZendOptimizer-3.3.0\ to read-only; that is enough. Hopefully all webmasters will take a look and strengthen their precautions.
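The following PowerShell is an added example, not code from the advisory: it audits the directory's DACL for any entry that gives Everyone (SID S-1-1-0) a write-capable right, which is the condition the advisory describes, and can replace such entries with ReadAndExecute, the read-only fix recommended above. The function names are my own; the path is the one named in the advisory.

```powershell
# Added example (not from the advisory): find ACEs that grant Everyone a
# write-capable right on a directory, and optionally reduce them to read-only.
$EveryoneSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

# Only the bits that allow creating, replacing, renaming or deleting files, or
# changing the ACL itself. Plain Read / ReadAndExecute do not match this mask.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-EveryoneWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $EveryoneSid -and
        ([int]$_.FileSystemRights -band [int]$WriteMask) -ne 0
    }
}

function Repair-EveryoneWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $weak = @(Get-EveryoneWriteAce -Path $Path)
    if ($weak.Count -eq 0) { Write-Host "No write-capable Everyone ACE on $Path"; return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $weak) {
        # Inherited ACEs cannot be removed here; they must be fixed on the parent.
        if ($ace.IsInherited) { Write-Warning "Inherited ACE ($($ace.FileSystemRights)) on $Path; fix the parent"; continue }
        [void]$acl.RemoveAccessRule($ace)
    }
    # Everyone keeps read and execute so the DLLs can still be loaded, nothing more.
    $readOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $EveryoneSid,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($readOnly)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (path from the advisory; run from an elevated prompt):
$zend = 'C:\Program Files\Zend\ZendOptimizer-3.3.0'
Get-EveryoneWriteAce -Path $zend | Format-Table IdentityReference, FileSystemRights, IsInherited
# Repair-EveryoneWriteAce -Path $zend
```

Run the audit function against any other directory that web-server or PHP extension processes load modules from; the same check applies wherever Everyone can write into a module search path.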

Author: d