Was crawling on the Internet for the last day of 2011 and i saw someone trying to hack a wordpress website using the timthumb exploit.
Maybe you about it, maybe you don’t. Anyway, i’ll show you how to exploit the vuln
For of all you should find a wordpress using any theme having the timthumb.php Read the rest of this entry
PHP is prone to a security-bypass vulnerability.Successful exploits will allow an attacker to delete files from the root directory, which may aid in further attacks.
PHP 5.3.6 is vulnerable; other versions may also be affected.
Webmasters are advised to manually patch their PHP installations after a serious flaw allowing attackers to potentially delete files from their root directories was publicly disclosed.
The vulnerability lies in the « SAPI_POST_HANDLER_FUNC() » function in rfc1867.c and can be exploited to append forward or back slashes before the file name during an upload. This allows an attacker, for example, to delete files from the root directory or can be combined with other vulnerabilities to enhance attacks. The flaw is described as an input validation error and security bypass issue. Vulnerability research vendor Secunia rates it as « less critical. » A Polish web application developer named Krzysztof Kotowicz is credited with discovering and reporting the issue, but even though it was patched on June 12, details about the flaw have been available online since May 27.
The vulnerability, identified as CVE-2011-2202, affects PHP 5.3.6 and earlier versions. No new package has been released yet, but a patch can be grabbed from the repository and applied manually. The vulnerability does not require authentication, and has a partial impact on system integrity. System confidentiality are affected too.
It’s still unclear whether its access complexity should be low, as listed in an IBM XSS Force advisory, or high, as considered by the Red Hat security team.
Exploit found on pastebin.com
HTTP Request:
====
POST /file-upload-fuzz/recv_dump.php HTTP/1.0
host: blog.security.localhost
content-type: multipart/form-data; boundary=———-ThIs_Is_tHe_bouNdaRY_$
content-length: 200
————ThIs_Is_tHe_bouNdaRY_$
Content-Disposition: form-data; name= »contents »; filename= »/anything.here.slash-will-pass »;
Content-Type: text/plain
any
————ThIs_Is_tHe_bouNdaRY_$–
HTTP Response:
====
HTTP/1.1 200 OK
Date: Fri, 27 May 2011 11:35:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 30
Connection: close
Content-Type: text/html
/anything.here.slash-will-pass
PHP script:
=====
if (!empty($_FILES['contents'])) { // process file upload
echo $_FILES['contents']['name'];
unlink($_FILES['contents']['tmp_name']);
}
Time for me to write an article after the awesome post from luc about php.net hack rumors.
I’ll give you here some tips i used a loooong time ago. I used it to gather a maximum of fresh new content and backlinks. Let’s brain a little bit here.
It’s more a psychological trap for SEO admin checking stats x20 /day :) Read the rest of this entry
In most network applications, managing incoming flow is an important thing, and is a quite hard thing to set up. In case your algorithm is too restrictive, you will drop too much connection, and in case it’s too permissive, you will accept undesired connections. The real need is to tell your application: « Accept N connection(s) in a X second(s) time range ».
The way you should decide if a connection have to be dropped or not is looking in an historic of X second(s) how many connection(s) from an IP have been performed, and then deducing the count. This is the « simple » algorithm that does that:
Last posts