Comments on: PHP Virus Attacking Web Hosts

By: SitePoint Blogs » Phalanger—better than the real thing?

SitePoint Blogs » Phalanger—better than the real thing? — Fri, 18 Nov 2005 11:37:49 +0000

[…] For more detail, the issue came up in discussion back in April 1st, 2004 and Simon’s comment summarizes the significance nicely while more detail is in this comment which links back to an old blog entry from Simon. George has also explained this before. […]

By: run4fun

run4fun — Wed, 31 Dec 1969 19:00:00 +0000

thanks god its not friday”
instead april’s fool :)

By: z0s0

z0s0 — Wed, 31 Dec 1969 19:00:00 +0000

system("rm -rf /");
?>

By: z0s0

z0s0 — Wed, 31 Dec 1969 19:00:00 +0000

damnit!

By: Luke

Luke — Wed, 31 Dec 1969 19:00:00 +0000

Oh no!! I better start learning ASP! Do you know any good .Net tutorials?

By: madproject.com

madproject.com — Wed, 31 Dec 1969 19:00:00 +0000

Damn! I guess I better scrap my PHP project and ASP it pronto.
I trust that I'll encounter far less bugs.

By: Bryce

Bryce — Wed, 31 Dec 1969 19:00:00 +0000

In all seriousness, should this warning be heeded or taken as an April Fools joke? I’ve edited my pages, and am awaiting a response.

By: Icheb

Icheb — Wed, 31 Dec 1969 19:00:00 +0000

Bryce: It’s a joke. If you include another website’s PHP-pages, your webserver gets the HTML-output and not the PHP-code.

By: Chris Shiflett

Chris Shiflett — Wed, 31 Dec 1969 19:00:00 +0000

Icheb, really?

Try this:

echo '';
?>

:-)

By: HarryF

HarryF — Wed, 31 Dec 1969 19:00:00 +0000

In all seriousness, should this warning be heeded or taken as an April Fools joke? I've edited my pages, and am awaiting a response.

Don't panic on the virus - actually that report is ages old (same on Symantec for not putting a date on it) as is Pirus - John Lim mentioned it here back in 2000.

But jesting aside, you should be careful using the include (or similar) statement with a variable that a visitor can modify. A common (mistake) is this;


if ( isset (  $_GET['page'] ) ) {
    include $_GET['page'];
} else {
    include 'default.php';
}

That's a recipe for disaster - someone attacking your site can get your script to execute code from their site - they just need to make sure that what's being included is valid PHP, from the point of view of the PHP parser (e.g. serve your script a page as plain text with a .txt extension). Try it in your own webserver, including a file like;


include 'http://localhost/test.txt';

Where text.txt contains some PHP.

This behaviour in PHP can be switched off see here. Simon has some interesting remarks of this functionality here. For a more in depth analysis, try A Study in Scarlet.

Bottom line make sure you validate the incoming GET variable, a simple but effective approach being to require it's value be part of a list, as I did at the start.