httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lentes, Bernd" <bernd.len...@helmholtz-muenchen.de>
Subject Re: [users@httpd] am i hacked ?
Date Mon, 06 Feb 2017 19:24:53 GMT


----- On Feb 6, 2017, at 8:22 PM, Bernd Lentes bernd.lentes@helmholtz-muenchen.de wrote:

>> OK. I think i understand most of it.
>> First the attacker sets some values appropriate for him. Then he tries to create
>> a file webconfig.txt.php and to write
>> <?php eval($_POST[1]);?> in it.
>> Fortunately wwwrun can't write in /sr/www ... , following
>> http://httpd.apache.org/docs/2.2/misc/security_tips.html years ago.
>> If he could create the file, then he is able to sent arbitrary stuff to it which
>> is executed by eval.
>> 
>> Some things are still unclear for me:
>> 
>> What is the purpose of the two echos ?
>> Why has the request status code 200 ?
>> What is the purpose of the 1 direct behind the question mark ?
>> What is the 1 in the array $_POST ? Arrays start with index 0, i think (i'm not
>> a php developer).
>> 
> 
> The @ in front of the function calls silence the errors:
> http://stackoverflow.com/questions/27645422/what-difference-does-usage-of-symbol-with-ini-set-built-in-function-makes-in
> 

Beside keeping apache and the OS fresh, what do you think of mod_security and/or AppArmor
as an additional layer of security ?
I read that mod_security is quite complicated.


Bernd
 

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Heinrich Bassler, Dr. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message