Re: Remote File Include Vulns (Are you testing for it, are you teaching it)

From: Gareth Davies (gareth.davies@mynetsec.com)
Date: Tue Oct 17 2006 - 00:47:35 EDT


Joseph McCray wrote:
> I've been spending a lot of time googling these php shells (c99/r57 et
> al) lately. It appears that people are getting these on servers via
> Remote File Include vulnerabilities.
>
> I'm curious how many auditors are 1) testing for this stuff in your
> audits. Tons of blog, forum, and wiki packages have these vulns - are
> you guys testing for this stuff, and more importantly are you finding it
> vuln in your audits?
>
> Next question is for trainers, how much time are you spending on this
> stuff in your web application security classes. Currently I'm spending a
> hefty chunk of time on the big guns (SQL Injection, Cross-Site
> Scripting, etc). I know these are the usual suspects, but when I get out
> there on the Internet and google for any of these php shells I never get
> past the first search page without finding a compromised server. If you
> check out milw0rm, packetstormsecurity, etc most of the web app vulns
> are remote file includes. Is anyone else noticing this, and what are
> your thoughts?
>
Hi Joseph,

Not sure if you saw this:

http://www.darknet.org.uk/2006/09/fis-file-inclusion-scanner-v01-php-vulnerability/

Might be something to consider.

Like another poster said, though, not many commercial audits I do involve
PHP. It is worth mentioning this in training though, as it seems awfully
common nowadays.

Cheers

-- 
Gareth Davies - ISO 27001 LA, OPST
Manager - Security Practice
Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont’ Kiara, 50480
Kuala Lumpur, Malaysia 
Phone: +603-6203 5303 or +603-6203 5920
www.mynetsec.com
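As an added illustration for the thread (not code from either message or from the scanner linked above), here is the include pattern behind the c99/r57 compromises Joseph describes, beside an allow-listed rewrite of it. The page names, file paths and function names are assumed for the example, which targets PHP 7 or later:

```php
<?php
// Vulnerable pattern: the request decides what gets included. With
// allow_url_fopen enabled (and, from PHP 5.2 on, allow_url_include),
// a remote URL in $page is fetched and executed by the interpreter,
// which is how a PHP shell ends up on the server.
function render_page_vulnerable(string $page): void
{
    include $page;   // user-controlled string reaches include() unchanged
}

// Hardened form: map the request value onto a fixed allow list of local
// files and refuse anything else. No user-controlled string is ever
// concatenated into the include path.
const PAGES = [   // assumed page names for the example
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the local path for a known page name, or null for anything else.
function resolve_page(string $requested): ?string
{
    return PAGES[$requested] ?? null;   // exact key match only
}

function render_page_safe(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        // Unknown values are rejected and logged; a burst of these with
        // URL-shaped values is a useful audit signal for RFI probing.
        http_response_code(404);
        error_log('rejected page parameter: ' . $requested);
        return;
    }
    include $path;
}

render_page_safe($_GET['page'] ?? 'home');

// Defence in depth in php.ini, independent of the application code:
//   allow_url_fopen = Off
//   allow_url_include = Off   ; PHP 5.2 and later
```

The php.ini settings close the remote half of the problem server-wide, but only the allow list stops local file inclusion through the same parameter.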


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:13 EDT