This is my first post, so be kind! Basically, I'm trying to get a free host together so am writing some posts. Here's a little summin' summin' about malicious code injection with PHP applications.
Basically, this security exploit is one of the oldest tricks in the book and all comes down to the fact that PHP allows execution of both local and remote scripts with the SAME function... dur. Anyway, this is how it works. Imagine you've just employed a young go-getter, straight outta uni, who has found becoming a Jack of all trades a cinch. You place him on web site design duty and after flicking through a PHP manual he is on his way. Thinking it a good idea to keep separate database connection scripts, headers and whatnot, he may have something along the lines of this...
// Vulnerable: the include target is built straight from the query string
include($_GET['page'] . ".php");
This line of PHP code is then used in URLs like the following example:
Because the $page variable is not specifically defined, an attacker can insert the location of a malicious file into the URL and execute it on the target server as in this example:
This then makes the include function call and execute a remote script from the nosey_bastard domain, which could do all sorts of nasty, even delete the entire content of the website.
You have been warned!
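For comparison, here is the vulnerable line beside an allowlist-based replacement. This is an added example, not code from the original post; the page names, the pages/ directory and the function names are assumptions. The lookup rejects both the remote case (http://...) and the local traversal case (../...) because the user value is only ever a key, never part of a path.

```php
<?php
// Added example (not from the original post). File names are assumptions.

// Vulnerable: whatever arrives in ?page= becomes the include target.
// With allow_url_include enabled this reaches remote URLs as well as local paths.
function include_page_unsafe(): void
{
    include($_GET['page'] . ".php");
}

// Hardened: only files from a fixed allowlist are ever included, and the
// user-supplied value is used as a lookup key, never as part of a path.
const PAGE_MAP = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
    'about'   => 'pages/about.php',
];

function resolve_page(string $requested): ?string
{
    // Unknown keys (e.g. "../../etc/passwd" or "http://evil.example/x") map to null.
    return PAGE_MAP[$requested] ?? null;
}

function include_page_safe(): void
{
    $file = resolve_page($_GET['page'] ?? 'home');
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // Second layer: confirm the resolved path really lives under pages/.
    $base = realpath(__DIR__ . '/pages');
    $real = realpath(__DIR__ . '/' . $file);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(500);
        return;
    }
    include $real;
}

// Demonstration with constructed inputs (the lookup needs no files on disk):
foreach (['home', '../../etc/passwd', 'http://evil.example/shell'] as $p) {
    var_dump(resolve_page($p)); // string for 'home', NULL for the other two
}
```

In a real page you would call include_page_safe() instead of the foreach, and additionally set allow_url_include=Off in php.ini so that include() cannot fetch remote scripts at all.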
Anybody who first of all puts a user modifiable variable into anything that isn't being parsed out, and then puts a pointless delete_all.php page in the same directory deserves to have their website removed. That is just plain stupidity.
That's also called RFI, Remote File Inclusion, if the vuln lets you load a remote page, or LFI, Local File Inclusion, if the vuln lets you load a page on the same server. It was a quite common vulnerability some time ago.