A fun one: <?php echo `uname -a `; ?>
Output:
Linux fuel.bravegamer.com 2.6.18-128.1.10.el5PAE #1 SMP Thu May 7 11:14:31 EDT 2009 i686 i686 i386 GNU/Linux
Only "security" is this array of items which are regexed out of whatever you submit (and as you pointed out, completely fail to even prevent those functions from being called.
Explored a bit and sent the guy an email at the whois address of another domain that seems in his possession. The email address in scripterous.com seems broken. root@localhost doesn't seem to get read.
Hi,
Your site scripterous.com is a security leak for your server. I was able to kill web server processes, investigate your server, and generally do things I shouldn't be able to do. A denial of service attack would be easy by constantly killing the web server and if there was a local root exploit (which I didn't look for) I could have executed that as well.
I wanted to send an email to the root account on the server, but it doesn't seem to get read.
You can view a bit more of the discussion on the security implications at http://news.ycombinator.com/item?id=827500 (Despite the name and the subject we're discussing, that site is normally not about this kind of hacking.)
Your site is an interesting concept and it would definitely be interesting to have it around. Nonetheless I fear that the concept of the site is the cause of the security leaks. I'm not a security expert, but it is my opinion that it's not possible to make a site like this secure, without reimplementing PHP.
Best regards,
[Real name omitted, because I don't want this nick name to show up when people search my real name.]
Well, that is what I get for uploading and old project without taking in some consideration on it. Thank you to lucumo for the head's up on this and the rest of your for your exploits. Things should be a bit more secure now.
18 comments
[ 3.0 ms ] story [ 53.5 ms ] thread<?php echo `echo 'hello' | mail -s Hello darth.vader@yahright.com`; ?>
A fun one: <?php echo `uname -a `; ?> Output: Linux fuel.bravegamer.com 2.6.18-128.1.10.el5PAE #1 SMP Thu May 7 11:14:31 EDT 2009 i686 i686 i386 GNU/Linux
$replace = array('<?php', '?>', '<?', 'mkdir', 'eval', 'exec', 'copy', 'move', 'curl', 'passthru', 'system', 'popen', 'proc_close', 'proc_open', 'proc_ terminate', 'proc_nice', 'shell', 'dl');
Not in safe-mode, also running eaccelerator. It will be cracked within a week, I am sure.
../tmp/ is writeable.
Hi,
Your site scripterous.com is a security leak for your server. I was able to kill web server processes, investigate your server, and generally do things I shouldn't be able to do. A denial of service attack would be easy by constantly killing the web server and if there was a local root exploit (which I didn't look for) I could have executed that as well.
I wanted to send an email to the root account on the server, but it doesn't seem to get read.
You can view a bit more of the discussion on the security implications at http://news.ycombinator.com/item?id=827500 (Despite the name and the subject we're discussing, that site is normally not about this kind of hacking.)
Your site is an interesting concept and it would definitely be interesting to have it around. Nonetheless I fear that the concept of the site is the cause of the security leaks. I'm not a security expert, but it is my opinion that it's not possible to make a site like this secure, without reimplementing PHP.
Best regards,
[Real name omitted, because I don't want this nick name to show up when people search my real name.]
mail() is working.
Can read and browse various directories using opendir() and friends.
Warning (512): Cache not configured properly. Please check Cache::config(); in APP/config/core.php [CORE/cake/libs/configure.php, line 663]
Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array [CORE/cake/libs/configure.php, line 684]
Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array [CORE/cake/libs/configure.php, line 691]
...
http://www.hping.org/phpinteractive/