
A moderator of a forum I own did so. I still can't believe it, and I can't understand how he did it. Can someone explain it to me? He said he used only HTTP GET requests.

The moderator said that the server (nginx) would normally send the output of the executed PHP files, but since the files are 777, by adding some parameters to the URL he can get the unparsed version of them.

Thanks

AstroCB
cedivad
  • You mean he changed permissions of a file? Well, sounds like he hijacked an exec() or system() statement in the board. But hard to tell without knowing what he did and what board software we're talking about. – Bobby Apr 15 '10 at 07:10
  • I've seen mis-configured Apache instances where .php files triggered the open/save dialog box in the browser - Apache isn't sending those files to the PHP parser. Is this the type of thing you mean? – John McCollum Apr 15 '10 at 07:15
  • The moderator said that the server (nginx) would normally send the output of the executed php files, but since that the files are 777 adding some parameters to the URL he can get the unparsed version of it. Thanks. – cedivad Apr 15 '10 at 07:26
  • You have stated that nginx is serving the files, so why is apache a tag for this question? Have you asked the moderator to tell you what they did? – cEz Apr 15 '10 at 13:32
  • The mod won't reply to me... I don't know why I tagged it with apache instead of nginx =) – cedivad Apr 17 '10 at 18:12
  • @cedivad If the moderator has been given sufficient time to reply and is refusing to, you might want to reconsider their status as a moderator. Are you running the latest version of nginx? – cEz Apr 18 '10 at 20:05
  • I just retagged it for you :p. – wimvds Apr 21 '10 at 11:25
  • He is an ex-mod of my site; he left some time ago because he didn't have enough time. Anyway, I have the reply: it was a bug in the 0.8.x branch of nginx. He is a system admin, and he helped me fix permissions. – cedivad May 07 '10 at 14:16

2 Answers

If there's a badly written download script on the site then it's as easy as rewriting the URL to download any file (including PHP source files). That could be just what he did, so you'd better check that the forum software (and installed 3rd party modules) you are using doesn't contain any known vulnerabilities.

wimvds


A properly configured server will only execute .php files, not reveal their source. But a badly configured server CAN serve up the PHP source via a .phps symbolic link pointing at the original file.

Beyond that, query parameters cannot tell PHP to serve up the source, unless the source in question has a backdoor in it, something like:

<?php
// Backdoor: when the request carries this parameter, the script sends its own
// source to the client instead of running normally.
if (isset($_REQUEST['gimme_the_codez'])) {
    readfile($_SERVER['SCRIPT_FILENAME']);
    exit();
}

Of course, since the file's mode is 777, if you can get into the directory it's in, you can get the file directly, or slap in the backdoor trivially.

Marc B
  • Can you explain this better? ------- Of course, since the file's mode 777, if you can get into the directory it's in, you can get the file directly, or slap in the backdoor trivially. ------- – cedivad Apr 17 '10 at 18:06
  • If you have shell access to the server, or at least some way of executing an arbitrary program on the server, a mode 777 file can be subverted, as it's universally accessible. – Marc B Apr 17 '10 at 23:11
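An added defender-side check, not code from either answer or from any forum software: it walks a web root for the two conditions wimvds and Marc B describe (world-writable .php files, and scripts that read their own source back to the client on request) and classifies an HTTP response body as raw PHP source rather than PHP output, which is what a misconfigured nginx would hand out. The sample tree in demo() and the backdoor pattern list are constructed for illustration.

```python
"""Audit a PHP web root for world-writable scripts and self-disclosure
backdoors, and recognise a raw-source response from the web server."""
import os
import re
import stat
import tempfile

# Calls that send the executing script's own source back to the client
# (constructed list; extend with whatever your code review turns up).
SELF_DISCLOSURE = re.compile(
    r"\b(readfile|show_source|highlight_file|file_get_contents)\s*\(\s*"
    r"(\$_SERVER\[\s*['\"]SCRIPT_FILENAME['\"]\s*\]|__FILE__)"
)


def audit_webroot(root):
    """Return {relative_path: [issues]} for every .php file with a finding."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            issues = []
            if os.stat(path).st_mode & stat.S_IWOTH:   # the "777" case
                issues.append("world-writable")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if SELF_DISCLOSURE.search(fh.read()):
                    issues.append("self-disclosure")
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings


def looks_like_raw_source(body):
    """True when a response body is unparsed PHP (<?php or short tags)."""
    return "<?php" in body or re.search(r"<\?(=|\s)", body) is not None


def demo():
    """Constructed sample web root: one clean file, one 777 file with a backdoor."""
    root = tempfile.mkdtemp()
    ok = os.path.join(root, "index.php")
    with open(ok, "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    os.chmod(ok, 0o644)
    bad = os.path.join(root, "inc", "config.php")
    os.makedirs(os.path.dirname(bad))
    with open(bad, "w") as fh:
        fh.write("<?php\nif (isset($_REQUEST['gimme_the_codez'])) {\n"
                 "    readfile($_SERVER['SCRIPT_FILENAME']);\n    exit();\n}\n")
    os.chmod(bad, 0o777)
    return audit_webroot(root)
```

Run audit_webroot() against the real document root after a fix; an empty result and a false looks_like_raw_source() on a fetched .php page are the two things to confirm.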