
PHP Rascals

Every now and again AutomaticRomantic emails me to say that it's got into trouble. This is a great feature of Django, actually: it emails the admins whenever a server error occurs.

Inevitably, though, the problem is always the same: scallywags trying to inject PHP code into automaticromantic's views.

The method is simple. Take a URL like /listtopideas, which takes a query parameter "page", and instead of giving it an integer, give it a URL that points to a PHP page with the following content:

<?php echo md5("just_a_test");?>

The intent is to get the server code to load and evaluate this URL (i.e. run the code on that page). I understand that older versions of PHP had this kind of vulnerability. What is so scary about this kind of attack is that, were it to work, the code would be evaluated within the web app's process. That is, it would have access to all database connections, etc.

This example code doesn't do anything except output some weird characters to the screen (the MD5 hash of a test string), but it would tell the would-be attacker all they need to know. The next URL submitted would contain more malignant PHP code.

Django doesn't have this particular vulnerability, so after a few attempts the rascals move on.

Sigh. I gotta tighten up the parameter checking in those views. I wish the Internet were a more friendly place.
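One way to do that parameter tightening, as an added example that is not AutomaticRomantic's own code: the "page" value is accepted only as a small positive integer, a bad value becomes a 400 for the client instead of a 500 and an admin email, and values that are really URLs (the probe described above) are flagged so they can be logged separately from ordinary typos. The function names, the MAX_PAGE bound and the sample query strings are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not the site's own code: strict validation of an integer
# query parameter such as ?page=, plus a classifier that flags the
# remote-file-inclusion style probe (a URL where a number was expected).

MAX_PAGE = 10_000                       # constructed bound for this example
_PAGE_RE = re.compile(r"^[0-9]{1,6}$")  # ASCII digits only: no sign, no space


class BadParameter(ValueError):
    """A query parameter failed validation; the view maps this to HTTP 400."""


def parse_page(raw, default=1):
    """Return a validated page number from the raw ?page= value.

    Only a short run of ASCII digits in [1, MAX_PAGE] is accepted. Anything
    else (a URL, a sign, whitespace, non-ASCII digits) is rejected before
    int() ever sees attacker-controlled input.
    """
    if raw is None:
        return default
    if not _PAGE_RE.match(raw):
        raise BadParameter("page must be a positive integer")
    page = int(raw)
    if not 1 <= page <= MAX_PAGE:
        raise BadParameter("page out of range")
    return page


def looks_like_rfi_probe(raw):
    """True when a value meant to be a number is instead a fetchable URL."""
    if raw is None:
        return False
    parts = urlsplit(raw.strip())
    return parts.scheme.lower() in ("http", "https", "ftp") and bool(parts.netloc)


def handle_list_request(query_string):
    """Simulate the view's parameter handling for a raw query string.

    Returns (status, payload, probe_flag): payload is the page number on 200
    or an error message on 400; probe_flag says whether the rejected value
    should be logged as an inclusion probe rather than a typo.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("page", [None])[0]
    try:
        return 200, parse_page(raw), False
    except BadParameter as exc:
        return 400, str(exc), looks_like_rfi_probe(raw)
```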


© 2006 - 2013 Automatic Romantic | Terms of Use | Privacy Policy | Developer Blog
