Remote File Inclusion: It needs your attention NOW!

I just read on PHPDeveloper that there is a new security problem that needs urgent attention of any php developer. It's RFI, a way for evil crackers to run their code of choice on your server, exposing such information as passwords, or even enabling them to get shell access to your system and maybe become root.

I just read on PHPDeveloper that there is a new security problem that needs urgent attention of any php developer. It's RFI, a way for evil crackers to run their code of choice on your server, exposing such information as passwords, or even enabling them to get shell access to your system and maybe become root. LWN has a good article describing the problem, offering simple solutions that every developer should already be using but sadly not everyone actually does. They also link to the code that crackers are actually using, as taken from their logs where attempts to exploit the RFI vulnerability are being seen at a rate of some 1 attempt per second.
October 13, 2006 - tags: technology
Add comment

Comments

gravatar PHP Resellers Hosting: It’s not a new thing, this has been around since the age of PHP. register_globals is evil and all other counter measures (such as basedir) are just an attempt to account for peoples bad programming.

Not slagging off your post, it’s important to highlight but thought I’d give my 2pence :)

p.s. When I tab from the http box on your comments it doesn’t go to the Message box which is annoying ;)
October 14, 2006
gravatar left: I realize indeed that it’s all just to fix people’s bad coding. Which is why I am glad that in PHP6, people will not be able to rely anymore on open_basedir, register_globals etc. I won’t declare myself a saint, but I do pay attention to these problems and attempt not to write any of these bugs into my own code. The reason of my post was to call this to attention of others.

Tab index problem: Sorry, it’s I guess part of this template. I’m in the CSS Reboot, I’ll ensure the new design won’t have this problem :)
October 16, 2006

Php5_zce_logo

Upcoming events

I will be speaking 05-06-2012: Forum PHP
I will be attending 06-06-2012: Symfony Live Paris 2012
I will be attending 07-06-2012: Symfony Live Paris 2012
I will be attending 08-06-2012: Symfony Live Paris 2012
I will be attending 09-06-2012: Symfony Live Paris 2012
I will be attending 23-06-2012: PHP TestFest NL

Tags

1337 2008 2010 2011 4developers access modifiers accessibility AdaLovelaceDay09 advent agavi agile alfred amsterdam apache api apple article articles atk atkMetaNode audioscrobbler autoloading automation azure backwards compatibility barcelona barcodes bash bbc bbq beatstad belgium best practices bittorrent blogging blogs boards of canada book books bughuntday bundle caching cake cal evans calendar career cat cerf certificate cfp cilex clear cms cologne common sense communities community components composer conference conferences contest continuous integration contribute contribution crisis css curl custom d-day datetime DbFinderPlugin decorator decorators deployment deps devdays development directoryindex directoryiterator docblox doctrine documentation download dpc dpc09 dpc10 dpc11 DPC2008 dreamhost drupal dv7 eclipse ed editors efficiency enterprise errors event events expertise ezcomponents facebook filter-branch filteriterator finland flickr fork framework frameworks freelance freeze frontend fun game games geoip germany getting real git github globiterator gnome-do google google calendar googletalk graceful degradation hack hackers hidden gem hiphop howto hp HR html http i386 ibuildings icann ide ideasofmarch idm imovie inclusivity indy ingewikkeld integration international php conference internet interview ipad IPC ipc ipc08 ipc10 ipc11se iterators iterm2 javascript jenkins jenkins-php job job openings jobeet john peel joomla joomladays kiva kubuntu launcher launchy left on the web libcurl libraries library lighttpd lime linktuesday linux live london loudblog m2ts mac magazines malware mambo marjolein mediterra meeting meme meta methodology micro-financing microframework microsoft migration movie music mysql namespace namespaces netbeans netherlands newsfire nllgg northeastphp nos odmarco open source opinion ORM osx paradiso paris partnership pavilion pear pecl performance personal pfc10 pfc11 pfcongres pfcongrez pfz photo php PHP php5.3 phpabstract phpazure phpBB phpbb phpbelgium phpbenelux phpbnl10 phpday phpdoc phpdocumentor phpgg phpitalia phpnw phpnw08 phpnw11 phpstorm phptek phptek09 phpuk2009 phpUnderControl phpunit php|architect php|tek podcast politics portability postcrossing presentation presentations private projects protected prototype PSR-0 public python qa qr codes re2c recruiting refactoring review rewrite ruby on rails san francisco schedule scifi script security sensio seven things sfdaycgn sflive2011 shell scripting silex simplexml slides smfony software sogeti solar sound speakers spl ssh standard standards star trek static steer strings stylesheets subversion symfony symfony live Symfony2 symfonycamp symfonyday symfonylive symfonyUnderControlPlugin talk talks tech techademy technology techportal tek09 telecommuting terratec terrorism testfest testing textmate textpattern the right tool timeout tips tld todo tomas tools training twig uncon unet usability usergroup validation vhost video vim vinyl virus warp webinar weblogging webservices wiki windows winphp women wordpress work workshop world world of warcraft wpi writing wunderlist xml xpath xsd yara year youtube zc11 ZCE zemanta zend zend framework zend server zend studio zendcon Zend_Form zite
© 2004 - 2012 Stefan Koopmanschap + Powered by Symfony, photos powered by Flickr, links powered by Delicious, Shanghai smilies by Iconbuffet. Feeds: rss / atom. Left on the Web v4.4.0.1