Left on the Web

Remote File Inclusion: It needs your attention NOW!

I just read on PHPDeveloper that there is a new security problem that needs the urgent attention of every PHP developer. It's RFI (Remote File Inclusion), a way for evil crackers to run code of their choice on your server, exposing information such as passwords, or even giving them shell access to your system and possibly root. LWN has a good article describing the problem and offering simple solutions that every developer should already be using, though sadly not everyone does. They also link to the code the crackers are actually using, taken from their logs, where attempts to exploit the RFI vulnerability are seen at a rate of roughly one per second.
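As an added illustration (not code from the post or from the LWN article), here is the include pattern that RFI abuses next to the simple allow-list fix the article is talking about; the `pages/` directory and the page names in it are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a pages/ directory next to
// this script that contains home.php and about.php.

// VULNERABLE: the include target comes straight from the request. With
// allow_url_fopen/allow_url_include enabled (register_globals made this even
// easier to hit), a remote URL in ?page= makes PHP fetch and execute someone
// else's script; even with remote includes off, a local path is still at the
// mercy of the user.
function render_page_vulnerable(): void
{
    $page = $_GET['page'] ?? 'home';
    include $page;
}

// HARDENED: never build an include path from user input. Map the request value
// onto a fixed allow-list and fall back to a safe default for anything else.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolve_page(string $requested): string
{
    // Unknown values (URLs, ../ sequences, null bytes) never reach include.
    return PAGES[$requested] ?? PAGES['home'];
}

function render_page_safe(): void
{
    $file = __DIR__ . '/pages/' . resolve_page((string) ($_GET['page'] ?? 'home'));
    include $file;
}

// Defence in depth, in php.ini rather than in code:
//   allow_url_include = Off   (remote code can never be include()d at all)
//   register_globals  = Off   (request data no longer lands in local variables)
render_page_safe();
```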

Comments

gravatar PHP Resellers Hosting: It’s not a new thing; this has been around since the age of PHP. register_globals is evil, and all other counter-measures (such as basedir) are just an attempt to account for people’s bad programming.

Not slagging off your post, it’s important to highlight, but I thought I’d give my 2 pence :)

P.S. When I tab from the http box on your comments it doesn’t go to the Message box, which is annoying ;)
gravatar left: I realize indeed that it’s all just to fix people’s bad coding, which is why I am glad that in PHP6 people will no longer be able to rely on open_basedir, register_globals etc. I won’t declare myself a saint, but I do pay attention to these problems and attempt not to write any of these bugs into my own code. The reason for my post was to call this to the attention of others.

Tab index problem: Sorry, I guess it’s part of this template. I’m in the CSS Reboot, so I’ll ensure the new design won’t have this problem :)
© 2004 - 2008 Stefan Koopmanschap + Powered by Symfony, photos powered by Flickr, links powered by Ma.gnolia, Shanghai smilies by Iconbuffet. Feeds: rss / atom. Left on the Web v4.2.2