views: 177
answers: 3
A moderator of a forum I own did so. I still can't believe it, and I can't understand how he did it. Can someone explain it to me? He said he used only HTTP GET requests.

The moderator said that the server (nginx) would normally send the output of the executed PHP files, but since the files are 777, by adding some parameters to the URL he can get the unparsed version of them.

Thanks

+3  A: 

If there's a badly written download script on the site then it's as easy as rewriting the URL to download any file (including PHP source files). That could be just what he did, so you'd better check that the forum software (and installed 3rd party modules) you are using doesn't contain any known vulnerabilities.

wimvds
The problem is that the mod stated he didn't use any bugged/exploitable PHP script...
cedivad
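The "badly written download script" wimvds mentions is the usual way a GET request ends up returning PHP source. The following is an added example, not code from the original thread or from any forum software: a download handler first in the broken form, then hardened so the requested name cannot leave the download directory. The parameter name `file`, the `downloads` directory and the temporary fixture are assumptions made for illustration.

```php
<?php
// Added example, not code from the original thread: a download script of the
// kind wimvds describes, shown as the vulnerable version and a hardened one.
// The parameter name "file", the directory name "downloads" and the fixture
// below are assumptions made for illustration.

// Vulnerable: the client-supplied name is joined onto the directory with no
// check, so ?file=../config.php returns the raw text of config.php instead
// of its executed output. This is the "badly written download script".
function download_vulnerable(string $requested, string $baseDir)
{
    return @file_get_contents($baseDir . '/' . $requested); // readfile() in a real script
}

// Hardened: canonicalise the path and require it to stay inside $baseDir.
// realpath() also follows symlinks, so a link placed inside the directory
// that points outside it is rejected as well.
function download_safe(string $requested, string $baseDir)
{
    if (strpos($requested, "\0") !== false) {
        return false;                       // embedded NUL, reject before touching the FS
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $requested);
    if ($base === false || $real === false) {
        return false;                       // directory missing or target does not exist
    }
    // Containment: the resolved path must begin with "<base>/" (the trailing
    // separator stops /var/www/downloads_old matching /var/www/downloads).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                       // ../ traversal or symlink escape
    }
    if (!is_file($real)) {
        return false;                       // directories, devices, etc.
    }
    return file_get_contents($real);
}

// Constructed fixture: a throwaway web root with a PHP file next to the
// download directory, so the difference is visible without a live server.
function demo(): array
{
    $root = sys_get_temp_dir() . '/dl_demo_' . bin2hex(random_bytes(4));
    mkdir($root . '/downloads', 0755, true);
    file_put_contents($root . '/config.php', "<?php \$db_password = 'secret';\n");
    file_put_contents($root . '/downloads/manual.pdf', "%PDF-1.4 constructed sample\n");
    $base = $root . '/downloads';

    $results = [
        'vuln  manual.pdf'    => download_vulnerable('manual.pdf', $base),
        'vuln  ../config.php' => download_vulnerable('../config.php', $base), // source leaks
        'safe  manual.pdf'    => download_safe('manual.pdf', $base),
        'safe  ../config.php' => download_safe('../config.php', $base),       // false
    ];

    unlink($root . '/downloads/manual.pdf');
    unlink($root . '/config.php');
    rmdir($root . '/downloads');
    rmdir($root);
    return $results;
}

foreach (demo() as $case => $out) {
    printf("%-22s %s\n", $case, $out === false ? '(refused)' : rtrim($out));
}
```

Run it with `php download_demo.php`: the vulnerable function hands back the contents of `config.php` for the traversal input, while the hardened one refuses it and still serves `manual.pdf`. The containment test is done on the result of `realpath()` rather than by stripping `../` from the input, since the latter misses encoded variants and symlinks.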
A: 

A properly configured server will only execute .php files, not reveal their source. But a badly configured server CAN serve up the PHP source via a .phps symbolic link pointing at the original file.

Beyond that, query parameters cannot tell PHP to serve up the source, unless the source in question has a backdoor in it, something like:

if (isset($_REQUEST['gimme_the_codez'])) {
    // Backdoor: any request carrying this parameter receives the raw source
    // of the currently executing script instead of its output.
    readfile($_SERVER['SCRIPT_FILENAME']);
    exit();
}

Of course, since the file's mode 777, if you can get into the directory it's in, you can get the file directly, or slap in the backdoor trivially.

Marc B
Can you explain this better? "Of course, since the file's mode 777, if you can get into the directory it's in, you can get the file directly, or slap in the backdoor trivially."
cedivad
If you have shell access to the server, or at least some way of executing an arbitrary program on the server, a mode 777 file can be subverted, as it's universally accessible.
Marc B
Yes, but theoretically you shouldn't have it...
cedivad
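Marc B's point about mode 777 is that the permission bits, not the query string, are what make the file reachable: every local account can read the source directly and write a backdoor into it. The following is an added example, not code from the original thread, that walks a web root and lists every world-writable file or directory so such files can be found before someone else does. The web root layout and the fixture are constructed for illustration.

```php
<?php
// Added example, not code from the original thread: an audit for the case
// Marc B describes. Mode 777 means every local account can read the file
// (take the source directly) and write it (drop the backdoor in), so the
// script walks a web root and lists anything world-writable. The fixture
// and the path layout are constructed for illustration.

// Return [path => octal mode] for every entry under $root whose "other"
// write bit is set. Group-writable entries are not flagged here; add
// 0020 to the mask if the web server user shares a group with others.
function world_writable(string $root): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = $info->getPerms() & 0777;   // strip the file-type bits
        if (($mode & 0002) !== 0) {
            $found[$path] = sprintf('%04o', $mode);
        }
    }
    ksort($found);
    return $found;
}

// Constructed fixture: a throwaway web root with one correctly protected
// file and one PHP file left at 777.
function demo(): array
{
    $root = sys_get_temp_dir() . '/perm_demo_' . bin2hex(random_bytes(4));
    mkdir($root . '/inc', 0755, true);
    file_put_contents($root . '/index.php', "<?php echo 'hello';\n");
    file_put_contents($root . '/inc/config.php', "<?php \$db_password = 'secret';\n");
    chmod($root . '/index.php', 0644);
    chmod($root . '/inc/config.php', 0777);     // the problem case

    $report = world_writable($root);

    unlink($root . '/inc/config.php');
    unlink($root . '/index.php');
    rmdir($root . '/inc');
    rmdir($root);
    return $report;
}

$report = demo();
if ($report === []) {
    echo "no world-writable entries\n";
}
foreach ($report as $path => $mode) {
    echo "$mode  $path\n";   // e.g. "0777  /tmp/perm_demo_.../inc/config.php"
}
```

Point `world_writable()` at a real document root (run as a user that can stat everything under it) and it reports only `inc/config.php` in the fixture above. A file that shows up here is exposed to any account on the box, including whatever a compromised script runs as, regardless of how nginx or PHP are configured.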