Topic awaiting preservation: Santy. $Pages that link to <a href="https://ozoneasylum.com/backlink?for=24518" title="Pages that link to Topic awaiting preservation: Santy." rel="nofollow" >Topic awaiting preservation: Santy.\$

Author	Thread
Karl Bipolar (III) Inmate From: Phoenix Insane since: Jul 2001	posted 12-28-2004 15:29 Just jumped over to the assylum to make sure it was still up! http://news.com.com/Google+worm+targets+AOL,+Yahoo/2100-7349_3-5504769.html
DL-44 Maniac (V) Inmate From: under the bed Insane since: Feb 2000	posted 12-28-2004 15:36 makes you appreciate TP's work all the more =)
Tyberius Prime Paranoid (IV) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 12-28-2004 16:11 yeah. So far no automated spam, and certainly no global virus attack. There are things to be said for having your own, custom solution.
Emperor Maniac (V) Inmate From: Cell 53, East Wing Insane since: Jul 2001	posted 12-28-2004 20:47 It gets worse: quote: New Santy.e worm to affect many more sites Posted on : 2004-12-28\| Author : Giri. S. J\| News Category : Technology A new version of Santy worm has appeared over the weekend. Dubbed as Santy.e, it poses a broader threat than its ancestors, which used Google to spot vulnerable web bulletin boards, then defaced them. Santy.e - rather than targeting only those websites running phpBB (software for creating Internet forums using the PHP scripting language) ? has the potential to exploit any site that's left allowed arbitrary file inclusion into PHP scripts. Experts said they have already received reports of websites attacked by infected systems, and that some servers have been compromised or dramatically slowed down as their loads climbed under constant probing. Like earlier Santy variations, Santy.e uses Google to identify exploitable web pages written in PHP which use the vulnerable functions "include()" and "require()". Santy.e, learning lesson from past wherein Google was quick in blocking the previous versions of Santy, also throws Yahoo's and AOL's search engines into a mix. However, F-Secure - anti-virus firm ? has downplayed the threat, saying these latest variants haven't got out of control. The Finnish firm credited Brazilian group suspected of being behind the attack is using a relatively small number of PCs in the bot network that's searching for vulnerable sites and then launching attacks on those it finds. The firm said the vulnerability lies in poor programming techniques rather than a code bug, and securing sites against the Santy.e exploit may be time-consuming, and require rewriting scripts with the include() and require() functions. It may be noted that the Santy worm and its variants affect only targeted bulletin board sites and do not pose a threat to web surfers who visit them. http://www.earthtimes.org/articles/show/1011.html Luckily as it lies in poor programming techniques the Asylum should be safe. The GN is down though - hopefully a coincidence ___________________ Emps The Emperor dot org \| Justice for Pat Richard \| FAQs: Emperor \| Site Reviews \| Reception Room if I went 'round saying I was an Emperor just because some moistened bint had lobbed a scimitar at me, they'd put me away!
Rinswind 2th Maniac (V) Inmate From: Den Haag: The Royal Residence Insane since: Jul 2000	posted 12-29-2004 11:21 GN is up and running at the moment...just checked ------------------------------ Support Justice for Pat Richard
Suho1004 Maniac (V) Mad Librarian From: Seoul, Korea Insane since: Apr 2002	posted 12-29-2004 12:55 I really wish people would write in English. Could someone explain to me what this means: "has the potential to exploit any site that's left allowed arbitrary file inclusion into PHP scripts." I'm guessing that it exploits PHP scripts that allow unverified file includes. Am I close? ___________________________ Suho: www.liminality.org \| Cell 270 \| Sig Rotator \| the Fellowship of Sup \| "Hooray for linguistic idiots and yak milk!"
Tyberius Prime Paranoid (IV) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 12-29-2004 13:48 basically anything that does a variant of include ($someVar), where $someVar could be coming from 'outside'. Bonus points if you have the url-to-file-wrapper on and the attacker can include code coming from his own server.
DL-44 Maniac (V) Inmate From: under the bed Insane since: Feb 2000	posted 12-29-2004 15:34 So just to make sure I'm understanding - simply using include() or require() isn't the problem, but specifying something other than a hard-coded path as the include might be?
Tyberius Prime Paranoid (IV) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 12-29-2004 16:05 indeed. Specifing anything that can be overwritten from the outside in an php->include or a php->require (or their _once equivalents) is a security risk.
bitdamaged Maniac (V) Mad Scientist From: 100101010011 <-- right about here Insane since: Mar 2000	posted 12-29-2004 17:29 The path doesn't necessarily have to be hard coded. But it needs to be validated before used. For example you don't want a page called like this: http://wherever.com/index.php?page=something where you have this code. include("/myfiles/php/$page"); instead do something like so: if ( $page == "something") include ("/myfiles/php/something"); .:[ Never resist a perfect moment ]:.
DL-44 Maniac (V) Inmate From: under the bed Insane since: Feb 2000	posted 12-29-2004 17:56 ok, good. thanks for the clarification.
Suho1004 Maniac (V) Mad Librarian From: Seoul, Korea Insane since: Apr 2002	posted 12-30-2004 05:41 Yes, thank you. That's what I was thinking as well, but the article Emps linked to above was painfully obtuse on the point. ___________________________ Suho: www.liminality.org \| Cell 270 \| Sig Rotator \| the Fellowship of Sup \| "Hooray for linguistic idiots and yak milk!"

Topic awaiting preservation: Santy.\$

Author

Thread

Karl
Bipolar (III) Inmate

From: Phoenix
Insane since: Jul 2001

posted 12-28-2004 15:29

Just jumped over to the assylum to make sure it was still up!

http://news.com.com/Google+worm+targets+AOL,+Yahoo/2100-7349_3-5504769.html

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 12-28-2004 15:36

makes you appreciate TP's work all the more =)

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 12-28-2004 16:11

yeah. So far no automated spam, and certainly no global virus attack.
There are things to be said for having your own, custom solution.

Emperor
Maniac (V) Inmate

From: Cell 53, East Wing
Insane since: Jul 2001

posted 12-28-2004 20:47

It gets worse:

quote:
New Santy.e worm to affect many more sites
Posted on : 2004-12-28| Author : Giri. S. J| News Category : Technology

A new version of Santy worm has appeared over the weekend. Dubbed as Santy.e, it poses a broader threat than its ancestors, which used Google to spot vulnerable web bulletin boards, then defaced them.

Santy.e - rather than targeting only those websites running phpBB (software for creating Internet forums using the PHP scripting language) ? has the potential to exploit any site that's left allowed arbitrary file inclusion into PHP scripts.

Experts said they have already received reports of websites attacked by infected systems, and that some servers have been compromised or dramatically slowed down as their loads climbed under constant probing.

Like earlier Santy variations, Santy.e uses Google to identify exploitable web pages written in PHP which use the vulnerable functions "include()" and "require()". Santy.e, learning lesson from past wherein Google was quick in blocking the previous versions of Santy, also throws Yahoo's and AOL's search engines into a mix.

However, F-Secure - anti-virus firm ? has downplayed the threat, saying these latest variants haven't got out of control. The Finnish firm credited Brazilian group suspected of being behind the attack is using a relatively small number of PCs in the bot network that's searching for vulnerable sites and then launching attacks on those it finds.

The firm said the vulnerability lies in poor programming techniques rather than a code bug, and securing sites against the Santy.e exploit may be time-consuming, and require rewriting scripts with the include() and require() functions.

It may be noted that the Santy worm and its variants affect only targeted bulletin board sites and do not pose a threat to web surfers who visit them.

http://www.earthtimes.org/articles/show/1011.html

Luckily as it lies in poor programming techniques the Asylum should be safe.

The GN is down though - hopefully a coincidence

___________________
Emps

The Emperor dot org | Justice for Pat Richard | FAQs: Emperor | Site Reviews | Reception Room

if I went 'round saying I was an Emperor just because some moistened bint had lobbed a scimitar at me, they'd put me away!

Rinswind 2th
Maniac (V) Inmate

From: Den Haag: The Royal Residence
Insane since: Jul 2000

posted 12-29-2004 11:21

GN is up and running at the moment...just checked

------------------------------
Support Justice for Pat Richard

Suho1004
Maniac (V) Mad Librarian

From: Seoul, Korea
Insane since: Apr 2002

posted 12-29-2004 12:55

I really wish people would write in English. Could someone explain to me what this means: "has the potential to exploit any site that's left allowed arbitrary file inclusion into PHP scripts."

I'm guessing that it exploits PHP scripts that allow unverified file includes. Am I close?

___________________________
Suho: www.liminality.org | Cell 270 | Sig Rotator | the Fellowship of Sup | "Hooray for linguistic idiots and yak milk!"

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 12-29-2004 13:48

basically anything that does a variant of include ($someVar), where $someVar could be coming from 'outside'. Bonus points if you have the url-to-file-wrapper on and the attacker can include code coming from his own server.

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 12-29-2004 15:34

So just to make sure I'm understanding - simply using include() or require() isn't the problem, but specifying something other than a hard-coded path as the include might be?

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 12-29-2004 16:05

indeed. Specifing anything that can be overwritten from the outside in an php->include or a php->require (or their _once equivalents) is a security risk.

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 12-29-2004 17:29

The path doesn't necessarily have to be hard coded. But it needs to be validated before used. For example you don't want a page called like this:

http://wherever.com/index.php?page=something

where you have this code.

include("/myfiles/php/$page");

instead do something like so:

if ( $page == "something") include ("/myfiles/php/something");

.:[ Never resist a perfect moment ]:.

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 12-29-2004 17:56

ok, good.

thanks for the clarification.

Suho1004
Maniac (V) Mad Librarian

From: Seoul, Korea
Insane since: Apr 2002

posted 12-30-2004 05:41

Yes, thank you. That's what I was thinking as well, but the article Emps linked to above was painfully obtuse on the point.

___________________________
Suho: www.liminality.org | Cell 270 | Sig Rotator | the Fellowship of Sup | "Hooray for linguistic idiots and yak milk!"