
Some questions on php configuration leaks & future of web security/hacking

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Sat Sep 03, 2011 5:50 am

First, let me post my question on PHP configuration leaks.

I am a learner in web-application hacking.
I have seen some sites leaking their PHP configurations; I have seen things like this:
  Code:
http://www.target1.com/phpinfo.php
http://www.target1.com/php.ini
http://www.target1.com//htacess.txt


I just found these sites via Google dorks. Also, the web server is a shared web server; the configuration leak via one website poses a danger to all the sites (almost 170 websites on it).

It made me think like this:

1.1) By leaking these sensitive PHP configurations, what kind of dangers will the web server face?

1.2) Do you rate this as a major bug or a minor bug?

1.3) Also, by having these sensitive configurations, is it possible for an attacker to gain a shell on the web server?

1.4) I have read that most of the security configuration is placed in the .htaccess file. Is it possible for the attacker to attack/modify the .htaccess configuration?

1.5) What are the possible attacks that can be done on a .htaccess file?

____________________________________________________________________
2)

I have started thinking about the future of web-application hacking, because after seeing some things it made me think like this.

I am just a beginner in web-application security/hacking. I have started to read about many, many types of web-application attacks, especially from the OWASP site and some other sites.

And I checked sites like 1337day and exploit-db and some other exploit sites for those vulnerabilities.

Say, for HTTP response splitting, the last exploit was published 1 year ago;
say, for RFI/LFI bugs, the last exploit was published 3-4 months ago.
It seems RFI/LFI is dying fast; I think it will disappear soon.
The types of exploits we are actively seeing are XSS, SQLi, file upload bugs, RCE, command injection, CSRF and a few others.

Also, I have started to hear that the same will happen to SQLi and XSS in a very few years.

Nowadays it seems the standard of web-application development is becoming higher, and they are making the hacker's job tougher.

2.1) What do you guys feel about this?

2.2) Do you think XSS and SQLi will die, or will become an uncommon type of exploit (i.e. like the XST attack of today), in a few years?

2.3) Do you think any new breed of attacks will be born in the future?

2.4) And as a beginner in web-app hacking/security, this has really started to worry me. How can I prepare myself so that I can overcome these challenges in the future, in order to have a good and successful career in web-application security/hacking?
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat Sep 03, 2011 11:32 am

o/ manoj  ;D


1.1) Exposing the PHP configuration will enable hackers to gain information that may aid them in, but is not limited to: privilege escalation, uploading files (by using the exposed information), getting detailed information about vulnerable plugins (rare), seeing disabled functions and classes (useful when many functions are disabled), etc.

1.2) Minor bug when it's phpinfo(); and php.ini - It should be fixed though!  ;D

1.3) Not alone; the attacker(s) need an entry point. If there's no user input available at all, and the server is "secure", the information leaked / exposed will do little good at the current time. (Later on, it could prove useful, but it may also change.)

1.4) Incorrect. HTAccess files are mostly used for SEO nowadays, and custom 404 pages, along with, of course, directories that require a user and password. HTAccess can also control which files are executed as what. I saw a backdoor not long ago that made .lol (a file extension) become executed as .php. This requires code execution on the server already, of course. .htaccess files are and shouldn't be readable directly via the website either. (The webserver should return a 403 forbidden error.)

1.5) Please refer to 1.4, as there are no "direct" attacks on .htaccess files. All you can do if you have access to the server, as in code execution, is to alter it if you have user privileges to do this.

--------------------------------------------------------

2.1) Good and bad.
Good: They're secure from the bad guys.
Bad: If they become too good, we lose our jobs  ;D (What a dilemma? Even though, isn't it our goal to create a perfect Internet with no security holes, if it was possible? But then again, some infosec people are only in it for the money. If everything was 100% secure, though it is not possible, as we're humans and we make errors, I would probably find another hobby such as engineering.)

2.2) It might; it depends on whether the developers of the applications are getting smarter, but also receive the education to write proper code.

2.3) Yes, we've already seen Clickjacking, and many other types of jacking in recent years. Along with CSRF attacks too, and so forth. The breed of new attacks also relies on how web applications evolve, along with their programming languages and the developers behind them. (And of course, the hackers researching the security.)

2.4) Read the Web Application Hacker's Handbook vol. II (2), it should be out soon  :) Besides that, I'd recommend all the other things I've recommended you already, though not visible in this post.  :)
I'm an InterN0T'er
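A defender-side check for the handler remapping described in 1.4, as an added example that is not part of the original thread: it scans the text of an .htaccess file for directives that send unexpected extensions (such as the `.lol` case) to the PHP handler. The sample file, the function name and the list of expected extensions are assumptions made for the example.

```python
import re

# Handler or MIME names containing "php", e.g. application/x-httpd-php.
PHP_TARGET = re.compile(r"php", re.IGNORECASE)
# Extensions expected to run as PHP on this server (assumption; adjust locally).
EXPECTED_EXTS = {"php", "phtml", "php5", "php7"}

# Constructed sample, not taken from a real site.
SAMPLE = """\
RewriteEngine On
ErrorDocument 404 /notfound.html
AddType application/x-httpd-php .php .lol
<FilesMatch "\\.jpg$">
    SetHandler application/x-httpd-php
</FilesMatch>
AddType image/svg+xml .svg
"""

def audit_htaccess(text):
    """Return (line_no, directive, detail) for PHP handler mappings to review."""
    findings = []
    scope = None  # pattern of the enclosing <Files>/<FilesMatch> block, if any
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(Files|FilesMatch)\s+(.+?)>$", line, re.IGNORECASE)
        if opened:
            scope = opened.group(2).strip('"')
            continue
        if re.match(r"</(Files|FilesMatch)>$", line, re.IGNORECASE):
            scope = None
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name in ("addtype", "addhandler") and len(args) >= 2:
            # AddType/AddHandler <type-or-handler> <ext> [<ext> ...]
            odd = [e for e in args[1:] if e.lstrip(".").lower() not in EXPECTED_EXTS]
            if PHP_TARGET.search(args[0]) and odd:
                findings.append((no, parts[0], "extensions " + " ".join(odd)))
        elif name in ("sethandler", "forcetype") and args:
            # SetHandler/ForceType apply to every file in scope, whatever its name
            if PHP_TARGET.search(args[0]):
                findings.append((no, parts[0], "applies to " + (scope or "whole directory")))
    return findings

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE):
        print(finding)
```

Run against every .htaccess under the web root, a hit on a file that the site owner did not write is a sign that someone already had write access, which matches the point that this technique needs code execution first.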
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat Sep 03, 2011 11:46 am

I forgot to say... that everyone should take a look at this too:
https://www.owasp.org/index.php/PHP_Top_5

In case they're into PHP Web Application Security  :) It's well written, and contains many good facts.

Update:
It looks like this very well written article does not describe remote code execution (RCE) vulnerabilities within regular expressions though. Some types of regex, with the 'e' (evaluate as PHP code) flag set, can also result in remote code execution.
Last edited by MaXe on Sat Sep 03, 2011 11:50 am, edited 1 time in total.
I'm an InterN0T'er
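A code-review aid for the 'e' flag mentioned in the update above, as an added example that is not part of the original thread: it lists `preg_replace()` calls in PHP source whose pattern literal carries the `e` modifier. The sample source and the function names are constructed for the example, and patterns passed in variables are not covered.

```python
import re

# preg_replace( followed by a quoted string literal as the first argument.
CALL = re.compile(r"""\b(preg_replace)\s*\(\s*(['"])((?:\\.|(?!\2).)*)\2""", re.DOTALL)
# PCRE patterns may use bracket pairs as delimiters instead of one repeated character.
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}

# Constructed sample, not taken from a real application.
SAMPLE = r"""<?php
// template helpers
$a = preg_replace('/\s+/', ' ', $input);
$b = preg_replace("/\[b\](.*?)\[\/b\]/ie", "strtoupper('\\1')", $input);
$c = preg_replace('#<(\w+)>#', '[$1]', $input);
$d = preg_replace('~{(\w+)}~e', '$vars["\1"]', $tpl);
"""

def pattern_modifiers(literal):
    """Return the modifier letters after the closing delimiter of a PCRE literal."""
    literal = literal.lstrip()
    if not literal:
        return ""
    close = CLOSERS.get(literal[0], literal[0])
    end = literal.rfind(close)
    return literal[end + 1:] if end > 0 else ""

def find_eval_modifier(php_source):
    """Return (line_no, function, pattern) for calls whose pattern has the 'e' modifier."""
    hits = []
    for m in CALL.finditer(php_source):
        func, literal = m.group(1), m.group(3)
        if "e" in pattern_modifiers(literal):
            line_no = php_source.count("\n", 0, m.start()) + 1
            hits.append((line_no, func, literal))
    return hits

if __name__ == "__main__":
    for hit in find_eval_modifier(SAMPLE):
        print(hit)
```

The `e` modifier was deprecated in PHP 5.5 and removed in PHP 7.0, with `preg_replace_callback()` as the replacement, so hits matter mainly when reviewing legacy code.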
manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Sat Sep 03, 2011 11:57 am

Thanks MaXe. It seems that unless an attacker finds a critical bug, this configuration exposure should not pose much risk to the particular target. But what I was thinking was: if one of the websites hosted on a target server has the configuration leak, and another site on the shared server has a bug through which an attacker can obtain a shell, then this issue will become HOT...

I also asked these same questions on some other boards, and what people told me was "SQL won't completely die like the other breeds of attacks, as we are not going to abolish the use of databases in the next generation", and regarding XSS they said "XSS has not been seen as a very serious threat by the web-browser developers, so in the future this kind of attack may be reduced, but it won't die like the other attacks".

And yeah, I am still following all of your advice; that is why lots of questions are popping up in my head daily :)


And I am not sure about the development field, but I would definitely like to ask you this:
secure programmers vs. traditional programmers,
even though programmers on both sides are knowledgeable,
who is developing most of the vendor-specific web applications that we are using today?

And thanks for answering me, MaXe :) I've got a lot more to ask you :)
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat Sep 03, 2011 12:03 pm

Security programmers are often in over big web applications that are sold on a massive scale, while traditional programmers not very skilled within information security, often write custom web applications for companies, etc.

At least, that is what I've personally seen and it's hard to say for sure, as it is not a fact.  :)
I'm an InterN0T'er
janjensen

Post Thu Sep 15, 2011 5:10 am

Or they make fixes without testing it  ;D
