Website vulnerability?
Posted: Sun Dec 21, 2014 9:59 pm
by netmaestro
I show you a picture of some PB code and the debugged results from running it:
The GET request contains errors. If you place a "0" after Content-Length: it will work fine, however that's not what I'm concerned about. I was under the impression that there's no way for someone to read your php code because it gets sent to the php server for processing and all that shows in the page is html code and whatever your php script echoes. But here my host is showing my php code to the world! That's a matter of concern to me as I could have put an encryption key in there or some other private thing, thinking the world can't get at it. Am I wrong? Or does my host have a weakness here?
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 1:23 am
by Thunder93
Looks like you're missing the 404 error page. Correct this and I think it'll resolve php contents from being shown.
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 1:37 am
by netmaestro
No, there's a 404.shtml document there and it has this code:
Code:
<html>
<head>
<title>404 Error - Document Not Found</title>
</head>
<body>
<h1>404 - Document Not Found</h1>
<p>
<blockquote>
The requested object or URL, <b><!--#echo var="REDIRECT_URL"--></b>
was not found on this server.<P>
The link you followed is either outdated, inaccurate, or the server has been
instructed not to let you have it.<P>
Please inform the administrator of the referring page,
<a href="<!--#echo var="HTTP_REFERER"-->"><!--#echo var="HTTP_REFERER"--></a>.
</blockquote>
</body>
</html>
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 2:00 am
by Thunder93
Tested your example code. It didn't reveal the same experience.
.. Oops I've reproduced it.
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 2:02 am
by netmaestro
It's still showing the world my php code here. I did notice that out of 10 to 15 runs it would not show the code maybe once or twice. I tried editing the echo directives out of the 404 page in case it was grabbing the wrong thing but no luck.
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 2:05 am
by Thunder93
Right. Hmmm weird.
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 2:19 am
by Thunder93
Try changing the whatsmyip.php contents to:
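Code:
<?php
// Prefer the proxy-supplied address when the header is present.
// !empty() avoids an undefined-index notice when it is not set.
// Note: X-Forwarded-For is sent by the client and can be spoofed.
if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
    $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
} else {
    $ip = $_SERVER["REMOTE_ADDR"];
}
// Encode before echoing, since the header value is client-controlled.
echo "[" . htmlspecialchars($ip, ENT_QUOTES, "UTF-8") . "]";
?>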
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 2:30 am
by Thunder93
Try temporarily disabling that 404 error page. I think something weird is coming from processing 404 error page.
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 2:33 am
by netmaestro
I changed the php code to remove all the html, no change. I deleted the 404.shtml page, no change. I have a support ticket in at my host, I'm waiting to see what they have to say.
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 2:38 am
by Thunder93
Good that you created a support ticket with your hosting service. Because that can be a big issue as you know.
I've repeatedly tested your code on another service hosting that file, and I can't reproduce the same experience.
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 2:48 am
by Vera
Unfortunately I can still, even after the changes, confirm netmaestro's results and already received the php contents with space 41200.
Doing the same with hex0rs' address I also get the note about 'HTTP/1.0 413 Request Entity Too Large', whereas using '0' behind Content-Length it returns a 'HTTP/1.1 404 Not Found'.
Re: Website vulnerability?
Posted: Mon Dec 22, 2014 7:39 am
by netmaestro
Got it solved with the help of my host's tech support. The problem was that my .htaccess file didn't specify documents to show for client errors. So I made a generic error page with html and uploaded it, then I put an ErrorDocument line in .htaccess for every possible 400-series error and pointed to the generic page. Now it never dumps my php script.
A big thank you to all who helped and showed concern, it's appreciated.
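Added example, not part of the original thread and not netmaestro's actual files: a small Python check that generates the ErrorDocument lines described in the last post and flags a raw HTTP response whose body still contains PHP source. The error page path /error.html, the list of status codes (the HTTP/1.1 client errors 400 to 417) and both sample responses are assumptions constructed for illustration.

```python
import re

# Hypothetical path of the generic error page (the thread does not name it).
ERROR_PAGE = "/error.html"

def errordocument_lines(page=ERROR_PAGE):
    """One Apache ErrorDocument directive per HTTP/1.1 client error (400-417)."""
    return [f"ErrorDocument {code} {page}" for code in range(400, 418)]

# PHP open tags must never reach a client when the script is being executed.
PHP_SOURCE = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def parse_response(raw):
    """Split a raw HTTP response into (status_code, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].split()
    return int(status_line[1]), body

def leaks_php_source(raw):
    """True if the response body contains unexecuted PHP source."""
    _, body = parse_response(raw)
    return bool(PHP_SOURCE.search(body))

# Constructed sample responses: the symptom from the thread (script source
# returned on a client error) and the behaviour after the fix.
LEAKY = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
         b"<?php\n$ip = $_SERVER[\"REMOTE_ADDR\"];\necho \"[\".$ip.\"]\";\n?>")
FIXED = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body><h1>Request could not be processed</h1></body></html>")

if __name__ == "__main__":
    print("\n".join(errordocument_lines()))
    for name, raw in (("before fix", LEAKY), ("after fix", FIXED)):
        status, _ = parse_response(raw)
        verdict = "PHP SOURCE LEAKED" if leaks_php_source(raw) else "ok"
        print(f"{name}: HTTP {status} -> {verdict}")
```

The same leaks_php_source() check can be run over responses captured from your own site after any .htaccess change, including responses to malformed requests.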
