PHP code injection. Do we have a security risk?
https://stackoverflow.com/questions/6343841
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianPergunta
We have a simple php file that captures emails. It drops these emails into a csv file (which is not executable by php). We recently had someone who managed to hack our site and this seemed like one of the entry points, but I don't see how it's possible. Here's the script:
$fh = fopen('cap.csv', 'a+');
fwrite($fh, "\r".$_GET['email']);
fclose($fh);
Pretty basic right? Is there anyway you can think of to exploit this?
Solução
Yes, but probably not what you are looking for.
The only things I could do are:
- Add anything to your file, append only.
- (optional/bonus) Open the file directly if you haven't secured it and steal all e-mail addresses.
It won't allow me to execute anything, or gain access to anything though. (Unless you process it and cause an leak somewhere else). But still - make this secure!
Outras dicas
The code you have shown us can only be used to put anything in the csv file (I assume you don't verify/validate the $_GET['email'] variable), but you can't inject and execute PHP code that way.
Maybe you have a script that works on the csv file which got exploited.
The only thing I can think of right now for the given code is a NullByte attack vector (though I'm not sure they work in current versions of PHP anymore or even apply to your code). Since you are using $_GET, any attack via the eMail param should be visible in your server's log files.
Check your Log files for any suspicious email strings, e.g. something like
http://example.com?email=foo\0somethingmalicious
and similar things.
The code you posted suggests that you do not much sanitization on the input data. So it's likely that you have similar issues in other parts of the software.
Next to that even if you don't execute the csv file within your application, it is possible to inject PHP code therein.
So if there is another hole in the application that does not properly check input data and that could be exploited to include files on the server and then include that csv file in question, remote code execution is possible.
