[Info-vax] Using VMS for a web server

Bill Gunshannon bill at server3.cs.uofs.edu
Wed Jun 10 08:21:10 EDT 2015 

In article <ml80jl$cg1$1 at dont-email.me>,
	Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
> On 2015-06-09, Jan-Erik Soderholm <jan-erik.soderholm at telia.com> wrote:
>>
>> OK. That needs a script called wawalo.php already beeing on the server
>> in a directory where the server can execute it. The exploit is realy
>> to be able to upload the wawalo.php file in the first place.
>>
> 
> Actually what I read it as was that a PHP script installed for a
> legitimate purpose on the server (as part of, say, a PHP application)
> had a vulnerability which allowed attacker controlled commands to
> be executed.

I have seen no limitation on what script was used.  I feel fairly
certain that the professors who wrote some of them (including one
with lots of experience both writting and teaching PHP Web Scripting)
aren't putting backdoors in their scripts.  Now, the Word Press stuff
is more problematic.  Students grab this stuff off the web and just
install it so they can have "A Blog".  I would never trust it.  But,
as I said (and demonstrated) it really doesn't seem to matter what
script is being called.  Thus, I suspect this is a behaviour of the
interpreter.

No, I have  not tried to do any of this myself and am very unlikely
to bother.  I prevented it here and that was my job.  I'm not a hacker
and I have no desire to do this myself.

> 
>> If you have a server setup where someone can both upload a random
>> file and then also execute that file just like that frm the same
>> directory, you have a severe problem.
>>
>> Now, is this a "hole in PHP"? Or could the same thing be done
>> using any tool that can take an input parameter and execute it?
>>
> 
> In this case, I think I would class this as a PHP application
> vulnerability and not a PHP vulnerability itself.

Except that it appears to work with any random PHP script.  At least
it did here.  Yes, when first discovered, the attempts were successful.
I had to find and clean out all the silly little files that were left
behind.  I have also seen it used as a method to move WAREZ. 

> 
> However, speaking as someone who has actually written PHP code, the
> negative reputation the language itself has in some quarters is well
> justified.
> 

I prefer to do my programming in real languages.  I can think of
nothing any of these half-assed scripting languages can do that
can't be done better (and safer) in a real language.  Heck, when
one of the PHP scripts for the High School Programming Contest
web page broke and the professor in charge of the contest and his
grad student worker bees couldn't fix it after 5 days of trying
(actually, the language is so obfuscated they couldn't even figure
out why it had stopped working!) I wrote a replacement in Bourne
Shell in about 15 minutes and another version in COBOL in 30 minutes. :-)

bill

-- 
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999 at cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include <std.disclaimer.h>

More information about the Info-vax mailing list