
Hacking blogs through comments?

Someone is apparently attempting to hack blogs through their comment-posting feature.. (and a really poor and misguided attempt at that)

In this entry.. this is the code he attempted to execute:

xxx<?php readfile("/etc/passwd") ?>xxx

Apparently he attempted the same thing on Ask's blog since he came to my site through a comment I posted there.

Since he's so nice as to try and get my /etc/passwd file, I might as well be nice and post his IP address, 63.89.29.6, which is in a block owned by Lally, Mcfarland & Pantello, who have a really hideous website.. (they own the whole class C 63.89.29.0.. someone playing at work?)

Someone tell this guy MT is not PHP.. but even if it were PHP (of which I know next to nothing).. would it really be *this easy* to get the passwd file? I really don't think so.. but I could be wrong..

Okay, after further reading, apparently it is that easy to get the passwd file using PHP unless it's run in safe mode.

Comments

They seem to be an advertising agency in New York:

Lally, McFarland & Pantello/ EURO RSCG

200 Madison Avenue
New York, NY 10016
(212) 532-1000
(212) 213-0449 Fax

Another reason that I use the MTCleanHTML Plugin (http://www.decafbad.com/twiki/bin/view/Main/MTCleanHTMLPlugin). I've seen weird random-looking stuff show up in comments myself. Not that exact one but others.

Actually, yes, it really is that easy if you do two things, which MANY MT bloggers do.

You have to have comments included inline with your posts (as you do on your individual archive pages) and you have to tell MT to use a ".php" extension (which many do, including me, in order to add additional functionality that MT does not provide). With these two situations in place, and no preventative measures installed (like the MTCleanHTML plugin mentioned by another commenter) it would be *THAT* easy to get the /etc/password file, or execute any PHP script.

It's not really MT's fault... it's the fault of those who enable such things without thinking. The user who left this comment in your blog was either stupid, because he didn't look for the .php extension, or smart because he realizes that even files with an extension of ".html" can be parsed by PHP if the server operator sets it up that way.

I lean towards the "stupid" since he didn't bother to query my server to see that I don't run mod_php..

Thanks for the info! I had no idea it was that easy..

It's not only PHP-enabled servers that are vulnerable - all kinds of server-parsed code are vulnerable to this attack, including SSI, which a lot of Apache servers allow by default - imagine something like:
< ! -- #include virtual="/etc/passwd" -- >
(I've added a few spaces to avoid attacking Kasia's blog). It's common sense to always validate your input, so I highly recommend that any MT users who allow HTML in comments install something like http://www.bradchoate.com/past/mtsanitize.php
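The two comments above describe the same root cause: comment text is written into a page that the server later parses (as PHP or as SSI), so anything that looks like a PHP tag or an SSI directive is executed instead of displayed. The fix the sanitize plugins apply is to rebuild the comment from a small whitelist of tags and escape everything else. This is an added illustration in Python, not the code of MT (which is Perl), MTCleanHTML or MTSanitize; the tag and attribute whitelists are assumed and the sample comments are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Assumed whitelist: the only markup a comment may keep.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}


class CommentSanitizer(HTMLParser):
    """Rebuild comment HTML from the whitelist only.

    PHP tags (<?php ... ?>) arrive as processing instructions and SSI
    directives (<!--#include ... -->) as comments; both are dropped, and all
    remaining text is re-escaped, so nothing reaches the page unparsed.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: dropped, its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # event handlers and other attributes never survive
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue  # only plain web links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):  # <!--#include virtual=... --> lands here
        pass

    def handle_pi(self, data):  # <?php readfile(...) ?> lands here
        pass


def sanitize_comment(raw: str) -> str:
    """Return the comment as HTML that is safe to inline in a parsed page."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

Fed the constructed comment `xxx<?php readfile("/etc/passwd") ?>xxx`, the function returns `xxxxxx`; the SSI include from the comment above returns an empty string.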

This is why I don't allow HTML in my comments. :) It's completely unnecessary and way more trouble than it's worth.

The technical stuff you're talking about, I'm clueless about, so I'll rely on you to keep my blog safe.
But you're right about the website: it's horrendous, way too many busy things going on.

Where's the original article?