PHP code injection. Do we have a security risk?
We have a simple php file that captures emails. It drops these emails into a csv file (which is not executable by php). We recently had someone who managed to hack our site and this seemed like one of the entry points, but I don't see how it's possible. Here's the script:
$fh = f开发者_JS百科open('cap.csv', 'a+');
fwrite($fh, "\r".$_GET['email']);
fclose($fh);
Pretty basic right? Is there anyway you can think of to exploit this?
Yes, but probably not what you are looking for.
The only things I could do are:
- Add anything to your file, append only.
- (optional/bonus) Open the file directly if you haven't secured it and steal all e-mail addresses.
It won't allow me to execute anything, or gain access to anything though. (Unless you process it and cause an leak somewhere else). But still - make this secure!
The code you have shown us can only be used to put anything in the csv file (I assume you don't verify/validate the $_GET['email']
variable), but you can't inject and execute PHP code that way.
Maybe you have a script that works on the csv file which got exploited.
The only thing I can think of right now for the given code is a NullByte attack vector (though I'm not sure they work in current versions of PHP anymore or even apply to your code). Since you are using $_GET, any attack via the eMail param should be visible in your server's log files.
Check your Log files for any suspicious email strings, e.g. something like
http://example.com?email=foo\0somethingmalicious
and similar things.
The code you posted suggests that you do not much sanitization on the input data. So it's likely that you have similar issues in other parts of the software.
Next to that even if you don't execute the csv file within your application, it is possible to inject PHP code therein.
So if there is another hole in the application that does not properly check input data and that could be exploited to include files on the server and then include that csv file in question, remote code execution is possible.
精彩评论