Representative line(s)



  • 2 lines, actually, but one just sets up the punch-line

           $foo_fat_id = '$_REQUEST[\'fatandgory'.$i.'\'];';
           eval( "\$foo_fat_id = $foo_fat_id;" );
    

    SVN blame says "root". Current SVN version is over 3500.



  • Who is this "root" hacker and how can we stop him? I noticed the other day that he's somehow started a ton of processes on my machine. I tried killing them, but I guess his hack-fu was better than mine because every single time he crashed the OS before I could get in there to delete the binaries.



  • 'Root' is someone who should not be given a login shell that resides on /usr, if /usr is mounted on a different filesystem on an old Solaris system.



  • @morbiuswilters said:

    Who is this "root" hacker and how can we stop him? I noticed the other day that he's somehow started a ton of processes on my machine. I tried killing them, but I guess his hack-fu was better than mine because every single time he crashed the OS before I could get in there to delete the binaries.

    Have you checked to see if he's even created an account on your machine? If so, best delete it quick, before he can do any further damage!

    On a side note: when an inexperienced admin asked how to resync the system clock in a chatroom, one of my friends typed "init 0" before I had a chance to answer. After she'd remotely brought the server back up again (our server) and blushed profusely, she admitted it was a good learning point.



  • @swiers said:

    eval( "$foo_fat_id = $foo_fat_id;" );
    My PHP is rusty, so just checking I've got this right. It sets the variable $foo_fat_id to the current value of $foo_fat_id?



  • Not quite. The eval expands to something like this:

    eval ( "$foo_fat_id = $_REQUEST['fatandgory1'];");

    Which is just as stupid.



  • I've heard of SQL injections, but it takes a truly amazing level of incompetence to be vulnerable to PHP injections.
    Edit: Disregard that, I need to pay more attention to where the literal strings are.



  • That's exactly what it is - a PHP injection vulnerability, wrapped up in a chunk of meaningless code that (aside from opening a huge security hole) only accomplishes what simple variable assignment already could.

    Via the PHP function "exec()", it's also a bash script injection vulnerability. I don't think PHP has the permissions to successfully do something like "exec(rm -rf)", but you could still do lots of damage with file commands, changing PHP ini values, etc. We considered playing a quick game of "burn the server" on our dev box to see if you could even destroy Apache or set up a spambot, but then decided to just update the code. For the more adventurous, it's out there in the wild as part of an open source package we used ... have fun!



  • @swiers said:

    That's exactly what it is - a PHP injection vulnerability, wrapped up in a chunk of meaningless code that (aside from opening a huge security hole) only accomplishes what simple variable assignment already could.

    I don't think it is a vulnerability (though it's certainly still stupid).
    Take for example $i = 1, $foo_fat_id = '$_REQUEST[\'fatandgory1\'];', which is a literal string which is not variable-expanded.
    The second line would then be:
    eval("\$foo_fat_id = $foo_fat_id;"), after variable expansion it becomes the literal
    eval('$foo_fat_id = $_REQUEST[\'fatandgory1\'];;')
    Which, aside from being utterly retarded, should only ever do a variable assignment.



  • @Salamander said:

    Take for example $i = 1, $foo_fat_id = '$_REQUEST[\'fatandgory1\'];', which is a literal string which is not variable-expanded.
    The second line would then be:
    eval("\$foo_fat_id = $foo_fat_id;"), after variable expansion it becomes the literal
    eval('$foo_fat_id = $_REQUEST[\'fatandgory1\'];;')
    Which, aside from being utterly retarded, should only ever do a variable assignment.
     

    So what is the bet that the line above this one is

    $i=$_REQUEST['i'];

    Which of course would allow this to display information: stupid.php?i='];phpinfo();//



  • I was kind of assuming that being called $i, it was some kind of an indexing variable that wasn't user-supplied. But yeah, if it isn't then that code is just waiting to catch on fire.



  • It is in fact an index variable, not a request value, yes. The root author didn't know you could use things like "fatandgory[]" as input names to produce an array of similar inputs in $_REQUEST, so they appended numbers to multiple similar input names (in a script-generated form) and then iterated over the name/number combos to do the form handling.

    (Honestly, I just learned that bit about param arrays myself, and it may not have been valid in older PHP versions.)

    So maybe it was just bad code, and not a server-devastating security threat? It was enough to give the lead dev the heebie-jeebies once he saw it, and was worth refactoring for readability in any case.



  • I don't have much to add to this discussion, other than I'm surprised that no one has pointed out TRWTF (the language, naturally). Instead, I feel compelled to point out an observation.

    Hey swiers, we totally had the same idea for an avatar! Jpeg artifact buddies forever!

    ~*~*~*~*~ ~*~*~*~*~



  • @swiers said:

    (Honestly, I just learned that bit about param arrays myself, and it may not have been valid in older PHP versions.)

    It's been in PHP for a very long time. It is a bit obscure, though. I really never found cases where it was useful, but YMMV.

    @swiers said:

    So maybe it was just bad code, and not a server-devastating security threat? It was enough to give the lead dev the heebie-jeebies once he saw it, and was worth refactoring for readability in any case.

    Any use of eval should be considered a severe bug. Even if it wasn't a security vulnerability this time, it easily could morph into one when somebody makes a change and doesn't realize the consequences. (Besides, it's just a fucking retarded use of eval.)



  • @Xyro said:

    Hey swiers, we totally had the same idea for an avatar! Jpeg artifact buddies forever!

    ~*~*~*~*~ ~*~*~*~*~

    Dammit, now I won't be able to tell you apart. Okay, I'll have to kill one of you to keep my forum experience from getting confusing. Which one of you is closer to me and/or more frail?



  • @morbiuswilters said:

    Dammit, now I won't be able to tell you apart. Okay, I'll have to kill one of you to keep my forum experience from getting confusing. Which one of you is closer to me and/or more frail?

    I'm not telling you until you kill nexekho.



  • @Xyro said:

    @morbiuswilters said:
    Dammit, now I won't be able to tell you apart. Okay, I'll have to kill one of you to keep my forum experience from getting confusing. Which one of you is closer to me and/or more frail?

    I'm not telling you until you kill nexekho.

    That's an homage to my greatness. Plus, it's easy to tell us apart.


    (I'm the one that looks like Nicolas Cage, right?)



  • @morbiuswilters said:

    @swiers said:
    (Honestly, I just learned that bit about param arrays myself, and it may not have been valid in older PHP versions.)

    It's been in PHP for a very long time. It is a bit obscure, though. I really never found cases where it was useful, but YMMV.

    I have found it useful when using web forms that have varying numbers of rows depending on how many of something there are. For example you might present someone with a feedback form with space for one comment for each product they bought. You don't know in advance how many comments there will be so you do something like "input name = comments[]" and it just adds it to an array (not sure of exact syntax but you get the idea).



  • @morbiuswilters said:

    Dammit, now I won't be able to tell you apart.
     

    The one is way blurrier.



  • @token_woman said:

    I have found it useful when using web forms that have varying numbers of rows depending on how many of something there are. For example you might present someone with a feedback form with space for one comment for each product they bought. You don't know in advance how many comments there will be so you do something like "input name = comments[]" and it just adds it to an array (not sure of exact syntax but you get the idea).

    Yeah, that's pretty much where I use it - a form with a variable number of similar elements. In my case it's usually because I'm setting up a form with a table where each row (of an unknown number of possible rows) reflects data from a DB record and I want the user to be able to edit some field(s) in each record. Happens a lot in the stuff I work on, when there's some sort of admin back end I'm hacking custom functionality into.

    That's exactly what was being done in the case where I encountered this WTF.



  • @token_woman said:

    I have found it useful when using web forms that have varying numbers of rows depending on how many of something there are. For example you might present someone with a feedback form with space for one comment for each product they bought. You don't know in advance how many comments there will be so you do something like "input name = comments[]" and it just adds it to an array (not sure of exact syntax but you get the idea).

    It's been a long time since I've done an actual form that wasn't JSON submitted over XmlHttpRequest. Still, I'd link each comment textarea to the ID of the product it refers to. You can still use the PHP array syntax for that, though: name="comments[" + id + "]".
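    An added example, not code from the thread or from the package it discusses: the per-row form handling that the thread's eval() loop performs, rewritten with the array-style input names that token_woman and dhromed describe. The field name "fatandgory", the record ids and the request contents are constructed for illustration; eval() is not used at all.

```php
<?php
// Added example (hypothetical field and record ids), not the thread's code.
// Emits one input per DB record, named field[<id>], so PHP collects them into
// $_REQUEST['field'] as an array keyed by record id.
function rowInput(string $field, int $id, string $current): string
{
    return sprintf(
        '<input type="text" name="%s[%d]" value="%s">',
        htmlspecialchars($field, ENT_QUOTES),
        $id,
        htmlspecialchars($current, ENT_QUOTES)
    );
}

// Reads the submitted rows back without any eval(): the request array is
// indexed directly, and every client-supplied key is validated before use.
function collectRowUpdates(array $request, string $field): array
{
    $rows = $request[$field] ?? [];
    if (!is_array($rows)) {
        return [];                      // scalar value: form was tampered with
    }
    $updates = [];
    foreach ($rows as $id => $value) {
        // Keys come from the client; accept only positive integer record ids.
        if (!preg_match('/^[1-9][0-9]*$/', (string) $id)) {
            continue;
        }
        if (!is_string($value)) {
            continue;                   // nested arrays (field[1][x]) are rejected
        }
        $updates[(int) $id] = trim($value);
    }
    return $updates;
}

// Constructed request, as PHP would populate it for inputs named
// fatandgory[17], fatandgory[42] and a tampered fatandgory[abc].
$_REQUEST = ['fatandgory' => [
    '17'  => ' updated note ',
    '42'  => 'another note',
    'abc' => 'ignored',
]];

echo rowInput('fatandgory', 17, 'current "note"'), "\n";
// Pass the collected values to the database only via parameterised queries.
foreach (collectRowUpdates($_REQUEST, 'fatandgory') as $id => $note) {
    printf("record %d -> %s\n", $id, $note);
}
```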



  • @dhromed said:

    @morbiuswilters said:

    Dammit, now I won't be able to tell you apart.
     

    The one is way blurrier.

    Yeah, but I don't look that closely at Avatars, especially ones that look so much like the default. Hell, the first few times you posted with your new avatar I had no idea it was you.



  • @morbiuswilters said:

    @dhromed said:

    @morbiuswilters said:

    Dammit, now I won't be able to tell you apart.
     

    The one is way blurrier.

    Yeah, but I don't look that closely at Avatars, especially ones that look so much like the default. Hell, the first few times you posted with your new avatar I had no idea it was you.
    I personally prefer dhromed's animated avatar where dhromed is stalking in the background of morbiuswilters' avatar.


  • @morbiuswilters said:

    Hell, the first few times you posted with your new avatar I had no idea it was you.
     

    I know, but that's a temporary transitional period.

    I agree that it takes more than a glance from the corner of one's eye, though.



  • @Anketam said:

    I personally prefer dhromed's animated avatar where dhromed is stalking in the background of morbiuswilters' avatar.
     

    Thanks. I had plans for a humping V2.0 where the avamorbius would suddenly cum, but I got lazy.

    In any case, CS doesn't allow animated avatars, and I hate animated avatars with the same passion I hate strongly animated banner ads. I hope you understand.



  • @dhromed said:

    @morbiuswilters said:
    Hell, the first few times you posted with your new avatar I had no idea it was you.
    I know, but that's a temporary transitional period.

    I agree that it takes more than a glance from the corner of one's eye, though.

    You think if I changed my avatar people would actually read my posts instead of knee-jerking replies about how wrong I am?



  • @blakeyrat said:

    You think if I changed my avatar people would actually read my posts instead of knee-jerking replies about how wrong I am?
     

    Funny you ask. I think yes.



  • Ok how's this? Better?



  • @blakeyrat said:

    Ok how's this? Better?

    Now instead of incorrectly thinking you're an armadillo, they'll just assume you're a passionate Scottish freedom fighter.



  • @dhromed said:

    ...and I hate animated avatars with the same passion I hate strongly animated banner ads.

    Everyone hates them. That's why it's funny to have one.


  • ♿ (Parody)

    @morbiuswilters said:

    @dhromed said:
    ...and I hate animated avatars with the same passion I hate strongly animated banner ads.

    Everyone hates them. That's why it's funny to have one.

    This seems like as good a spot as any to start the adblocker flame war for June.



  • @blakeyrat said:

    Ok how's this? Better?

    Ugh, 3D gives me headaches.



  • @Xyro said:

    Now instead of incorrectly thinking you're an armadillo, they'll just assume you're a passionate Scottish freedom fighter.

    Oh. Am I the only person here who uses a genuine photograph of themselves as their avatar? Kidding aside, my avatar genuinely is a photograph of me.



  • @Cad Delworth said:

    @Xyro said:
    Now instead of incorrectly thinking you're an armadillo, they'll just assume you're a passionate Scottish freedom fighter.

    Oh. Am I the only person here who uses a genuine photograph of themselves as their avatar? Kidding aside, my avatar genuinely is a photograph of me.

    Wait... are you telling me that there are people here whose avatar is not them? I need time to process this.



  • @Cad Delworth said:

    @Xyro said:
    Now instead of incorrectly thinking you're an armadillo, they'll just assume you're a passionate Scottish freedom fighter.

    Oh. Am I the only person here who uses a genuine photograph of themselves as their avatar? Kidding aside, my avatar genuinely is a photograph of me.

    You're a Narn from Babylon 5?



  • I bet it's one of those millimeter wave scanners. Sure it's a great avatar, but now he has testicular cancer.



  • @serguey123 said:

    Wait... are you telling me that are people here whose avatar is not them? I need time to process this.
    I don't know. My avatar is certainly a genuine photograph of me.



  • @Scarlet Manuka said:

    My avatar is certainly a genuine photograph of me.
     

    So is mine.



  • @dhromed said:

    @Scarlet Manuka said:

    My avatar is certainly a genuine photograph of me.
     

    So is mine.

    Mine too, but an old one. I've given up playing blurnsball now - I was really shit at it. Whole new swathe to cut with computing.



  • @dhromed said:

    @Scarlet Manuka said:

    My avatar is certainly a genuine photograph of me.
     

    So is mine.

    Why did all of you take these pictures facing the wrong way?



  • @Someone You Know said:

    Why did all of you take these pictures facing the wrong way?
    We are clearly facing the right way, what's wrong with you? Feel left out?



  • @token_woman said:

    @Someone You Know said:
    Why did all of you take these pictures facing the wrong way?
    We are clearly facing the right way, what's wrong with you? Feel left out?

    You only have one eye. How would you know?



  • @Someone You Know said:

    You only have one eye. How would you know?
     

    ERROR: Jokes have to make sense before funny!



  • @dhromed said:

    @Someone You Know said:

    You only have one eye. How would you know?
     

    ERROR: Jokes have to make sense before funny!


    That's what she said!



  •  @Someone You Know said:

    Why did all of you take these pictures facing the wrong way?
    OK I found TRWTF. There's one leftist here and *it's not me*.

    *facepalm*



  • @Someone You Know said:

    @dhromed said:

    @Someone You Know said:

    You only have one eye. How would you know?
     

    ERROR: Jokes have to make sense before funny!

    That's what she said!
     

    But not to me!

     

