onceagainloap — 2012-04-15T09:39:51-04:00 — #1
I am totally new to the security field.
I have a simple php script that tracks my users activities:
$conn_visits=mysql_connect($mysql_hostname,$mysql_username,$mysql_password) or die (mysql_error());
mysql_select_db($mysql_db) or die (mysql_error());
mysql_query("INSERT INTO `visits` (`id` ,`ip` ,`session`, `page`,`referer` ,`date`) VALUES ( '' , '$ip', '$sid','$page','$ref', CURRENT_TIMESTAMP)") or die (mysql_error());
mysql_close($conn_visits) or die (mysql_error());
I noticed that an user tried to load this page: /index.php?dir=../../../../../../../../../../../../..//proc/self/environ%0000
2012-04-15 07:34:26 22.214.171.124 c4ca4bf185f588f6b739952f4f6d15e9 /blog/2012/03/16/index.php?dir=../../../../../../../../../../../../..//proc/self/environ%0000
2012-04-15 07:34:22 126.96.36.199 b302b847e98edd619b0fd520b95ce69a /index.php?dir=../../../../../../../../../../../../..//proc/self/environ%0000
By googling I realised it was an attempt to view private sys informations, called "directory traversal attack".
My question is, can I prevent this by setting a mod_rewrite instruction to redirect to a given URL all URLs containing "../../"?
logic_earth — 2012-04-15T15:08:31-04:00 — #2
Actually what you should do is make sure that "?dir=../../../../../../../../../../../../..//proc/self/environ00" didn't work. Most likely it was just an automated bot probing your server. Doing some funky mod_rewrite stuff is not necessary.
Btw...you could dump the whole "track" user thing. The Web server should already be configured to log every single request for you. It is a lot more efficient letting the web server then constantly opening and closing a connection to the database.
onceagainloap — 2012-04-15T17:23:26-04:00 — #3
Thank you for reply, logic_earth.
The /proc/self/environ doesn't work, I checked by myself, maybe the mod_rewrite thing could be a "general" solution for that attack, but I repeat, I am totally new with these things, so my question is still active.
The point of php script is: the hosting service (~15$/year) doesn't show me apache logs and the site itself has poor traffic (5/10 users per day); I use that script mostly to check social networks and sites my users come from; keywords etc are tracked with google webmaster's tools
dklynn — 2012-05-12T22:57:58-04:00 — #4
Are you using Magic Quotes? Are they enabled (see your phpinfo() printout)? If they are, disable them ASAP!
Other than that, l_e's statement that $dir is doing nothing is valid so you can consider this to be a clumsy hack-attack by a "script kiddie."
Once you're past that, consider yourself lucky as you've opened yourself to SQL-injection attacks by not using the mysqli_real_escape_string on the values obtained as input (okay, I believe it's just the HTTP_REFERER in this case) which can be modified by the visitor to change the mysqli_query string to get sensitive data from the MySQL server. In other words, please read the first few posts of the Sticky on resources 'cause your PHP is simply NOT secure.
onceagainloap — 2012-05-14T05:49:35-04:00 — #5
Ok, thank you very much, nice to learn something new!