dev blog (archives)
You blew it [permalinked view]
You blew it!
Or should I say, "u fUxD Up!". I'm talking to all you so-called "hackerz" (aka. h4x0rZ) out there. Note I don't say "hackers", a group one should feel a swell of pride to be among. No, I mean those script-kiddies who trawl around the internet; teen vandals, looking for some place to dump their meaningless, pre-made web-hacks. You suck, the lot of you. And you still haven't managed to "hack" the org!When I was a kid, I mean your age, thirteen or so, we didn't have supercomputers and php, or any of that. We had, at best, an Apple ][, or maybe a BBC Micro, BASIC and assembler, and access to the school's (oh man! soo slow) modems. If you wanted to peek inside restricted stuff, you had to know your shit, which you simply don't.
Do you remember waaaay back, oh, over a year ago, I did a blog about how I was shoring up a couple of security "holes" in the site, and how there was one more hole that I knew about, but was gonna leave as-is, for now. Of course, I didn't say exactly what it was, which spoils all the fun. Oh, you don't read the devblog. Serves you right, then! Research, Boy!
The M.O. of these script-kiddies is to scan for available "common known vulnerabilities", or else just hit them all in the hope one might exist. These kinds of vulnerabilities are highly unlikely to occur here at corz.org, because I wrote the back-end myself, and it's anything but common.
However, most of the source is available for download, and even for pretty syntax-highlighted viewing online. I've made it as easy as possible for any reasonably intelligent person to find and exploit potential vulnerabilities; my logic being that this is the best way to get your code secure - users will complain, you see; send security notices. Only one so far, but still, that's the value of releasing your code - peer testing. But I'm straying..
Usually, it's semi-automated hits, looking for Microsoft IIs or Front Page security flaws. Considering I don't run Front Page (*eew*), and this is a Linux server, these individuals are clearly fools of the lowest order. vti what?
However, occasionally, a script-kiddie rises, just slightly, above the pack, and arrives here via some google search for a "potentially insecure web app", a much more logical approach. The usual target is, of course, upload.php.Now, me being a clever bastard, I'm not going to have the most sought after possibly-vulnerable script as my gaping security hole, am I ?!?
Yup. And for years, too. Okay, the upload area contains nothing but other uploads, but judging by the thousands of attempts to hack into there, I KNOW you wanted to see those files, but couldn't. I really thought someone might figure it out. Nope.
Hiding things in plain sight often works well, because most people don't actually look. Even though the highlighted source for upload.php is right there for viewing and downloading, still you missed it. You uploaded hundreds of index.php, quite a few index.html*, and all the rest if it, even though it's clear by glancing at the code of upload.php, that these things get a .txt extension added to them, and no way are they gonna parse as php!
I have a massive collection of interesting php $hell scripts, too, many in highly fascinating Eastern European languages. All converted to something.php.txt, and also never parsed by the server. Even if your scripts hadn't been neutered by the .txt extension, you couldn't get access to the private/ folder to run them.
I remember failed hacks of my youth, and I feel for you. Today, I realized that I need the upload script for something more important than improving my php shell scripts collection, and decided to finally fix the security hole; I've basically given up waiting for one of you h4x0rZ to get a working brain.
So, now you're fucked. You had you chance, and you blew it. And once you've wiped all that cum off your sleeve, you can kick yourself while I tell you what you had to do to "hack the site", at least get to all my golden uploads, was..
upload an .htaccess file
Easy when you know how!
;o)
(or
references:
This is always fun.. I used to keep a copy of the distro machine inside the upload area, set to secure mode (for no reason, other than to taunt script-kiddies), and of course, they would try to get in with a password. However, if you set you directory indexes to parse index.html before index.php, and someone uploads an index.html; something interesting happens..
index.html gets transformed to index.html.txt (by the upload script), Apache performs its indexing magic on the directory request, and index.html.txt becomes the default index for that directory! Loading the directory, then, gets the source for index.html.txt in the browser. So now they don't even have a crack at the password! You sometimes need to tweak you apache options to get it to work. If your upload area is important, and has an index of its own, this could easily be seen as a vulnerability, and you will want to specify an index file. More .htaccess details at the usual place.
** of course, I'm saying nothing about the REAL hacker, who came in, switched the .htaccess, grabbed all the files, including my distro machine, with current site admin password, then replaced the .htaccess with one remarkably similar to the original, leaving practically no trace of his activity. I don't mention it, because it probably never happened.
index.html gets transformed to index.html.txt (by the upload script), Apache performs its indexing magic on the directory request, and index.html.txt becomes the default index for that directory! Loading the directory, then, gets the source for index.html.txt in the browser. So now they don't even have a crack at the password! You sometimes need to tweak you apache options to get it to work. If your upload area is important, and has an index of its own, this could easily be seen as a vulnerability, and you will want to specify an index file. More .htaccess details at the usual place.
** of course, I'm saying nothing about the REAL hacker, who came in, switched the .htaccess, grabbed all the files, including my distro machine, with current site admin password, then replaced the .htaccess with one remarkably similar to the original, leaving practically no trace of his activity. I don't mention it, because it probably never happened.
