Web Analytics Made Easy -
StatCounter Combatting malicious, simulated POST $_REQUEST's? - CodingForum


No announcement yet.

Combatting malicious, simulated POST $_REQUEST's?

  • Filter
  • Time
  • Show
Clear All
new posts

  • Combatting malicious, simulated POST $_REQUEST's?

    I have had attacks on a web site that I maintain through the inclusion of malicious code in the $_GET portions of URL's.

    For example:
    I was wondering how easy it is for hackers to simulate an internal $_POST from outside my site. I haven't noticed any trouble with that, but if I were a hacker, that's what I would try.

    Any suggestions/warnings?

  • #2
    This kind of attack it call Remote File Inclusion.
    It is of the most powerful attack that the hacker can use.

    There is one kind of shell script that the hacker can run via the inclusion, and the script is able to see everything on your webserver.....

    This is what the hacker can see:

    There are some host who have anti-virus install to prevent the execution of such script, but most of them does not have.

    Never allow a full path to be determine via the user input.

    To do internal Post back just use this...
    PHP Code:
    $_POST['variable'] = "YOUR VALUE"//this will work, simple as that 
    If you want to do it from outside...
    Just create a HTML form and point it to that site...
    Last edited by kokjj87; Apr 1, 2009, 01:28 AM.


    • #3
      As far as a Remote File Inclusion, I don't have any $_REQUEST's ($_GET's or $_POST's) on my page that tell the code exactly what we address to use. However, in my php.ini, these were all on when the attacks occurred:

      allow_url_fopen = Off
      allow_url_include = Off
      file_uploads = Off
      I didn't have register_globals on though! Still, not good. After turning the three above items off, I have used .htaccess to redirect any malicious URL's (like the one I mentioned in my first post). So far, so good.

      I guess I was wondering what a hacker would have to do to simulate a POST from outside of my web site. Since I'm only protecting against GET's, I suppose someone could use a phony POST to do some damage. Could they?