I just found out that last week, unwillingly and for the first time, I apparently helped spammers send out thousands of emails through my webhost. It resulted in me being locked out of my mail server and my web site being disconnected temporarily. This is a bit embarrassing because it's due to some really sloppy PHP code that I wrote a few years ago, but here we go:
I had a page with a very generic include call that rendered whatever file name it was given via a URL parameter:
include($page.".php"); // $page is taken straight from the URL parameter, unvalidated
What I had never considered until today was that PHP's include command also allows inclusion of remote files over HTTP. Here's a piece of the Apache logfile that my provider's admin sent me:

The file at http://www.geocities.com/love_guy200200/Douglas.txt contains PHP code along with a convenient HTML form for composing spam messages and retrieving email addresses from a database. Apparently, last Friday the guy behind 195.166.237.42 exploited my script to include his file and execute PHP's mail() function on my provider's server. He even got around the auto-appended ".php" string in my include line by adding a "?" to the end of his file name, so the ".php" became a query string that his server simply ignored. To me this suggests that someone actually took the time to tailor this attack to my code.
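The hardened version of that include, as an added example that is not the original post's code: the request parameter is looked up in an allowlist of known pages instead of being concatenated into a path, so neither a remote URL nor a traversal string can reach include(). The page names and file layout are assumptions for the example, and the logging heuristic is a defender's addition for spotting attempts like the one described above.

```php
<?php
// Added example, not the original post's code. Shows the vulnerable pattern
// from the post beside a hardened replacement. Page names and the pages/
// directory layout are assumptions for the example.

// --- Vulnerable (the post's pattern): whatever ?page= says gets included.
// With allow_url_fopen (and, on PHP >= 5.2, allow_url_include) enabled,
// ?page=http://host/file.txt? fetches and executes remote code; the trailing
// "?" turns the appended ".php" into a query string the remote server ignores.
function renderPageVulnerable(string $page): void
{
    include($page . ".php");
}

// --- Hardened: map the parameter to a known file; never build a path from
// user input. Anything not in this table is a 404, full stop.
const PAGE_ALLOWLIST = [
    'home'    => 'pages/home.php',     // assumed file layout
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolvePage(?string $requested): ?string
{
    // Missing or empty parameter: fall back to the default page.
    if ($requested === null || $requested === '') {
        return PAGE_ALLOWLIST['home'];
    }
    // Exact-match lookup: "http://...", "../etc/passwd" and "home.php" all miss.
    return PAGE_ALLOWLIST[$requested] ?? null;
}

// Logging heuristic: does a rejected value look like an inclusion attempt?
// Matches a URL scheme (http://, ftp://, php://), a data: URI, or "../".
function looksLikeInclusionAttempt(string $value): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.-]*://|^data:|\.\.[/\\\\]#i', $value);
}

function renderPageHardened(?string $requested): void
{
    $file = resolvePage($requested);
    if ($file === null) {
        if ($requested !== null && looksLikeInclusionAttempt($requested)) {
            $addr = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
            error_log("possible file inclusion attempt from {$addr}: {$requested}");
        }
        http_response_code(404);
        echo "Page not found";
        return;
    }
    // Path is built only from the allowlist entry, anchored to this directory.
    include __DIR__ . '/' . $file;
}

renderPageHardened($_GET['page'] ?? null);
```

Beyond the code, turn off remote includes at the configuration level as well: set allow_url_include = Off in php.ini (and allow_url_fopen = Off if nothing on the site needs it), so that even a forgotten include($x) somewhere else cannot fetch code over HTTP.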
All in all, this seems like a very common, easy-to-detect, easy-to-fix exploit that has been written about plenty and could have been avoided with code written just a little more carefully. But it was still surprising to find that it happened to me. So, next time your webspace is down or your mail server doesn't let you in, consider bad code on your own site as a cause. It also gave me some first-hand insight into why, after all these years, we still have to deal with spam.
what’s the OPPOSITE of a codegem? we’ve been tagging all our good code snippets “codegem.”
k7: codeturd! yeah, i’m classy.
it's crazy to think that sending messages for a day or 2 or however long it takes before the account is frozen must be valuable enough that someone would take the time to make a personalized exploit.
oh snap, the script is still totally up
http://www.geocities.com/love_guy200200/Douglas.txt
i downloaded it.