[25561] in bugtraq
Security-risk on gridscan.com
daemon@ATHENA.MIT.EDU (Michael Metz [SpeedPartner])
Fri May 24 19:41:12 2002
From: "Michael Metz [SpeedPartner]" <metz@speedpartner.de>
To: bugtraq@securityfocus.com
Date: Sat, 25 May 2002 00:01:34 +0200
MIME-Version: 1.0
Message-ID: <3CEED45E.4888.35BF5B8@localhost>
Content-type: text/plain; charset=ISO-8859-1
Content-description: Mail message body
Content-Transfer-Encoding: 8bit
As reported by German ZDnet today (2002-05-24) in article
http://news.zdnet.de/story/0,,s2110809,00.html?020524165655 there is a new
"live search engine" under Gridscan.com. It only requires you to put a one-line
php-script from the Gridscan-homepage to your webserver, execute it once and
leave the script at this location. To unsubscribe from the search engine simply
delete the script. But the php-script-solution is a bit "risky": The php-script
you have to download contains only the row:
<? require("http://www.tobiaspreis.de/grid.php"); ?>
This way the administrator of tobiaspreis.de could easily modify his grid.php
to do almost anything on your webserver with the full user rights of your
php-scripts. Also, the server tobiaspreis.de is a good target for hackers because
this way they can gain access to a lot of large websites. In environments where
php-scripts run under the customer's identity instead of "nobody" this bears
a large security hole.
Furthermore the "live search" technique can result in a high amount of cpu- and
harddisk-load. For a full explanation of the problems refer to the full comment
on this problem in German language at:
http://www.speedpartner.de/presse/020524.pdf
By the way: Why doesn't it download from Gridscan.com but from a private
homepage?
Kind regards
Michael Metz
****************************************************
SpeedPartner, Inh. Michael Metz
Neukirchener Str. 57, 41470 Neuss
Tel.: 02137 / 929 829, Fax: 02137 / 137 17
E-Mail: info@speedpartner.de
****************************************************
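The risk described above is a remote code include: any `include`/`require` whose argument is a URL executes whatever the remote host serves. The following is an added example, not part of the original post or of Gridscan: a small Python scanner (my own, hypothetical) that walks PHP source and reports include/require directives whose argument is a literal URL, so an administrator can audit a webroot for this pattern. The sample input is constructed and only reuses the one-line script quoted in the post.

```python
"""Audit PHP source for include/require directives that load code over the network."""
import re
import sys
from dataclasses import dataclass
from typing import List

# URL schemes that PHP stream wrappers resolve remotely (or decode inline, for data://).
_REMOTE_SCHEMES = r"(?:https?|ftps?|data|php)://"

# include / require / include_once / require_once, optional parentheses,
# followed by a quoted string literal that starts with one of the schemes above.
_REMOTE_INCLUDE_RE = re.compile(
    r"\b(?P<directive>(?:include|require)(?:_once)?)\s*\(?\s*(?P<q>['\"])"
    r"(?P<url>" + _REMOTE_SCHEMES + r"[^'\"]*)(?P=q)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: int        # 1-based line number in the scanned source
    directive: str   # include / require / include_once / require_once (lower-cased)
    url: str         # the remote location the directive would fetch code from


def find_remote_includes(source: str) -> List[Finding]:
    """Return every literal remote include in `source`, in file order."""
    findings: List[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for m in _REMOTE_INCLUDE_RE.finditer(text):
            findings.append(Finding(lineno, m.group("directive").lower(), m.group("url")))
    return findings


# Constructed sample: the Gridscan one-liner from the post, a harmless local
# include, and an upper-cased HTTPS include to show the match is case-insensitive.
SAMPLE_PHP = """<? require("http://www.tobiaspreis.de/grid.php"); ?>
<?php
require_once __DIR__ . '/lib/local.php';
include 'HTTPS://cdn.example.invalid/x.php';
?>"""

if __name__ == "__main__":
    # Scan files named on the command line, or the embedded sample if none are given.
    sources = [(p, open(p, encoding="latin-1").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_PHP)]
    for name, src in sources:
        for f in find_remote_includes(src):
            print(f"{name}:{f.line}: {f.directive} loads code from {f.url}")
```

Findings from such a scan are the files to convert to local copies; whether a remote include works at all is also governed by the PHP settings allow_url_fopen and, in later releases, allow_url_include.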