
Command Injection Protection Preemptively Protects against Santy.C Worm

Attack ID: CPAI-2004-69
Publish Date:
Category: Worms and Viruses
Vulnerable Systems: All PHP versions
Source: K-OTIK

Description: PHP applications might be vulnerable to a programming flaw that enables a remote attacker to inject arbitrary commands. Santy.C uses popular search engines to find .php pages and inject these commands. This flaw is common to all PHP versions.
Severity:
Details:

Hypertext Preprocessor (PHP) is a widely used server-side scripting language, used to create dynamic Web pages. PHP is especially suited for Web development since it can easily be embedded into Hypertext Markup Language (HTML).

A coding flaw may be present in PHP scripts that enables a remote attacker to inject malicious commands. Santy.C, the most recent variant of the Santy worm, uses Google and Yahoo! to find pages with the .php extension in an attempt to inject malicious commands. This may result in the defacement of Web sites, data theft and execution of arbitrary code.

This worm attacks all PHP scripts/pages which are vulnerable to a "File Inclusion" flaw (related to an insecure use of the include() and require() functions, where the file to be included is taken from user-supplied input).
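The following is an added illustration, not code from the advisory or from Check Point: a minimal PHP page that shows the insecure include() pattern referred to above next to an allow-list version that removes it. The page names (home, contact), the pages/ directory and the function names are assumptions made for the example.

```php
<?php
// Added example (not part of the original advisory).
// Shows the "File Inclusion" flaw in PHP and one way to harden it.

// --- Vulnerable pattern -------------------------------------------------
// The file that gets executed is chosen by the request. Any value the
// client supplies (another file on disk, or a URL if allow_url_include is
// enabled) is passed straight to include(), so the client controls what
// code runs on the server.
function vulnerable_include(string $page): void
{
    // WRONG: untrusted input selects the file.
    include($page . '.php');
}

// --- Hardened pattern ---------------------------------------------------
// The request selects a *key*, never a path. Only files listed here can
// ever be included, regardless of what the client sends.
// (Assumed layout: ./pages/home.php and ./pages/contact.php.)
const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/**
 * Map a requested page name to a file path from the allow-list.
 * Returns null for anything not explicitly listed.
 */
function resolve_page(string $requested): ?string
{
    return ALLOWED_PAGES[$requested] ?? null;
}

/**
 * Include the requested page only if it is on the allow-list.
 * Returns true when a page was served, false when the request was refused.
 */
function safe_include(string $requested): bool
{
    $file = resolve_page($requested);
    if ($file === null) {
        // Unknown key: refuse rather than guess. Log it; a flood of these
        // from one source is a useful indicator of scanning.
        error_log("refused page include: " . $requested);
        http_response_code(404);
        return false;
    }
    require $file;
    return true;
}

// Demonstration of the lookup when run from the command line. Only
// resolve_page() is called here so the example runs without the pages/
// directory present. Inputs are constructed for the example.
if (PHP_SAPI === 'cli') {
    $samples = [
        'home',                 // listed key -> resolved to a fixed path
        'contact',              // listed key -> resolved to a fixed path
        '../../../etc/passwd',  // path-style value -> null (refused)
        'http://example.invalid/x', // URL-style value -> null (refused)
    ];
    foreach ($samples as $s) {
        $r = resolve_page($s);
        printf("%-28s => %s\n", $s, $r === null ? 'REFUSED' : $r);
    }
}
```

In a web context, call `safe_include($_GET['page'] ?? 'home')` instead of passing the parameter to include() directly. As defence in depth, keep `allow_url_include` (and, where the application does not need it, `allow_url_fopen`) set to `Off` in php.ini so that include() and require() cannot fetch code over the network even if an unsafe call slips through.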


Attack Detection: Using SmartView Tracker, users of VPN-1 NG with Application Intelligence R55W and Connectra with a Web Intelligence license who have applied the solution outlined below will be able to identify this attack by the following logging entries:

Attack Name:    Command Injection
Information:      reason: WSE0050001 command injection detected in URL: 'wget'

Solution: Users of VPN-1 NG with Application Intelligence R55W with Web Intelligence license and Connectra are preemptively protected against Command Injection vulnerabilities.

To verify that your Command Injection protection is enabled, refer to CPSA-2004-07.
Industry Reference:
Additional Information: CPSA-2004-07