On an ISPConfig 2.2.35 server, logwatch mailed the following:

A total of 8 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):

/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200
/index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/index.php?cat=contact/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200
/index.php?cat=contact/index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/index.php?cat=contact/index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200
/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/index.php?cat=contact/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200

Is this something I have to worry about?
These are just probes, it does not show if they were successful or not. Try to open the following URL in a browser:

Code: www.domain.com/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ

You have to replace the domain name of the web where you found this in front. Which output do you get?
I can see the homepage. After a brief talk with the webdesigner, his categories are protected against an attack like that.
%00 is known as a "poison null byte" attack. Looks like it got through, since "Response 200" is not what we want to see. System commands can be included after that line. Check if you can see your page with this command after the domain part... Easy way to prevent this is to include this line in the .htaccess file. I have been meaning to address this problem. Should 'Perfect Server' also have mod_security installed and enabled? Or can we include that RewriteCond on server level in the Apache config? You can install mod_security in Debian with these commands...
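A defender-side check that goes with the thread above, added here as an example (it is not code from the forum posts or from ISPConfig): it scans constructed Apache access-log lines for the traversal, /proc/self/environ and %00 patterns that logwatch matched on, decodes percent-encoding so obfuscated variants are not missed, and separates the 200 responses that still need a manual look from the rest, since, as the reply notes, a 200 alone does not prove a probe succeeded. The log lines, IPs and sizes below are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?category=../../../../../../proc/self/environ%00 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?c=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?category=news HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?cat=contact/index.php?c=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def normalize(url):
    # Decode twice so single and double percent-encoding both unwrap, then lowercase.
    return unquote(unquote(url)).lower()

def classify(url):
    """Return the indicator names present in a request URL (empty list if clean)."""
    n = normalize(url)
    hits = []
    if "../" in n or "..\\" in n:
        hits.append("traversal")
    if "/proc/self/environ" in n:
        hits.append("proc_environ")
    if "\x00" in n:          # %00 decoded: the poison null byte
        hits.append("null_byte")
    return hits

def scan(log_text):
    """Return one finding per log line that carries at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # malformed line: skip rather than crash
        hits = classify(m["url"])
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "bytes": m["bytes"], "indicators": hits, "url": m["url"]})
    return findings

def needs_manual_check(findings):
    """Probes for /proc/self/environ that got a 200: open them yourself, as the reply suggests."""
    return [f for f in findings if f["status"] == 200 and "proc_environ" in f["indicators"]]

if __name__ == "__main__":
    for f in needs_manual_check(scan(SAMPLE_LOG)):
        print(f["ip"], f["status"], f["bytes"], ",".join(f["indicators"]), f["url"])
```

The `bytes` field is kept so a 200 for a probe can be compared with the normal size of the same page: a probe that returns the usual homepage size is what the third post describes, while a different size is worth reading in full.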