WebApp Sec mailing list archives
Re: Mambo File Inclusion Attacks
From: Mark Ryan del Moral Talabis <talabis () gmail com>
Date: Mon, 16 Jan 2006 08:22:05 +0800
Dear Christopher, Yep, you are correct. The attack is quite old, we have indeed been seeing isolated cases in the course of our research. But what is quite peculiar is the sudden increase in these and other related attacks. The attacks have jumped quite considerably the past few weeks, particularly since the later part of December. Do you have any more theories on the spiders that you mentioned? It would be really intresting to study this further. Thanks, Ryan 2006/1/15, Christopher Kunz <chrislist () de-punkt de>:
Mark Ryan del Moral Talabis schrieb:We have been receiving multiple attacks directed towards the popular open source portal and content management system, Mambo. The attacks makes use of the "mosConfig_absolute_path" file inclusion vulnerability of certain unpatched versions of the said application. In this case, a possibly malicious file called "micu" is downloaded in the process of the attack. Full analysis: http://www.philippinehoneynet.org/data.phpI'd say this is fairly old news. We have been seeing these attacks since shortly after the advisory for the hole. micu is just your standard ddos/backdoor tool and the kids using it are mostly romanian and from south america. What worries me more is that we are also seeing a massive increase in non-application-specific PHP inclusion attacks. Seems like there are several spiders that just try injecting http://-style URLs into any URI parameter they see on a given domain. --ck -- http://www.de-punkt.de [ chris () de-punkt de ] http://www.stormix.de PHP-Anwendungen sind gefährdet! SQL-Injection, XSS, Session-Angriffe, CSRF, Commandshells, Response Splitting,... böhmische Dörfer? Dann gleich "PHP-Sicherheit" direkt beim Verlag vorbestellen! http://www.php-sicherheit.de/ ------------------------------------------------------------------------- This List Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh --------------------------------------------------------------------------
------------------------------------------------------------------------- This List Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh --------------------------------------------------------------------------
Current thread:
- Mambo File Inclusion Attacks Mark Ryan del Moral Talabis (Jan 15)
- Re: Mambo File Inclusion Attacks Christopher Kunz (Jan 15)
- Re: Mambo File Inclusion Attacks Mark Ryan del Moral Talabis (Jan 17)
- Re: Mambo File Inclusion Attacks Christopher Kunz (Jan 15)