Exploits in the wild for several PHP-based web apps

Published: 2005-12-22
Last Updated: 2005-12-22 17:14:37 UTC
by Jim Clausing (Version: 3)
Those of you who run web servers have probably noticed in your logs that there is a lot of scanning activity looking for vulnerabilities in PHP or in web applications written in PHP. Even after all these months there are still scans for the old awstats vulnerability and the XML-RPC vulnerabilities in PHP itself from a few months back. Well, there are a couple of new ones in the last week or so that I thought deserved a mention.

Several days ago Secunia issued a bulletin discussing a new vulnerability in phpBB-2.0.18 (which is the latest version and which, unfortunately, has been a pretty popular target over the last year or so). Fortunately, the vulnerability can only be exploited if a couple of settings are changed from the default to values that will open your web server to a lot more problems than just this one. Having said that, the exploit is now in the wild, so if you are running phpBB, make sure that you follow the recommendations and that "Allow HTML" and register_globals are both disabled. On a somewhat related note (insofar as it has to do with phpBB-2.0.18, too), one of our intrepid readers also noticed that an exploit has been posted in several places that performs brute-force dictionary attacks to get the passwords of phpBB users. Disabling the settings above will protect against the first issue, but not the second. There are a number of possible solutions to the second problem, including temporary lockouts after several unsuccessful login attempts.

Also, a couple of days ago a worm started making the rounds exploiting a vulnerability in the genealogy application PhpGedView. The authors have posted patches here, which users are encouraged to apply as soon as possible.

Update: Frank Knobbe pointed out to me that there is a snort signature available from BleedingSnort (here) to detect the PhpGedView exploit.

---------------------
Jim Clausing, jac /at/ isc.sans.org