Exploits in the wild for several PHP-based web apps
Those of you that run web servers have probably noticed in your logs that there is a lot of scanning activity looking for vulnerabilities in PHP or web applications that are written in PHP.  Even after all these months there are still scans for the old awstats vulnerability and the XML-RPC vulnerabilities in PHP itself from a few months back.  Well, there are a couple of new ones in the last week or so that I thought deserved a mention.

Several days ago Secunia issued a bulletin discussing a new vulnerability in phpBB-2.0.18 (which is the latest one and which, unfortunately, has been a pretty popular target over the last year or so).  Fortunately, the vulnerability can only be exploited if a couple of settings are changed from the default to values that will open your web server to a lot more problems than just this one.  Having said that, the exploit is now in the wild, so if you are running phpBB, make sure that you follow the recommendations and that "Allow HTML" and register_globals are both disabled.  One of our intrepid readers also noticed that an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users.

Also, a couple of days ago a worm started making the rounds exploiting a vulnerability in the genealogy application PhpGedView.  The authors have posted patches here which users are encouraged to apply as soon as possible.

Jim Clausing, jac /at/ isc.sans.org
I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Tokyo Autumn 2022


423 Posts
ISC Handler
Dec 22nd 2005

Sign Up for Free or Log In to start participating in the conversation!