
SANS ISC: phpAdsNew log items, vulnerabilities, fix and patch information - SANS Internet Storm Center


phpAdsNew log items, vulnerabilities, fix and patch information
Fotis Kouretas submitted log information related to phpAdsNew with the observation that "While xmlrpc scans are common for the last 2 days, these log snips have something special. It doesn't scan all the web servers and it knows the locations of a specific target: phpAdsNew".

There were no other event log correlations. Fotis's log submission showed:

"POST /apps/media/ads/adxmlrpc.php HTTP/1.1" 406 278 "-" "-"
"POST /media/adxmlrpc.php HTTP/1.1" 406 349
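
A log check for the pattern Fotis describes, as an added example (not part of the original diary or of phpAdsNew): it separates clients that POST only to adxmlrpc.php from clients sweeping xmlrpc.php paths in general. The sample lines, client addresses and function names are constructed for illustration, and an Apache combined log format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format. Client addresses are
# documentation ranges; the first two request lines mirror the submitted log.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2005:10:01:02 +0000] "POST /apps/media/ads/adxmlrpc.php HTTP/1.1" 406 278 "-" "-"
192.0.2.10 - - [12/Nov/2005:10:01:03 +0000] "POST /media/adxmlrpc.php HTTP/1.1" 406 349 "-" "-"
198.51.100.7 - - [12/Nov/2005:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 404 290 "-" "-"
198.51.100.7 - - [12/Nov/2005:10:05:01 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 295 "-" "-"
198.51.100.7 - - [12/Nov/2005:10:05:02 +0000] "POST /phpads/adxmlrpc.php HTTP/1.1" 404 297 "-" "-"
203.0.113.5 - - [12/Nov/2005:10:09:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def xmlrpc_posts(log_text):
    """Yield (client, path, status, is_ads) for POSTs to *xmlrpc.php files."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the file name only, ignoring query string and case.
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if name.endswith("xmlrpc.php"):
            yield m["client"], m["path"], int(m["status"]), name == "adxmlrpc.php"

def classify_clients(log_text):
    """Map each client to 'targeted' (only adxmlrpc.php) or 'generic-sweep'."""
    kinds = defaultdict(set)
    for client, _path, _status, is_ads in xmlrpc_posts(log_text):
        kinds[client].add(is_ads)
    return {c: "targeted" if k == {True} else "generic-sweep" for c, k in kinds.items()}

def handled_ads_paths(log_text):
    """adxmlrpc.php paths answered with anything but 404 (heuristic: the server
    or a filter in front of it handled the request, so check for an install)."""
    return sorted({p for _c, p, s, is_ads in xmlrpc_posts(log_text) if is_ads and s != 404})

if __name__ == "__main__":
    print(classify_clients(SAMPLE_LOG))
    print(handled_ads_paths(SAMPLE_LOG))
```

Paths returned by `handled_ads_paths` are the places to look for a phpAdsNew install that needs the fix.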

The log entries may be related to a Nov 10 2005 phpAdsNew vulnerability announcement:
[Full-disclosure] [FS-05-01] Multiple vulnerabilities in phpAdsNew
phpAdsNew Affected versions:
At least 2.0.6, most likely other versions also.
Impact:
A remote attacker could exploit this to learn installation paths on
server, as well as to locate new files and possible manually modified
files.
If magic_quotes_gpc is off, a remote attacker can also compromise the
integrity of the database.

According to Matteo Beccati at phpAdsNew, "The fix is on CVS REL_2_0 branch for now, I'll be able to make the final test and do the release in the weekend." (2005-11-12, 2005-11-13)
Project: phpAdsNew: CVS

We will post additional information from contributors as it's developed.

Thanks Fotis!
Patrick
