Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Mambo File Inclusion Attacks

Re: Mambo File Inclusion Attacks

From: Mark Ryan del Moral Talabis <talabis_at_gmail.com>
Date: Mon, 16 Jan 2006 08:22:05 +0800

Dear Christopher,

Yep, you are correct. The attack is quite old, we have indeed been
seeing isolated cases in the course of our research. But what is quite
peculiar is the sudden increase in these and other related attacks.
The attacks have jumped quite considerably the past few weeks,
particularly since the later part of December. Do you have any more
theories on the spiders that you mentioned? It would be really
intresting to study this further.

Thanks,
Ryan

2006/1/15, Christopher Kunz <chrislist_at_de-punkt.de>:
> Mark Ryan del Moral Talabis schrieb:
> > We have been receiving multiple attacks directed towards the popular
> > open source portal and content management system, Mambo. The attacks
> > makes use of the "mosConfig_absolute_path" file inclusion
> > vulnerability of certain unpatched versions of the said application.
> > In this case, a possibly malicious file called "micu" is downloaded in
> > the process of the attack.
> >
> > Full analysis:
> > http://www.philippinehoneynet.org/data.php
>
> I'd say this is fairly old news. We have been seeing these attacks since shortly
> after the advisory for the hole. micu is just your standard ddos/backdoor tool
> and the kids using it are mostly romanian and from south america.
>
> What worries me more is that we are also seeing a massive increase in
> non-application-specific PHP inclusion attacks. Seems like there are several
> spiders that just try injecting http://-style URLs into any URI parameter they
> see on a given domain.
>
> --ck
>
> --
> http://www.de-punkt.de [ chris@de-punkt.de ] http://www.stormix.de
> PHP-Anwendungen sind gefährdet! SQL-Injection, XSS, Session-Angriffe,
> CSRF, Commandshells, Response Splitting,... böhmische Dörfer? Dann gleich
> "PHP-Sicherheit" direkt beim Verlag vorbestellen! http://www.php-sicherheit.de/
>
> -------------------------------------------------------------------------
> This List Sponsored by: Watchfire
>
> Watchfire's AppScan is the industry's first and leading web application
> security testing suite, and the only solution to provide comprehensive
> remediation tasks at every level of the application. See for yourself.
> Download AppScan 6.0 today.
>
> https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
> --------------------------------------------------------------------------
>
>

-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------
Received on Jan 17 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]