[Snort-sigs] SID 1399

Warchild warchild at ...288...
Wed Jan 30 10:20:02 EST 2002

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL PHP-Nuke
remote file include attempt"; flags:A+; uricontent:"index.php"; nocase;
content:"file=http\://"; nocase; reference:bugtraq,3889;
classtype:web-application-attack; sid:1399; rev:1;) 


A remote machine has possibly attempted to include a remote file as part of
PHP-nuke index.php.

Possible file disclosure, or command execution at the privledge level of
the user running the webserver.

Detailed Information:
The index.php included with PHP-nuke allows inclusion of additional files.
Normal usage might be situations where a webmaster wants to include
additional code in their index.php.  This can be done via
"index.php?file=<path_to_file>".  PHP-nuke also allows inclusion of files
from remote sources specified by either ftp or http as the transport
protocol.  This allows attackers to craft their own php file (say, foo.php)
and store it remotely (say, http://mysite.org/foo.php) and then instruct
the victim machine to include foo.php as part of it's source.  Any code in
foo.php will get executed on the victim machine.

Attack Scenarios:
In an attempt to gain access to a remote site that happens to use PHP-nuke,
an attacker crafts the following foo.php, and places it on a website that
he controls:

The attacker can then include foo.php as part of a remote site's index.php
that uses PHP-nuke, and execute any command:

	lynx \

Ease of Attack:
Anyone with access to a web browser and a publicly available web server on 
which they have the ability to make files viewable from the web. 

False Positives:

False Negatives:
If the page being accessed is not named index.php, but has the same
vulnerability as the original index.php, the attack will slip by.  If your
PHP-nuke install allows inclusion of files over other protcols (ftp), this
attack may slip by.

Corrective Action:
If you run PHP-nuke, either upgrade to the latest revision, or edit the
source to remove support for file inclusion.  Check your web logs for
attempted file inclusion.  If found, investigate this as a possible
system-level intrusion.

Warchild <warchild at ...288...>
Jon Hart <jhart at ...289...>

Additional References:

More information about the Snort-sigs mailing list