[Snort-sigs] SID 1399
warchild at ...288...
Wed Jan 30 10:20:02 EST 2002
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL PHP-Nuke
remote file include attempt"; flags:A+; uricontent:"index.php"; nocase;
content:"file=http\://"; nocase; reference:bugtraq,3889;
classtype:web-application-attack; sid:1399; rev:1;)
A remote machine has possibly attempted to include a remote file as part of
Possible file disclosure, or command execution at the privledge level of
the user running the webserver.
The index.php included with PHP-nuke allows inclusion of additional files.
Normal usage might be situations where a webmaster wants to include
additional code in their index.php. This can be done via
"index.php?file=<path_to_file>". PHP-nuke also allows inclusion of files
from remote sources specified by either ftp or http as the transport
protocol. This allows attackers to craft their own php file (say, foo.php)
and store it remotely (say, http://mysite.org/foo.php) and then instruct
the victim machine to include foo.php as part of it's source. Any code in
foo.php will get executed on the victim machine.
In an attempt to gain access to a remote site that happens to use PHP-nuke,
an attacker crafts the following foo.php, and places it on a website that
The attacker can then include foo.php as part of a remote site's index.php
that uses PHP-nuke, and execute any command:
Ease of Attack:
Anyone with access to a web browser and a publicly available web server on
which they have the ability to make files viewable from the web.
If the page being accessed is not named index.php, but has the same
vulnerability as the original index.php, the attack will slip by. If your
PHP-nuke install allows inclusion of files over other protcols (ftp), this
attack may slip by.
If you run PHP-nuke, either upgrade to the latest revision, or edit the
source to remove support for file inclusion. Check your web logs for
attempted file inclusion. If found, investigate this as a possible
Warchild <warchild at ...288...>
Jon Hart <jhart at ...289...>
More information about the Snort-sigs