Mambo Exploit Confirmed in the Wild

Published: 2005-11-20
Last Updated: 2005-11-21 17:24:30 UTC
by Lenny Zeltser (Version: 4)
0 comment(s)
In reference to yesterday's diary entry about the vulnerability in the Mambo content management system, we received several confirmations that it is being exploited in the wild. An ISC reader supplied us with a captured attack packet, which demonstrated an attempt to upload a copy of a PHP-based backdoor (Loader'z WEB Shell) to the vulnerable system.

The official fix to address the flaw will be released later this month as part of Mambo 4.5.3. In the mean while, you can patch your Mambo system manually by following instructions in the following posting:

Thanks to Rick Hoppe for the pointer to the fix.

Although we initially reported that some versions of PHP may not be vulnerable to this attack, the Mambo Development Team has revised their assessment to state that all versions of PHP are vulnerable. They also point out that the flaw "is not specific to Mambo and has not been totally blocked in Joomla, as can be verified in the Joomla forum." The fix listed on the Mambo forum "can be applied at the entry point to any PHP application that may be vulnerable, including Joomla." Joomla is another PHP-based content management system. This, along with other security issues, is addressed in Joomla 1.0.4.

If you applied the Mambo fix yesterday, you may want to revisit their forum, because they've updated their recommendations since originally publishing them.

Matt Jonkman at Bleeding Snort has developed a Snort signature to detect attempts to exploit this vulnerability. The signature is available at the following URL:

Please send us your feedback regarding the effectiveness of this signature, and we'll be sure to relay your commends to Bleeding Snort.

Lenny Zeltser
ISC Handler on Duty
0 comment(s)


Diary Archives