21 December 2011


I have seen the same LFI and code injection attacks discussed here, and today yet more PHP attacks. This time, an attempt to exploit phpthumb via CVE-2010-1598.

Full details along with IPs seen are at:

Anyone else see a big uptick in this activity today?

The attack vector isn't targeting web apps that eval the User-Agent field, but is instead using a technique to turn LFIs into pseudo-RFIs.

Many web apps (e.g. PHP w/FastCGI) will pass the User-Agent field upstream to the PHP processor as an environment variable (e.g. HTTP_USER_AGENT). Since that environment variable will be present in the process' /proc/self/environ file and the attacker controls the content of the env var, the attacker will control the content of the local file (despite it being a virtual procfs), reference it in the LFI, and be able to execute arbitrary code.

I recently dealt with one of these attacks on a site. The encoded portion of the User-Agent contained an upload form, and due to improper permissions in the web directory they were able to upload a shell. It was interesting to follow. It appears to have started back in October. The owner of the site kept cleaning it up and getting hit again. They assumed that because they had an extension on the verification of the existence of the file name ($var + ".htm") before including it, this attack would not work. Is it partly a problem with how PHP handles the null (%00)?
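The /proc/self/environ trick and the null-byte question in the two comments above can both be spotted in ordinary access logs. The following detector is an added example, not code from the original post or from Trustwave; the log lines it scans are constructed, and the field names and finding labels are my own. The null-byte finding matters because older PHP releases stopped reading a filename at the first NUL, so an appended ".htm" suffix never reached the filesystem call.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (combined format), not taken from
# the original post. The second line shows the /proc/self/environ LFI pattern
# with a null byte (%00) used to cut off a ".htm" suffix appended by the app,
# and PHP code planted in the User-Agent so it lands in the environ file.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Dec/2011:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2011:10:01:05 +0000] "GET /index.php?page=../../../../proc/self/environ%00 HTTP/1.1" 200 2048 "-" "<?php system($_GET['c']); ?>"
203.0.113.9 - - [21/Dec/2011:10:02:00 +0000] "GET /phpthumb/phpThumb.php?src=x.jpg HTTP/1.1" 200 100 "-" "curl/7.21"
"""

# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def decode(s):
    # Decode twice so double-encoded payloads (%2500 -> %00 -> NUL) are caught too.
    return unquote(unquote(s))

def analyze_line(line):
    """Return {'ip', 'findings'} for a parsed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = decode(m.group('req'))
    ua = decode(m.group('ua'))
    findings = []
    if '/proc/self/environ' in req:
        findings.append('procfs-environ-lfi')      # LFI aimed at the environ file
    if '\x00' in req:
        findings.append('null-byte-truncation')    # %00 to drop an appended suffix
    if '../' in req or '..\\' in req:
        findings.append('path-traversal')
    if re.search(r'<\?(php|=)', ua):
        findings.append('php-code-in-user-agent')  # payload staged via HTTP_USER_AGENT
    return {'ip': m.group('ip'), 'findings': findings}

def scan(log_text):
    """Return the analysis of every line that produced at least one finding."""
    hits = []
    for line in log_text.splitlines():
        result = analyze_line(line)
        if result and result['findings']:
            hits.append(result)
    return hits
```

Running scan(SAMPLE_LOG) flags only the second line, with all four findings; a ModSecurity rule checking the decoded REQUEST_URI and User-Agent for the same patterns would catch it at the edge.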
