Date: 30 March 2005
References: AL-2004.044 ESB-2005.0049 AU-2005.0005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
AusCERT Update AU-2005.0008 - High level of exploitation of AWStats, phpBB and
other web bulletin board software
AusCERT Update Summary
----------------------
Product:          Multiple vendors' web bulletin boards
                  phpBB 2.0.12 and prior
                  AWStats 6.2 and prior
Operating System: UNIX variants
                  Linux variants
                  Windows
Impact:           Execute Arbitrary Code/Commands
                  Website Defacement
Access:           Remote/Unauthenticated
Ref:              AL-2004.044
                  AU-2005.0005
                  ESB-2005.0049
AusCERT has noted a continuing high level of exploit activity targeting
vulnerable versions of popular web applications. In particular, these have
included the web bulletin board system, phpBB, and the web server statistics
package, AWStats. AusCERT has previously distributed advisories for both phpBB
[1] and AWStats [2][3].
A number of web servers in Australia and New Zealand have been compromised via
both of these vulnerabilities. The impact of successful attacks has ranged
from web site defacement to the installation of botnet clients and arbitrary
malware that may allow further compromise of the affected host.
These particular attacks have been both automatically propagated via worms such
as the Santy worm [4] and also exploited manually. Preventative measures by
search engine operators have reduced the effectiveness of Santy-style worms,
but this has been accompanied by an apparent increase in manual identification
and compromise of exploitable hosts.
In some cases, the organizations targeted are not aware that they have a
web server running vulnerable web applications, particularly old, outdated
builds.
AusCERT recommends that network administrators audit their networks for
outdated AWStats, phpBB and other web bulletin board installations, and either
uninstall or update them.
All existing phpBB installations can be upgraded to phpBB 2.0.13 [5] which
contains fixes for the current publicly known vulnerabilities. AWStats can be
upgraded to version 6.4 [6] which fixes existing vulnerabilities.
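The audit recommended above can be partly automated on a web server by locating
each phpBB and AWStats install and comparing its version string numerically
against the fixed releases (phpBB 2.0.13, AWStats 6.4). The script below is an
added example and is not part of this AusCERT bulletin or of either project. It
assumes that phpBB 2.x records its version in includes/constants.php as
define('PHPBB_VERSION', '.0.12') with the leading "2" omitted, and that AWStats
records its version in awstats.pl as a $VERSION = "6.2 (...)" assignment; both
assumptions should be checked against the files of the installation being
audited. The sample web root it builds is constructed for demonstration only.

```python
"""Audit a web root for outdated phpBB 2.x and AWStats installations.

Added example, not part of the AusCERT bulletin. Assumptions (verify against
the real files before relying on this):
  - phpBB 2.x: includes/constants.php contains
        define('PHPBB_VERSION', '.0.13');   # leading "2" omitted
  - AWStats:   awstats.pl contains
        $VERSION = "6.4 (build 1.900)";
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Releases that fix the publicly known vulnerabilities named in the bulletin.
FIXED = {
    "phpBB": (2, 0, 13),
    "AWStats": (6, 4),
}

PHPBB_RE = re.compile(r"define\(\s*'PHPBB_VERSION'\s*,\s*'([^']*)'\s*\)")
AWSTATS_RE = re.compile(r'^\s*\$VERSION\s*=\s*"([0-9][0-9.]*)')


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.12' into (2, 0, 12) so comparison is numeric, not lexical:
    as strings '2.0.9' > '2.0.12', as tuples (2,0,9) < (2,0,12)."""
    return tuple(int(p) for p in text.strip(".").split(".") if p.isdigit())


@dataclass
class Finding:
    product: str
    version: Tuple[int, ...]
    path: str

    @property
    def outdated(self) -> bool:
        return self.version < FIXED[self.product]


def inspect_file(path: str) -> Optional[Finding]:
    """Return a Finding if this file carries a phpBB or AWStats version string."""
    name = os.path.basename(path)
    if name not in ("constants.php", "awstats.pl"):
        return None
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if name == "constants.php":
                    m = PHPBB_RE.search(line)
                    if m:
                        # phpBB 2 stores ".0.12"; prepend the major version.
                        return Finding("phpBB", (2,) + parse_version(m.group(1)), path)
                else:
                    m = AWSTATS_RE.match(line)
                    if m:
                        return Finding("AWStats", parse_version(m.group(1)), path)
    except OSError:
        pass
    return None


def audit(root: str) -> List[Finding]:
    """Walk root and return every phpBB/AWStats install found, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            hit = inspect_file(os.path.join(dirpath, f))
            if hit:
                findings.append(hit)
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree() -> str:
    """Constructed sample web root (not real software) used for demonstration."""
    root = tempfile.mkdtemp(prefix="webaudit_")
    samples = {
        "forum/includes/constants.php": "<?php\ndefine('PHPBB_VERSION', '.0.12');\n",
        "forum2/includes/constants.php": "<?php\ndefine('PHPBB_VERSION', '.0.13');\n",
        "cgi-bin/awstats.pl": "#!/usr/bin/perl\n$VERSION = \"6.2 (build 1.900)\";\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Run against the constructed tree; point audit() at a real web root in practice.
    for f in audit(build_sample_tree()):
        status = "OUTDATED" if f.outdated else "ok"
        print(f"{status:8} {f.product} {'.'.join(map(str, f.version))}  {f.path}")
```

Run it against a real document root instead of the constructed tree; a version
string parsed as a tuple avoids the common mistake of comparing release numbers
as text, which would wrongly mark 2.0.9 as newer than 2.0.12.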
[1] https://www.auscert.org.au/4862
[2] https://www.auscert.org.au/4725
[3] https://www.auscert.org.au/4807
[4] https://www.auscert.org.au/4653
[5] http://www.phpbb.com/downloads.php
[6] http://awstats.sourceforge.net/#DOWNLOAD
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQkpR5ih9+71yA2DNAQLVmwQAionYbPY5VOsQ8d6luLEm5bFVhJLKEc5A
v9nXZ58qEbSEbGIwD7PoRXJCv98E7H7TU8wP7clEgWGWcHvmcOhvUbUaB/ofX4wn
hhweOla+bnGGlk4t4ZI1LtXFTean5+v9ea4OBLmreCKySs4Nqofnkkx/+GIjexXu
Q2P5DEgL5g8=
=jW1z
-----END PGP SIGNATURE-----