another JOOMLA BIG EXPLOIT not stoped

[xanubi]

There is a BIG JOOMLA EXPLOIT, that cwaf don't stop, and two clients that use this library, where hacked.

Everything about the attack:
https://www.trustwave.com/Resources/SpiderLabs-Blog/-Honeypot-Alert--Open-Flash-Charts-File-Upload-Attacks/

And the logs of the attack:

Code: [Select]

195.22.100.5 - - [11/May/2015:08:08:37 +0100] "POST //components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=joss.php HTTP/1.1" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1"
195.22.100.5 - - [11/May/2015:08:08:38 +0100] "GET //components/com_jnews/includes/openflashchart/tmp-upload-images/joss.php HTTP/1.1" 200 869 "-" "-"

[webjive]

That report talks about open flash chart, not JNews. It sounds like a rule for open flash chart would be more in line.

[xanubi]

It doesn't matter what component is, both are vulnerable because they use the library.
The problem is the php-ofc-library/ofc_upload_image.php

[brijendrasial]

wow in 2009 it was exploited and someone wants to include that rule in 2015? Shouldnt be that plugin upgraded?
If this is the case then 1000's more exploit rules needs to be included in CWAF till date. Then we will monitor apache load and will try to find out solution to lower its load. #DependencyRocks

[xanubi]

wow in 2009 it was exploited and someone wants to include that rule in 2015? Shouldnt be that plugin upgraded?
If this is the case then 1000's more exploit rules needs to be included in CWAF till date. Then we will monitor apache load and will try to find out solution to lower its load. #DependencyRocks

It's easy to talk. If you've on the same server 5 or 10 clients with joomla plugins using this library, i suppose you would talk differently. If you're not the programmer and clients don't want to update or remove the plugin, what would you do?

It's not 1000's, it's only the ones that are most used by "script kiddies".

Other rule makers, like OWASP, are bad, but they prevent this attacks that are more used by the script kiddies.

If we cannot rules to stop attacks, so what's the use of the rules!

[brijendrasial]

I dont think you got my point but I do get your point. Always excess of rules will lead to heavy load on Apache, so we should not try adding oldest of exploits. Instead software must be update. A real time virus scanner must be used to stop uploading of shells and mailers instead.

[xanubi]

I dont think you got my point but I do get your point. Always excess of rules will lead to heavy load on Apache, so we should not try adding oldest of exploits. Instead software must be update. A real time virus scanner must be used to stop uploading of shells and mailers instead.

A Real time virus scanner is what we've, but that doesn't stop all uploads of malicious codes, most LInux antivirus doesn't detect nothing, almost nothing, the best is clamav with maldet signatures and some other signatures, plus we make our own, but that also takes memory and is very expensive to apache, like you said.

Sometimes some kind of exploits, are similiar, and a construction of one rule, can avoid NNNN exploits.

Upgrade the software, is like i said, if it is your sites great, but normally this is not your sites, and clients don't want upgrades. Of course rules can't cover all exploits, it's impossible in terms of resources. But some of them, like this one, is BIG AND VERY USED, so it should be stoped, do a google search, there're thousands of possible sites to attack. Also, like i said, it's possible to upload a shell or some kind of script to attack, without being detected by antivirus.