SID 2143
Msg
"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"
Summary
This event is generated when an attempt is made to exploit a weakness in the cafelog php application.
Classtype
web-application-attack
Impact
Arbitrary code execution.
Detailed Information
This event is generated when an attempt is made to exploit a vulnerability in the cafelog PHP application.
It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the gm-2-b2.php script.
Affected Systems
- Any host using cafelog.
Attack Scenarios
An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via gm-2-b2.php.
Ease Of Attack
Simple.
False Positives
None Known.
False Negatives
None Known.
Corrective Action
Check the php implementation on the host.
Check the webserver log files for signs of this activity.
Where possible, ensure the webserver is run as an unprivileged process.
Check the host for signs of compromise.
Contributors
- Sourcefire Vulnerability Research Team
- Brian Caswell
- Nigel Houghton
