PHPbb Scanning; Information Leaks; Usenix Paper
PHPbb Scanning
In a post to our forum, Andy Green reports observing a new version of the good old phpBB
highlight exploit. In this case the observed pattern is:
&highlight='.system(getenv(HTTP_PHP)).'
which looks like an attempt to just check quickly if the forum is vulnerable.
The attack is only effective against phpBB version 2.0.15. The current version is 2.0.17.
In a follow-up post, Sadie suggests blocking the sources from which these attacks originate via a .htaccess file. Evidently, the scans are frequent enough to amount to a DoS attack in their own right.
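The following is an added example, not code from the diary or from the forum posters, that turns the two points above into something runnable: it picks the highlight exploit pattern out of Apache access-log lines and renders the offending sources as a .htaccess deny list. The log lines are constructed for the example (RFC 5737 test addresses, not observed traffic); the `LOG_RE`, `INJECT_RE`, `scan_log`, `offending_sources` and `htaccess_block` names are mine; and the output assumes the Apache 2.2 `Order`/`Deny from` syntax. The decoder unquotes the parameter twice because the exploit double-encodes the quote (`%2527`) so that phpBB's own urldecode produces it after filtering; `getenv(HTTP_PHP)` in the observed pattern reads a request header named `PHP`, per the standard CGI mapping of headers to `HTTP_*` environment variables.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Aug/2005:10:11:12 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527.system(getenv(HTTP_PHP)).%2527 HTTP/1.0" 200 5123 "-" "Mozilla/4.0"
192.0.2.10 - - [28/Aug/2005:10:11:14 +0000] "GET /forum/viewtopic.php?t=2&highlight=%2527.system(getenv(HTTP_PHP)).%2527 HTTP/1.0" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Aug/2005:10:12:00 +0000] "GET /forum/viewtopic.php?t=5&highlight=phpbb+scanning HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.4 - - [28/Aug/2005:10:13:30 +0000] "GET /forum/viewtopic.php?t=9&highlight=%27.passthru(getenv(HTTP_X)).%27 HTTP/1.1" 200 5123 "-" "-"
"""

# Source address, method and request target from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# A quote that closes phpBB's string, a concatenation dot, and a call to one of
# the PHP functions an injected highlight value typically uses.
INJECT_RE = re.compile(
    r"""['"]\s*\.\s*(?P<func>system|passthru|exec|shell_exec|popen|eval)\s*\("""
)


def decode_highlight(target):
    """Return the fully decoded highlight parameter, or None if absent.

    parse_qs performs one URL decode (%2527 -> %27); the second unquote
    mirrors phpBB's own decode and exposes the quote (%27 -> ')."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("highlight")
    if not values:
        return None
    return unquote(values[0])


def scan_log(text):
    """Return (ip, function, decoded_highlight) for every exploit attempt found."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-format line
        highlight = decode_highlight(m.group("target"))
        if highlight is None:
            continue  # no highlight parameter at all
        inj = INJECT_RE.search(highlight)
        if inj:
            hits.append((m.group("ip"), inj.group("func"), highlight))
    return hits


def offending_sources(hits, min_hits=1):
    """Map source IP -> attempt count, keeping sources at or above min_hits.

    Raise min_hits when a one-off probe is not worth a permanent deny."""
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def htaccess_block(ips):
    """Render an Apache 2.2-style .htaccess fragment denying the given sources."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, func, highlight in found:
        print(f"{ip}\t{func}\t{highlight}")
    print(htaccess_block(offending_sources(found)))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the deny list it prints is the kind of fragment the follow-up post suggests, and `offending_sources(found, min_hits=5)` limits it to the repeat scanners that were causing the load.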
How to respond to Information Leaks
We received two very similar requests for help. In the first case, a user reports that they repeatedly received medical information from strangers via FAX due to a misdialed number.
Clearly, medical information is regulated by HIPAA. For fax machines, common implementation guidelines suggest programming frequently used numbers into the fax machine's speed-dial memory so that numbers are not mistyped. In addition, all fax transmissions should include a confidentiality notice asking the receiver to notify the sender and destroy the fax if it is misdirected.
In this particular case, the user notified the health care provider, but the fax errors continued. For persistent cases like this, it may be necessary to notify the individuals whose information you received, or to inform local law enforcement.
The second case involved a user who received a scanned image of a check from an insurance company. The check was one he had written to the insurer. His account number was visible, and the e-mail was not encrypted.
Obviously, this is not a good idea. The user further asked whether it is necessary to get a new bank account. While possible, it is unlikely that the information leaked in transit, and it is probably not worth the effort to change accounts. However, it is advisable to review statements carefully even without such an incident.
Usenix paper
Congratulations to John Bethencourt, Jason Franklin and Mary Vernon for their award-winning paper on mapping Internet sensors. A couple of people asked how this affects DShield; I summarized a response in a quick blog entry at http://johannes.homepc.org/blog.
--------
Johannes Ullrich, SANS Institute
(Filling in for George Bakos)