my prediction (concerning Mambo/PHP flaw)
as some of you may know, recently there has been a surge of high profile defacements, specifically on servers running Mambo atop versions of PHP that allow the $GLOBALS array to be overwritten. I haven't noticed a big surge of media-whoring yet, but during my research on clients it's apparent that a large percentage of machines are affected.
the flaw in PHP basically allows attackers to overwrite the $GLOBALS array, and with some special crafting an attacker is very much capable of inserting arbitrary data; in the case of Mambo, that means remote execution in the form of remote file inclusion. Stefan Esser of Hardened-PHP disclosed the vulnerability on October 31st. check out the advisory.
the flaw in Mambo is simply a remote inclusion attack (or local if safe mode is on), and is all thanks to its globals.php globals emulation. the variable that is left vulnerable after the $GLOBALS overwrite is "mosConfig_absolute_path", thanks to the following code:
// the path prefix is read straight from $GLOBALS, which the PHP flaw lets a request overwrite
require_once( $GLOBALS['mosConfig_absolute_path'] . '/includes/HTML_toolbar.php' );
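to make the two halves of the problem concrete, here is an added example (my own code, not Mambo's and not from Esser's advisory) showing how a globals-emulation layer and the include line above can be hardened so that neither a request variable named GLOBALS nor one named mosConfig_absolute_path can change where the include goes. the function names (safe_emulate_globals, safe_require), the APP_ROOT constant and the sample request are all my own assumptions for illustration.

```php
<?php
// Added example, not Mambo's code: a hardened globals emulation plus an
// include-path check. Names and the sample request are constructed.

// 1. Fix the application root from the file system at startup. Nothing
//    from the request can redefine a constant, so this replaces reading
//    the path out of $GLOBALS at include time.
define('APP_ROOT', realpath(__DIR__));

// 2. Copy request variables into the global scope the way register_globals
//    did, but refuse anything that names a superglobal, a config variable
//    or an internal name. The dangerous pattern is an unconditional
//    $GLOBALS[$key] = $value for every request key; the fix is to never
//    let $key reach 'GLOBALS', '_SERVER', 'mosConfig_*' and friends.
function safe_emulate_globals(array $request): array {
    $blockedExact = ['GLOBALS', 'argv', 'argc', 'HTTP_GET_VARS', 'HTTP_POST_VARS',
                     'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_ENV_VARS'];
    $blockedPrefixes = ['_', 'mosConfig_'];   // superglobals and Mambo config
    $accepted = [];
    foreach ($request as $key => $value) {
        if (!is_string($key) || !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $key)) {
            continue;                           // odd names never become variables
        }
        if (in_array($key, $blockedExact, true)) {
            continue;
        }
        foreach ($blockedPrefixes as $prefix) {
            if (strncmp($key, $prefix, strlen($prefix)) === 0) {
                continue 2;
            }
        }
        $GLOBALS[$key] = $value;
        $accepted[] = $key;
    }
    return $accepted;                           // names that were actually exported
}

// 3. Resolve the include against APP_ROOT and insist the result stays
//    inside it. realpath() returns false for a URL or a missing file, and a
//    path that escaped the root fails the prefix check, so the remote and
//    local inclusion cases described in the post are both refused.
function safe_require(string $relative): void {
    $path = realpath(APP_ROOT . '/' . ltrim($relative, '/'));
    $rootPrefix = APP_ROOT . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $rootPrefix, strlen($rootPrefix)) !== 0) {
        http_response_code(500);
        exit('refusing to include a file outside the application root');
    }
    require_once $path;
}

// Constructed request: only 'Itemid' survives; the other two keys are the
// ones a $GLOBALS overwrite attempt would need and are dropped.
$constructedRequest = [
    'Itemid'                  => '1',
    'GLOBALS'                 => ['mosConfig_absolute_path' => 'REJECTED-VALUE'],
    'mosConfig_absolute_path' => 'REJECTED-VALUE',
];
$exported = safe_emulate_globals($constructedRequest);   // ['Itemid']
safe_require('includes/HTML_toolbar.php');
```

two caveats a practitioner would check alongside this: the include guard only matters if the rest of the code base stops reading its base path from $GLOBALS, and turning off allow_url_fopen (and, on later PHP, allow_url_include) in php.ini removes the remote half of the bug class independently of any application fix.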
the vulnerability in Mambo was disclosed by "peter MC tachatte" aka slythers@gmail.com, who, btw, is a cool dude, as far as our one-email communication goes. the disclosure happened on November 16th.
since then, there has been some major defacement and penetrations going on in several high profile networks -- it was surely bound to happen.
to cut the bullshit, I predict some worms have been written already, or are in the process of being written, and they will attack this vulnerability fiercely. let me just add that thus far I've seen a high rate of vulnerable servers out there, thanks to this combination of flaws. so pull out your popcorn and tin foil (not aluminum) hats, and enjoy the show.