Update Protection against phpFullAnnu 'repmod' parameter File Inclusion Vulnerability
| Check Point Reference: | CPAI-2006-126 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | FrSIRT/ADV-2006-3493 | |
| Industry Reference(s): | CVE-2006-4644 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? phpFullAnnu version 5.1 and prior | ||
| Vulnerability Description phpFullAnnu, a content management system portal application, is prone to a remote file inclusion vulnerability. An attacker can exploit this vulnerability to execute arbitrary PHP code on an affected system via a maliciously crafted URL in the 'repmod' parameter. |
||
|
Vulnerability Details The vulnerability is due to input validation errors in the 'modules/home.module.php' script that does not validate the 'repmod' parameter prior to including files. A remote attacker could exploit this flaw via a specially crafted URL. By doing so, the attacker could include malicious scripts and execute arbitrary commands on the vulnerable system. |
Protection Overview
The Update enables the HTTP Worm Catcher to detect and block these vulnerabilities based on pre-defined worm signatures.
In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on November 13, 2006 includes the following protections:
C-News File Inclusion Vulnerability (CPAI-2006-125)
phpFullAnnu File Inclusion Vulnerability (CPAI-2006-126)
Microsoft setSlice Integer Overflow Vulnerability (MS06-057) - CPAI-2006-127
Microsoft Vector Markup Language (VML) Vulnerability (MS06-055) - CPAI-2006-128
Microsoft Server Service Vulnerabilities (MS06-063) CPAI-32006-129
Multiple MySQL Query Commands Vulnerabilities (CPAI-2006-130)
W-Agora Remote File Inclusion Vulnerabilities (CPAI-2006-131)
Protecting against Heap Spraying Techniques by Blocking Known Shell Code Exploits (SBP-2006-12)
VPN-1 NGX R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > Malicious Code > General HTTP Worm Catcher.
2. In the General HTTP Worm Catcher configuration pane, under General HTTP Worm Catcher Settings > Mode, check Active.
3. Enable the following pattern:
phpFullAnnu Remote File Inclusion Vulnerability
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: HTTP Worm Catcher
Attack Information: phpFullAnnu remote file inclusion vulnerability
VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following pattern:
phpFullAnnu Remote File Inclusion Vulnerability
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: HTTP Worm Catcher
Attack Information: phpFullAnnu remote file inclusion vulnerability
VPN-1 NG with Application Intelligence R55/R54
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
2. Enable the following pattern:
phpFullAnnu Remote File Inclusion Vulnerability
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: HTTP Worm Catcher
Attack Information: phpFullAnnu remote file inclusion vulnerability
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following pattern:
phpFullAnnu Remote File Inclusion Vulnerability
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: HTTP Worm Catcher
Attack Information: phpFullAnnu remote file inclusion vulnerability
InterSpect NGX
How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:
phpFullAnnu Remote File Inclusion Vulnerability
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: HTTP Worm Catcher
Attack Information: phpFullAnnu remote file inclusion vulnerability
InterSpect 2.0
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > General HTTP Worm Defender.
2. Enable the following pattern:
phpFullAnnu Remote File Inclusion Vulnerability
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: HTTP Worm Catcher
Attack Information: phpFullAnnu remote file inclusion vulnerability
Connectra NGX R61
How Can I Protect My Network?
1. In the navigation tree, click Web Intelligence. In the Malicious Code Protection pane click General HTTP Worm Catcher.
2. Enable the following pattern:
phpFullAnnu Remote File Inclusion Vulnerability
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:
Attack Name: HTTP Worm Catcher
Attack Information: phpFullAnnu remote file inclusion vulnerability