I've got a few suspicious referers lately, so I've googled back and found this here: http://www.milw0rm.com/exploits/4084

Now, that seems to be about a fairly old version, and I don't use Spaw and don't seem to have any residual files for it. But since I honestly don't understand what's going on there, I just thought I put it out here and wait for someone to look into it and enlighten me before I bring my wiki up again. Thanks!

Also here: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3289. Might be a duplicate of an old one.

*edit* I definitely got tons of hits on the file in question over the last days. This might be a serious issue for people who have Wiwimod 0.4 and perhaps some other vulnerable versions installed.

*edit again* I even got a sample of the script they wanted to execute. I'm almost tempted to try to exploit myself, to see where that leads to. :S

As you say, a very old version of wiwimod.

Latest version is 0.8.3 and the obvious advice is "keep your modules up to date"

Interesting to know what happens with that script )hope you have a backup of your site

Ok, thanks. That's what I figured. The script they want to run is quite obviously about getting a shell from the server. So I think I better don't try it. Might get me in deep #OOPS# with my webhost, hehehe.

In any case: Watch out everyone with Wiwimod and a directory called "spaw" inside the wiwimod directory. Even if it's an old exploit, it looks like it's been revived by someone. So there's some activity on that count.

Could "Spaw" be related to the wysiwyg editor of the same name?

Quote:
That's my understanding. I believe it is a vulnerability in an old version of the Spaw editor which exists with those modules/scripts that make use of its class. My wiwimod doesn't, probably because it never did. But perhaps, I've also kicked out Spaw, because I had other wysiwyg editors.

In any case, I don't know what happens at those sites where the wiwimod version with the spaw editor has been simply upgraded, without removing the spaw files, so that, even though the spaw stuff isn't used by wiwimod anymore, it's still there and waiting to be attacked. One would hope it aborts, because of errors and root path and stuff, but who knows?

Which is why I would recommend everyone has a look into their installation and see whether they have the spaw stuff in there. In case they do, it might be wise to take precautions. I think that just deleting the directory root/modules/wiwimod/spaw should do here.

That's a remote file inclusion vulnerability, and it seems to be really ridiculously easy to exploit. You just pass a path to your own script in the url query string, and that stupid spaw script parses your own malicious script and includes it in its own flow. Something like that. It does you the favor to parse your own script, figure that!

Apparently, the vulnerable spaw has also been used in XT Conteudo (see last comment), and who knows where else. I, in any case, have grep'd all my installation for all vestiges of spaw.

I have winmod installed on my site. Winmod was one of the modules that was listed with the spaw related (milw0rm.com [2007-06-20]) I discovered this from following the security links and seeing where this one was involved. I was/am not using the spaw editor so it did not affect me.

http://www.xoops.net.br/modules/wiwimod/index.php?page=Security+Alerts&back=WiwiHome

Thanks for the hint. Phppp has also published a security alert some days back. It's at https://xoops.org/modules/news/article.php?storyid=3799

Hi Xoopers, Tobias is correct. Delete spaw directory urgent.

@moderator
This thread should be renamed [Resolved]