CVE-2005-3738
published 2005-11-22


Priority: P2, 60, low
CVSS 2.0: 2.6 (vector AV:N/AC:H/Au:N/C:N/I:P/A:N)
In the wild / exploit: VulnCheck KEV; exploited in the wild
EPSS: 3.56% (87.9th percentile)
globals.php in Mambo Site Server 4.0.14 and earlier, when register_globals is disabled, allows remote attackers to overwrite variables in the GLOBALS array and conduct various attacks, as demonstrated using the mosConfig_absolute_path parameter to content.html.php for remote PHP file inclusion.

Affected (10 ranges)

Vendor: mambo
Product: mambo_site_server
Version range / Fixed in: not extracted for any of the 10 ranges (the source table lists ten entries, all for this product)

Detection & IOCs (extracted from sources)

path: index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=
path: suntzu.php?cmd=
filename: suntzu.php
path: /includes/HTML_toolbar.php/index.html
filename: globals.php
filename: content.html.php
  • Detect exploitation attempts by looking for HTTP GET requests to index.php containing both 'GLOBALS=' and 'mosConfig_absolute_path=' parameters simultaneously, which is the hallmark of the globals overwrite attack vector.
  • Alert on HTTP requests containing the User-Agent string 'NeuralBot/0.2', used in the first stage of the exploit to trigger remote file inclusion via mosConfig_absolute_path.
  • Alert on HTTP requests containing the User-Agent string 'S.T.A.L.K.E.R.', used in the second stage of the exploit to execute commands via the dropped webshell (suntzu.php).
  • Detect presence of the dropped webshell by monitoring for HTTP requests to 'suntzu.php' with a 'cmd=' query parameter, indicating post-exploitation command execution.
  • The exploit checks for the string 'Hi Master' in the HTTP response to confirm successful exploitation; monitor web server responses for this string as a post-exploitation indicator.
  • The attacker stages a PHP payload at a remote location under /includes/HTML_toolbar.php/index.html; monitor outbound HTTP requests from the web server to external hosts fetching this path.
  • The vulnerability is only exploitable when PHP's register_globals is DISABLED; with register_globals enabled, the GLOBALS array overwrite via GET/POST parameters is not possible through this vector.
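As an added example (not part of the cvebase or NVD record), the following Python script turns the request-side indicators above into a small access-log scanner: it parses combined-format log lines, flags index.php requests that carry both a GLOBALS parameter and mosConfig_absolute_path, flags requests to suntzu.php with a cmd parameter, and flags the two User-Agent strings named above. The log lines, the regex and the indicator names are constructed for the example; the 'Hi Master' response check cannot be seen in an access log and is left to response inspection.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (constructed regex; adjust to your server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent strings named in the detection guidance above.
SUSPECT_UAS = {"NeuralBot/0.2", "S.T.A.L.K.E.R."}

# Constructed sample log: two lines from the described two-stage pattern and
# one ordinary request that must not match.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Nov/2005:10:00:01 +0000] "GET /index.php?_REQUEST=&_REQUEST[option]=com_content'
    '&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path= HTTP/1.1" 200 512 "-" "NeuralBot/0.2"',
    '203.0.113.5 - - [22/Nov/2005:10:00:03 +0000] "GET /suntzu.php?cmd=id HTTP/1.1" 200 77 "-" "S.T.A.L.K.E.R."',
    '198.51.100.20 - - [22/Nov/2005:10:01:00 +0000] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" '
    '200 4096 "-" "Mozilla/5.0"',
]


def classify(uri, ua):
    """Return the list of indicator names that apply to one request."""
    parts = urlsplit(uri)
    path = parts.path.lower()
    # keep_blank_values matters: the overwrite vector sends 'GLOBALS=' with an
    # empty value, which parse_qs would otherwise drop. Parameter names are
    # compared case-insensitively; 'globals[...]' array-style keys also count.
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    has_globals = any(k == "globals" or k.startswith("globals[") for k in params)

    hits = []
    if path.endswith("index.php") and has_globals and "mosconfig_absolute_path" in params:
        hits.append("globals-overwrite-rfi")
    if path.endswith("suntzu.php") and "cmd" in params:
        hits.append("webshell-command")
    if ua in SUSPECT_UAS:
        hits.append("known-exploit-user-agent")
    return hits


def scan_log(lines):
    """Parse each line and return one record per request that matched an indicator.

    Lines that do not match the log format are skipped rather than raising."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("uri"), m.group("ua"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "uri": m.group("uri"),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["timestamp"], ", ".join(f["indicators"]), f["uri"])
```

The two parameter-name checks are deliberately independent of parameter order and value, since the hallmark is their co-occurrence on index.php rather than any particular payload; the User-Agent match is a weaker signal on its own and is reported as a separate indicator so it can be weighted differently in a rule.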

CVSS provenance

Source: nvd, CVSS v2.0, score 2.6 LOW, vector AV:N/AC:H/Au:N/C:N/I:P/A:N
Source: vulncheck, score 2.6 LOW