Using nginx + naxsi to fight the latest Joomla 0-day and PHP Object Injection in general

On Dec 13 a critical vulnerability in the Joomla! core was reported that leads to remote code execution; scanners already exploiting this vulnerability have been reported as well.

The root cause seems to be an incorrectly parsed User-Agent header, which opens the door to a PHP Object Injection (POI). POI vulnerabilities have hit nearly every popular CMS over the last years (see references below). If you run nginx + naxsi combined with the doxi rules, you should already be protected against this class of attack: there is a rule (doxi rule id:42000343), available since early 2013, that detects and blocks POI exploits.

DOXI-Rule 42000343

MainRule "rx:O:\d+:.*:\d+:{(s|S):\d+:.*;.*}" "msg:possible PHP Object Injection" "mz:BODY|ARGS|HEADERS" "s:$ATTACK:8" id:42000343  ;

If you run nginx without naxsi, you can use the following snippet, inspired by an article on nginx.com, to block the exploit seen in the wild. Be aware, though, that it only inspects the User-Agent header: additional attack vectors exist (exploitation via POST bodies has been reported as well), and remember the nginx wiki's warning that "if is evil":

http {
    map $http_user_agent $blocked_ua {
        "~O:\+?\d+:.*:\+?\d+:{(s|S):\+?\d+:.*;.*}" 1;
        default 0;
    }

    ...

    server {
        ...
        if ($blocked_ua) { return 403; }
        ...
    }

    ...

}
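To see what the two regexes above actually catch, here is a small Python re-implementation of the matching logic of doxi rule 42000343 and of the nginx map. It is an added example for offline study, not code from the original post or from the naxsi/doxi projects; the request dictionary and the serialized-object strings are constructed samples that stand in for naxsi's BODY, ARGS and HEADERS match zones. It also illustrates the difference between the two patterns: the nginx map tolerates an optional "+" in front of each length field (a spelling PHP's unserialize() accepts), which the doxi regex as written does not, so the doxi rule only flags the plain form.

```python
"""Offline re-implementation of the detection behind doxi rule 42000343 and the
nginx map regex.  Added example; not part of the original post or of the
naxsi/doxi projects.  The request layout below is a constructed stand-in for
the zones naxsi inspects (mz:BODY|ARGS|HEADERS)."""
import re
from typing import Dict, List, Tuple

# Regex exactly as in doxi rule 42000343 (braces escaped for Python's re).
DOXI_42000343 = re.compile(r"O:\d+:.*:\d+:\{(s|S):\d+:.*;.*\}")

# Variant used in the nginx map snippet: tolerates an optional '+' before
# each length field, a spelling PHP's unserialize() accepts.
NGINX_MAP_UA = re.compile(r"O:\+?\d+:.*:\+?\d+:\{(s|S):\+?\d+:.*;.*\}")


def matches_poi(pattern: re.Pattern, value: str) -> bool:
    """True when value looks like a serialized PHP object carrying a string property."""
    return pattern.search(value) is not None


def inspect_request(request: Dict[str, Dict[str, str]],
                    pattern: re.Pattern = DOXI_42000343) -> List[Tuple[str, str]]:
    """Walk the three zones the doxi rule covers (HEADERS, ARGS, BODY) and
    return (zone, name) for every value the pattern matches.  An empty list
    means the request would not trip the rule."""
    hits: List[Tuple[str, str]] = []
    for zone in ("HEADERS", "ARGS", "BODY"):
        for name, value in request.get(zone, {}).items():
            if matches_poi(pattern, value):
                hits.append((zone, name))
    return hits


# Constructed sample values (not captured traffic).
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0"
# A serialized object with one string property: the shape the rule targets.
SERIALIZED_OBJ = 'O:3:"Foo":1:{s:3:"bar";s:3:"baz";}'
# Same object with '+' signs in front of the length fields.
SERIALIZED_OBJ_PLUS = 'O:+3:"Foo":+1:{s:+3:"bar";s:3:"baz";}'

SAMPLE_REQUEST = {
    "HEADERS": {"User-Agent": SERIALIZED_OBJ, "Accept": "*/*"},
    "ARGS": {"page": "1"},
    "BODY": {"comment": "hello " + SERIALIZED_OBJ},
}

if __name__ == "__main__":
    # Both the header and the body value trip the rule; the benign UA does not.
    print(inspect_request(SAMPLE_REQUEST))
    print(inspect_request({"HEADERS": {"User-Agent": BENIGN_UA}}))
    # The '+'-prefixed form is only caught by the nginx map variant.
    print(matches_poi(DOXI_42000343, SERIALIZED_OBJ_PLUS),
          matches_poi(NGINX_MAP_UA, SERIALIZED_OBJ_PLUS))
```

Running the script shows the doxi pattern flagging the User-Agent header and the POST body value while leaving a normal browser User-Agent alone, and shows that only the map variant catches the "+"-prefixed spelling. If you deploy the doxi rule, it is worth checking whether your rule set has since picked up the broader pattern, or extending the regex yourself so both WAF layers agree.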

References

Selection of PHP Object Injection vulnerabilities

date: 2015.12
tags: exploit guide hacker joomla naxsi nginx security taod
