WAF 318812

From Atomicorp Wiki
Jump to: navigation, search
Rule 318812
Status Active
Alert Message Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in Joomla images directory

Contents

Description

This rule detects an attempt to access a PHP file in the /images/stories/ directory. This directory is used by several CMS', including Joomla, to store image files. Attackers also use this directory to hide shells and other malicious files as this directory is typically used to allow users to upload images associated with comments and articles. Not all CMS' check to ensure that a file uploaded to this directory is not malicious. PHP files should never be found in this directory, as these CMS' will never install or use PHP files in these directories.

Some attack tools are known to blindly look for installed shells in these directories. Therefore, the fact that this rule is triggered does not mean that a malicious file has been installed on the system.

If your system is being targeted with this tool we do not recommend you disable this rule, even if you do not have Joomla installed. This rule may be telling you that someone is attacking your system, and therefore you should block this source. Please see the blog post referenced below for information about leaving rules enabled for applications you may not have installed.

Troubleshooting

False Positives

If your CMS is known to use this directory for PHP files, and is known to securely prevent users from uploading PHP files to this directory then this may be a false positive. Please check with your web application vendor to determine if this is true.

Tuning Guidance

If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.

Additional Information

Blog Articles

None.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

Personal tools