this one: https://www.nginx.com/blog/new-joomla-exploit-cve-2015-8562/


i'd suggest to change the ua-detection from "JDatabaseDriverMysql"
to a regex detecting the PHP-Object-Injection to cover additional
attack-vectors (like my gurus @ emergingthreats said:
"mitigation against the vuln, not the exploit you should create" :D

i also suggest to delete the "O:" - detection which will lead to
a lot of false positives, as well as using "{" alone.



http {
map $http_user_agent $blocked_ua {

"~O:\+?\d+:.*:\+?\d+:{(s|S):\+?\d+:.*;.*}" 1;
default 0;
}

...

server {
...
if ($blocked_ua) { return 403; }
...
}

...

}




cheers,


mex