this one: https://www.nginx.com/blog/new-joomla-exploit-cve-2015-8562/
i'd suggest to change the ua-detection from "JDatabaseDriverMysql"
to a regex detecting the PHP-Object-Injection to cover additional
attack-vectors (like my gurus @ emergingthreats said:
"mitigation against the vuln, not the exploit you should create" :D
i also suggest to delete the "O:" - detection which will lead to
a lot of false positives, as well as using "{" alone.
http {
map $http_user_agent $blocked_ua {
"~O:\+?\d+:.*:\+?\d+:{(s|S):\+?\d+:.*;.*}" 1;
default 0;
}
...
server {
...
if ($blocked_ua) { return 403; }
...
}
...
}
cheers,
mex