Hi @BlazeStudios.
I don’t think we know what range of versions it impacts. The version impacted in my case is 2.31.30. A few minor versions behind the latest FOP2 version.
The attack vector was a POST request to /fop2/lang/ko.php. Earlier in the day the server was scanned from the attacking IP via 2 HEAD requests to /fop2/JSON.php
Unfortunately, the ko.php file is obfuscated, so it’s hard to tell what is actually happening there.
I was running FOP2 with https, as described in my post here:
Meaning that HTTPS was being used, however, I also had insecure access enabled to the “Web Management” service in the firewall, which I think may mean that fop2 would have been accessible without HTTPS.
I don’t think either of the the interfaces were actually compromised, just a post request to that PHP file.