[Emerging-Sigs] StillSecure: 10 New Signatures - Dec-30-2008

Matt Jonkman jonkman at jonkmans.com
Sat Jan 3 15:30:57 EST 2009


Once again, thanks to stillsecure!!!

Posted!

Matt

signatures wrote:
> Hi Matt,
> 
> Please find 10 New Signatures below:
> 
> 1.       *PHPmyGallery lang parameter Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"PHPmyGallery lang parameter Local File Inclusion";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/_conf/core/common-tpl-vars.php?"; nocase;
> uricontent:"lang="; nocase; pcre:"/(\.\.\/){1,}/U";
> classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705;
> sid:508284; rev:1;)
> 
>  
> 
> 2.       *PHPmyGallery confdir parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"PHPmyGallery confdir parameter Remote File Inclusion";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/_conf/core/common-tpl-vars.php?"; nocase;
> uricontent:"confdir="; nocase;
> pcre:"/confdir=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705;
> sid:508285; rev:1;)
> 
>  
> 
> 3.       *EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer
> Overflow*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EasyMail
> Objects emmailstore.dll ActiveX Control Remote Buffer Overflow";
> flow:to_client,established; content:"clsid"; nocase;
> content:"5B8BE023-76A2-4F6D-8993-F7E588D79D98"; nocase; distance:0;
> content:"0x400000"; nocase; content:"CreateStore"; nocase;
> classtype:web-application-attack; reference:bugtraq,32722;
> reference:url,milw0rm.com/exploits/7402; sid:1000007; rev:1;)
> 
>  
> 
> 4.       *lcxBBportal Alpha portal_block.php phpbb_root_path parameter
> Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"lcxBBportal Alpha portal_block.php phpbb_root_path parameter
> Remote File Inclusion"; flow:established,to_server; content:"GET ";
> depth:4; uricontent:"/portal_block.php?"; nocase;
> uricontent:"phpbb_root_path="; nocase;
> pcre:"/phpbb_root_path=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7341; reference:bugtraq,32647;
> sid:508278; rev:1;)
> 
>  
> 
> 5.       *lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path
> parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter
> Remote File Inclusion"; flow:established,to_server; content:"GET ";
> depth:4; uricontent:"/acp_lcxbbportal.php?"; nocase;
> uricontent:"phpbb_root_path="; nocase;
> pcre:"/phpbb_root_path=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7341; reference:bugtraq,32647;
> sid:508279; rev:1;)
> 
>  
> 
> 6.       *ccTiddly index.php cct_base parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ccTiddly
> index.php cct_base parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/index.php?"; nocase; uricontent:"cct_base="; nocase;
> pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7336;
> reference:url,secunia.com/Advisories/32995/; sid:508269; rev:1;)
> 
>  
> 
> 7.       *ccTiddly proxy.php cct_base parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ccTiddly
> proxy.php cct_base parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/handle/proxy.php?"; nocase; uricontent:"cct_base="; nocase;
> pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7336;
> reference:url,secunia.com/Advisories/32995/; sid:508270; rev:1;)
> 
>  
> 
> 8.       *ccTiddly header.php cct_base parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ccTiddly
> header.php cct_base parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/includes/header.php?"; nocase; uricontent:"cct_base=";
> nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7336;
> reference:url,secunia.com/Advisories/32995/; sid:508271; rev:1;)
> 
>  
> 
> 9.       *ccTiddly include.php cct_base parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ccTiddly
> include.php cct_base parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/includes/include.php?"; nocase; uricontent:"cct_base=";
> nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7336;
> reference:url,secunia.com/Advisories/32995/; sid:508272; rev:1;)
> 
>  
> 
> 10.   *ccTiddly workspace.php cct_base parameter Remote File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ccTiddly
> workspace.php cct_base parameter Remote File Inclusion";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/includes/workspace.php?"; nocase; uricontent:"cct_base=";
> nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7336;
> reference:url,secunia.com/Advisories/32995/; sid:508273; rev:1;)
> 
> Looking forward to your comments, if any…
> 
> Thanks & Regards,
> StillSecure
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
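
A regression check for the file-inclusion signatures quoted above, added here as an example; it is not part of the original post or of the Emerging Threats ruleset. It re-implements each rule's content, uricontent and pcre options in Python and runs them over constructed request lines. Assumptions: the function name matching_sids, the sample requests, and a single percent-decode standing in for Snort's normalized URI buffer.

```python
import re
from urllib.parse import unquote

# (sid, uricontent path, parameter) copied from signatures 2 and 4-10 above.
RFI_RULES = [
    (508285, "/_conf/core/common-tpl-vars.php?", "confdir"),
    (508278, "/portal_block.php?", "phpbb_root_path"),
    (508279, "/acp_lcxbbportal.php?", "phpbb_root_path"),
    (508269, "/index.php?", "cct_base"),
    (508270, "/handle/proxy.php?", "cct_base"),
    (508271, "/includes/header.php?", "cct_base"),
    (508272, "/includes/include.php?", "cct_base"),
    (508273, "/includes/workspace.php?", "cct_base"),
]
LFI_RULE = (508284, "/_conf/core/common-tpl-vars.php?", "lang")  # signature 1


def matching_sids(request_line):
    """Return the sids whose content, uricontent and pcre options all match."""
    if not request_line.startswith("GET "):      # content:"GET "; depth:4;
        return []
    # Assumption: one percent-decode approximates the normalized URI (/U).
    uri = unquote(request_line.split(" ")[1])
    low = uri.lower()                            # uricontent:"..."; nocase;
    hits = []
    for sid, path, param in RFI_RULES:
        pcre = re.compile(param + r"=\s*(ftps?|https?|php)\:\/", re.I)
        if path in low and param + "=" in low and pcre.search(uri):
            hits.append(sid)
    sid, path, param = LFI_RULE
    if path in low and param + "=" in low and re.search(r"(\.\.\/){1,}", uri):
        hits.append(sid)
    return hits


# Constructed request lines; example.invalid is a reserved, non-routable name.
SAMPLES = [
    "GET /includes/header.php?cct_base=http://example.invalid/a.txt HTTP/1.1",
    "GET /Portal_Block.php?PHPBB_ROOT_PATH=%68ttp://example.invalid/ HTTP/1.1",
    "GET /index.php?cct_base=includes/ HTTP/1.1",
    "GET /_conf/core/common-tpl-vars.php?lang=../../x HTTP/1.1",
    "GET /_conf/core/common-tpl-vars.php?lang=en&ref=../gallery/ HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(matching_sids(line), line)
```

The last sample raises sid 508284 although lang is "en": the pcre in signature 1 looks for "../" anywhere in the URI rather than in the lang value, so that rule can alert on requests where another parameter carries a relative path.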



