[Emerging-Sigs] StillSecure: 10 New Signatures - Jan-5-2009

signatures signatures at stillsecure.com
Mon Jan 5 04:14:49 EST 2009


Hi Matt,

Please find 10 New Signatures below:

1.       phpAddEdit editform parameter Local File Inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"phpAddEdit editform parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/addedit-render.php?"; nocase; uricontent:"editform="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7417; reference:bugtraq,32774; sid:508289; rev:1;)

 

2.       Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1"; nocase; distance:0; content:"Open"; nocase; content:".avi"; nocase; distance:0; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7431; reference:bugtraq,32613; sid:508293; rev:1;)



3.       Multiple Membership Script id parameter SQL injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Multiple Membership Script id parameter SQL injection"; content:"GET "; depth:4; uricontent:"/sitepage.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33019/; reference:url,milw0rm.com/exploits/7346; sid:2008199; rev:1;)

 

4.       CF_Calendar calid parameter  SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CF_Calendar calid parameter  SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/calendarevent.cfm?"; nocase; uricontent:"calid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33074/; reference:url,milw0rm.com/exploits/7413; sid:2008205; rev:1;)

 

5.       Simple Text-File Login script slogin_path parameter remote file inclusion
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Simple Text-File Login script slogin_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/slogin_lib.inc.php?"; nocase; uricontent:"slogin_path="; nocase; pcre:"/slogin_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,32811; reference:url,milw0rm.com/exploits/7444; sid:2008217; rev:1;) 

 

6.       WEB-PHP icash Click&BaneX user_menu.asp ID parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP icash Click&BaneX user_menu.asp ID parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/user_menu.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7484; reference:bugtraq,32856; sid:2008005; rev:1;)

 

7.       WEB-PHP EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/resim.asp?"; nocase; uricontent:"islem=altkat"; nocase; uricontent:"kat_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33199/; reference:url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt; sid:2008003; rev:1;)

 

8.       WEB-ATTACKS EvansFTP EvansFTP.ocx Remote Buffer Overflow
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS EvansFTP EvansFTP.ocx Remote Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; distance:0; nocase; content:"RemoteAddress"; nocase; classtype:web-application-attack; reference:bugtraq,32814; reference:url,www.milw0rm.com/exploits/7460; sid:2008128; rev:1;)

 

9.       WEB-ATTACKS Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; distance:0; nocase; content:"SetID"; nocase; classtype:web-application-attack; reference:bugtraq,32901; reference:url,www.milw0rm.com/exploits/7505; sid:2008129; rev:1;)

 

10.   WEB-PHP RSS Simple News news.php pid parameter Remote SQL Injection
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP RSS Simple News news.php pid parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/news.php?"; nocase; content:"pid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/7541; reference:bugtraq,32962; sid:2008016; rev:1;)

Looking forward to your comments, if any...

 
Thanks & Regards,
StillSecure
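
A small lint pass over rules 3, 4 and 10 from the message above, added here as an example; it is not part of the original message or of any Snort tooling. It splits each rule into its options and reports a missing `flow` option and a parameter-name match written as `content` in a rule that otherwise uses `uricontent`. The rule strings are copied from the message with the `reference` options trimmed, and `parse_rule`, `lint` and `lint_all` are names chosen for this example.

```python
import re

# Rules 3, 4 and 10 copied from the message above, with the reference options trimmed.
RULES = [
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Multiple Membership Script id parameter SQL injection"; content:"GET "; depth:4; uricontent:"/sitepage.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; sid:2008199; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CF_Calendar calid parameter  SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/calendarevent.cfm?"; nocase; uricontent:"calid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; sid:2008205; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP RSS Simple News news.php pid parameter Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/news.php?"; nocase; content:"pid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; sid:2008016; rev:1;)',
]

# A keyword, then an optional ":value" whose quoted part may contain escaped characters.
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')


def parse_rule(rule):
    """Return (header, [(keyword, value), ...]) with options in rule order."""
    header = rule[:rule.index("(")].strip()
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return header, [(m.group(1), (m.group(2) or "").strip())
                    for m in OPTION_RE.finditer(body)]


def lint(rule):
    """Return (sid, findings) for one rule."""
    _, opts = parse_rule(rule)
    keys = [k for k, _ in opts]
    findings = []
    if "flow" not in keys:
        findings.append("no flow option, so the rule is not limited to "
                        "established to_server traffic")
    if "uricontent" in keys:
        for k, v in opts:
            # "GET " is a deliberate raw-payload match; a "name=" match is a URI parameter.
            if k == "content" and v.strip('"').endswith("="):
                findings.append(f"content:{v} searches the raw payload; "
                                "the other matches use uricontent")
    return dict(opts).get("sid"), findings


def lint_all(rules=RULES):
    """Map each rule's sid to its list of findings."""
    return dict(lint(r) for r in rules)


if __name__ == "__main__":
    for sid, findings in lint_all().items():
        print(sid, findings or "ok")
```
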