[Emerging-Sigs] StillSecure: 10 New Signatures - Jan-5-2009

Matt Jonkman jonkman at jonkmans.com
Thu Jan 8 10:53:14 EST 2009


All posted, thanks!

That also puts us to sid 2009000. Another thousand up there!!

Matt

signatures wrote:
> Hi Matt,
> 
> Please find 10 New Signatures below:
> 
> 1.       *phpAddEdit editform parameter Local File Inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"phpAddEdit editform parameter Local File Inclusion";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/addedit-render.php?"; nocase; uricontent:"editform=";
> nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7417; reference:bugtraq,32774;
> sid:508289; rev:1;)
> 
>  
> 
> 2.       *Microsoft Visual Basic Common AVI ActiveX Control File Parsing
> Buffer Overflow*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Microsoft
> Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow";
> flow:to_client,established; content:"CLSID"; nocase;
> content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1"; nocase; distance:0;
> content:"Open"; nocase; content:".avi"; nocase; distance:0;
> classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7431; reference:bugtraq,32613;
> sid:508293; rev:1;)
> 
> 3.       *Multiple Membership Script id parameter SQL injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Multiple
> Membership Script id parameter SQL injection"; content:"GET "; depth:4;
> uricontent:"/sitepage.php?"; nocase; uricontent:"id="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/33019/;
> reference:url,milw0rm.com/exploits/7346; sid:2008199; rev:1;)
> 
>  
> 
> 4.       *CF_Calendar calid parameter  SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"CF_Calendar calid parameter  SQL Injection";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/calendarevent.cfm?"; nocase; uricontent:"calid="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/33074/;
> reference:url,milw0rm.com/exploits/7413; sid:2008205; rev:1;)
> 
>  
> 
> 5.       *Simple Text-File Login script slogin_path parameter remote
> file inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Simple
> Text-File Login script slogin_path parameter remote file inclusion";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/slogin_lib.inc.php?"; nocase; uricontent:"slogin_path=";
> nocase; pcre:"/slogin_path=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,32811;
> reference:url,milw0rm.com/exploits/7444; sid:2008217; rev:1;)
> 
>  
> 
> 6.       *WEB-PHP icash Click&BaneX user_menu.asp ID parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> icash Click&BaneX user_menu.asp ID parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/user_menu.asp?"; nocase; uricontent:"ID="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7484; reference:bugtraq,32856;
> sid:2008005; rev:1;)
> 
>  
> 
> 7.       *WEB-PHP EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/resim.asp?"; nocase; uricontent:"islem=altkat"; nocase;
> uricontent:"kat_id="; nocase; uricontent:"UNION"; nocase;
> uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui";
> classtype:web-application-attack;
> reference:url,secunia.com/advisories/33199/;
> reference:url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt;
> sid:2008003; rev:1;)
> 
>  
> 
> 8.       *WEB-ATTACKS EvansFTP EvansFTP.ocx Remote Buffer Overflow*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS
> EvansFTP EvansFTP.ocx Remote Buffer Overflow";
> flow:to_client,established; content:"CLSID"; nocase;
> content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; distance:0; nocase;
> content:"RemoteAddress"; nocase; classtype:web-application-attack;
> reference:bugtraq,32814; reference:url,www.milw0rm.com/exploits/7460;
> sid:2008128; rev:1;)
> 
>  
> 
> 9.       *WEB-ATTACKS Phoenician Casino FlashAX ActiveX Control Remote
> Buffer Overflow*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS
> Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow";
> flow:to_client,established; content:"CLSID"; nocase;
> content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; distance:0; nocase;
> content:"SetID"; nocase; classtype:web-application-attack;
> reference:bugtraq,32901; reference:url,www.milw0rm.com/exploits/7505;
> sid:2008129; rev:1;)
> 
>  
> 
> 10.   *WEB-PHP RSS Simple News news.php pid parameter Remote SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> RSS Simple News news.php pid parameter Remote SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/news.php?"; nocase; content:"pid="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7541; reference:bugtraq,32962;
> sid:2008016; rev:1;)
> 
> Looking forward to your comments, if any…
> 
>  
> Thanks & Regards,
> StillSecure
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
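
Added example (not part of the original post and not Emerging Threats tooling): a small Python check that re-joins rules as they appear quoted in this message, parses their options, and flags two inconsistencies visible in the batch: rule 3 carries no `flow` option, and rule 10 matches `pid=` with `content` where the sibling rules use `uricontent`. The function names and the two checks are assumptions made for illustration.

```python
import re

# Constructed input: rules 3 and 10 from the post, still carrying the
# mail-quote prefixes and line wrapping of the list archive.
ARCHIVED = '''\
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Multiple
> Membership Script id parameter SQL injection"; content:"GET "; depth:4;
> uricontent:"/sitepage.php?"; nocase; uricontent:"id="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/33019/;
> reference:url,milw0rm.com/exploits/7346; sid:2008199; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> RSS Simple News news.php pid parameter Remote SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/news.php?"; nocase; content:"pid="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,www.milw0rm.com/exploits/7541; reference:bugtraq,32962;
> sid:2008016; rev:1;)
'''

def unwrap(text):
    """Strip '> ' prefixes and re-join each wrapped rule onto one line."""
    body = " ".join(re.sub(r"^>\s?", "", ln).strip() for ln in text.splitlines())
    return re.findall(r"alert \w+ .*?;\)", body)

def options(rule):
    """Return the rule body as ordered (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = re.findall(r'(\w+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?\s*;', body)
    return [(k, v.strip('"')) for k, v in pairs]

def lint(rule):
    """Return (sid, findings) for two inconsistencies seen in this batch."""
    opts = options(rule)
    keys = [k for k, _ in opts]
    findings = []
    if "uricontent" in keys and "flow" not in keys:
        findings.append("no flow option, so not tied to an established stream")
    for k, v in opts:
        if k == "content" and v.endswith("="):
            findings.append(f"content:{v!r} inspects raw payload, not the normalized URI")
    return dict(opts)["sid"], findings

if __name__ == "__main__":
    for rule in unwrap(ARCHIVED):
        print(*lint(rule))
```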



