[Emerging-Sigs] StillSecure: 10 New Signatures - Jan-19-2009

signatures signatures at stillsecure.com
Mon Jan 19 07:36:45 EST 2009


Hi Matt,

Please find 10 New Signatures below:

1.       WEB-PHP cfagcms right.php title Parameter SQL Injection
# Alerts on an established client-to-server request that starts with "GET " and whose
# normalized URI contains "/right.php", "title=", "UNION" and "SELECT" (each matched
# case-insensitively), with UNION appearing before SELECT (pcre, /U = URI buffer).
# NOTE(review): none of the matches is bound to the value of title=, so UNION ... SELECT
# anywhere in the URI satisfies the rule, and "/right.php" carries no application path;
# expect hits on unrelated applications and scope $HTTP_SERVERS or tune accordingly.
# NOTE(review): content:"GET "; depth:4 limits coverage to GET requests; confirm that is
# the only method through which the application reads this parameter.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP cfagcms right.php title Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/right.php"; nocase; uricontent:"title="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,32851; reference:url,milw0rm.com/exploits/7483; sid:2008222; rev:1;)



2.       WEB-PHP BloofoxCMS dialog.php lang parameter Local File Inclusion
# Alerts on an established client-to-server GET whose normalized URI contains
# "/dialogs/dialog.php?" and "lang=" (case-insensitive) and at least one "../" sequence.
# NOTE(review): the pcre is unanchored, so "{1,}" adds nothing over a single "\.\.\/",
# and the "../" may sit in any parameter, not only lang=. Binding the traversal to the
# parameter value (for example pcre:"/lang=[^&]*\.\.\//Ui") would reduce false
# positives; validate against real traffic before changing.
# NOTE(review): only forward-slash traversal is matched, and only on GET requests.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BloofoxCMS dialog.php lang parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/dialogs/dialog.php?"; nocase; uricontent:"lang="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7580; reference:bugtraq,33013; sid:2008020; rev:1;)



3.       WEB-PHP BloofoxCMS dialog.php theme parameter Local File Inclusion
# Alerts on an established client-to-server GET whose normalized URI contains
# "/dialogs/dialog.php?" and "theme=" (case-insensitive) and at least one "../" sequence.
# Same page and references as sid 2008020; only the parameter name differs.
# NOTE(review): the "../" match is not tied to the theme= value, so a request that also
# trips sid 2008020 will usually raise both alerts for one event; consider binding each
# pcre to its own parameter, or thresholding, to avoid duplicate alerts.
# NOTE(review): only forward-slash traversal is matched, and only on GET requests.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BloofoxCMS dialog.php theme parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/dialogs/dialog.php?"; nocase; uricontent:"theme="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7580; reference:bugtraq,33013; sid:2008021; rev:1;) 



4.       WEB-ATTACKS Chilkat Socket Activex Remote Arbitrary File Overwrite 1
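# Alerts on HTTP server-to-client traffic that contains "CLSID", then (at any later
# offset) the class ID 3B598BD0-AF50-48C6-B6A5-63261A48B054, plus the string
# "SaveLastError" (all case-insensitive).
# flow:to_client,established limits the rule to established sessions, so an isolated or
# spoofed packet carrying these strings cannot raise the alert; this matches the other
# ActiveX signature in this submission (sid 2008031).
# NOTE(review): "SaveLastError" has no distance/within modifier, so it may match anywhere
# in the packet, including ahead of the CLSID. The rule keys on the control and method
# name rather than on a malicious argument, so legitimate pages that call this method
# would also alert.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Chilkat Socket Activex Remote Arbitrary File Overwrite 1"; flow:to_client,established; content:"CLSID"; nocase; content:"3B598BD0-AF50-48C6-B6A5-63261A48B054"; nocase; distance:0; content:"SaveLastError"; nocase; classtype:web-application-attack; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7594; sid:2008025; rev:1;)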



5.       WEB-PHP eDreamers eDNews lg Parameter Local File Include
# Alerts on an established client-to-server GET whose normalized URI contains
# "/eDNews_archive.php?" and "lg=" (case-insensitive) and at least one "../" sequence.
# NOTE(review): the pcre is unanchored, so "{1,}" is redundant and the "../" is not bound
# to the lg= value; "lg=" is also a substring match and will match any parameter name
# ending in "lg". Anchoring the traversal to the parameter would tighten the rule.
# NOTE(review): only forward-slash traversal is matched, and only on GET requests.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP eDreamers eDNews lg Parameter Local File Include"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/eDNews_archive.php?"; nocase; uricontent:"lg="; nocase; pcre:"/(\.\.\/){1,}/U"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7603; reference:bugtraq,33027; sid:2008026; rev:1;)



6.       WEB-ATTACKS SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow
# Alerts on established server-to-client HTTP traffic that contains "CLSID", then (at
# any later offset) the class ID 0297D24A-F425-47EE-9F3B-A459BCE593E3, plus the string
# "Get" (all case-insensitive).
# NOTE(review): content:"Get"; nocase is a three-byte, position-free match that also hits
# inside unrelated words ("target", "widget", ...), so it adds almost no selectivity. In
# practice the rule alerts on any page that references this CLSID. Consider tying the
# method name to a call context and adding distance/within relative to the CLSID.
# NOTE(review): nothing in the rule checks argument length, so it detects use of the
# control, not the overflow condition itself.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; distance:0; content:"Get"; nocase; classtype:web-application-attack; reference:bugtraq,33053; reference:url,milw0rm.com/exploits/7617; sid:2008031; rev:1;)



7.       WEB-PHP Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection
# Alerts on an established client-to-server GET whose normalized URI contains
# "/deptdisplay.asp?", "ID=", "UNION" and "SELECT" (each case-insensitive), with UNION
# appearing before SELECT (pcre, /U = URI buffer).
# NOTE(review): the msg category says WEB-PHP but the matched page is .asp; confirm the
# intended category before publishing so alert triage and rule grouping are not misled.
# NOTE(review): "ID=" is a case-insensitive substring match and also hits parameters
# such as "sessionid="; the UNION/SELECT matches are not bound to the ID value.
# NOTE(review): coverage is limited to GET requests by content:"GET "; depth:4.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/deptdisplay.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7610; reference:bugtraq,33040; sid:2008027; rev:1;) 



8.       WEB-PHP RealtyListings type.asp iType Parameter SQL Injection
# Alerts on an established client-to-server GET whose normalized URI contains
# "/type.asp?", "iType=", "UNION" and "SELECT" (each case-insensitive), with UNION
# appearing before SELECT (pcre, /U = URI buffer).
# NOTE(review): the msg category says WEB-PHP but the matched page is .asp; confirm the
# intended category before publishing.
# NOTE(review): "/type.asp?" is a generic file name with no application path and the
# UNION/SELECT matches are not bound to the iType value, so unrelated applications can
# trigger this rule. Coverage is limited to GET requests.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP RealtyListings type.asp iType Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/type.asp?"; nocase; uricontent:"iType="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; sid:2008559; rev:1;)



9.       WEB-PHP RealtyListings detail.asp iPro Parameter SQL Injection
# Alerts on an established client-to-server GET whose normalized URI contains
# "/detail.asp?", "iPro=", "UNION" and "SELECT" (each case-insensitive), with UNION
# appearing before SELECT (pcre, /U = URI buffer).
# Shares its references with sid 2008559; only the page and parameter differ.
# NOTE(review): the msg category says WEB-PHP but the matched page is .asp; confirm the
# intended category before publishing.
# NOTE(review): "/detail.asp?" is a very common file name and the UNION/SELECT matches
# are not bound to the iPro value, so unrelated applications can trigger this rule.
# Coverage is limited to GET requests.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP RealtyListings detail.asp iPro Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; sid:2008560; rev:1;) 



10.   WEB-PHP PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion
# Alerts on an established client-to-server GET whose normalized URI contains
# "/DB_adodb.class.php?" and "PHPOF_INCLUDE_PATH=" (case-insensitive), where the
# parameter value starts, after optional whitespace, with ftp, ftps, http, https or php
# followed by ":/" (pcre, /U = URI buffer, i = case-insensitive).
# Unlike a bare traversal or UNION/SELECT match, the pcre here is bound to the parameter
# value; the uricontent for the parameter name overlaps with it and acts as a cheap
# pre-filter ahead of the regex.
# NOTE(review): the scheme list is fixed; other PHP stream wrappers are not matched, and
# coverage is limited to GET requests. Only a bugtraq reference is given.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/DB_adodb.class.php?"; nocase; uricontent:"PHPOF_INCLUDE_PATH="; nocase; pcre:"/PHPOF_INCLUDE_PATH=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,25541; sid:2008029; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,

StillSecure