[Emerging-Sigs] StillSecure: 10 New Signatures - Jan-28-2009

signatures signatures at stillsecure.com
Wed Jan 28 03:58:13 EST 2009


Hi Matt,

Please find 10 New Signatures below:

1.       WEB-PHP Pligg check_url.php url parameter SQL Injection
# Alerts on GET requests to /evb/check_url.php whose URI contains "url=" together with UNION and SELECT.
# The pcre (U: decoded URI buffer, i: case-insensitive) also requires UNION to precede SELECT with at least one character between them.
# NOTE(review): the uricontent matches carry no distance/within, so UNION ... SELECT anywhere in the URI fires the rule, not only inside the url parameter.
# NOTE(review): content:"GET "; depth:4 restricts the rule to payloads that begin with "GET "; other request methods are not inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Pligg check_url.php url parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/evb/check_url.php?"; nocase; uricontent:"url="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/7544; reference:bugtraq,32970; sid:2008024; rev:1;)



2.       WEB-PHP Pixel8 Web Photo Album AlbumID SQL Injection
# Alerts on GET requests to /Photo.asp whose URI contains "AlbumID=" together with UNION and SELECT.
# The pcre (U: decoded URI buffer, i: case-insensitive) also requires UNION to precede SELECT.
# NOTE(review): msg is prefixed WEB-PHP but the matched script is /Photo.asp; confirm the intended category before merging.
# NOTE(review): "/Photo.asp?" is a generic path and the uricontent matches are unordered, so any UNION ... SELECT in the URI of a script with this name will alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Pixel8 Web Photo Album AlbumID SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/Photo.asp?"; nocase; uricontent:"AlbumID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33373/; reference:url,milw0rm.com/exploits/7627; sid:2008583; rev:1;)



3.       WEB-PHP PowerNews news.php newsid parameter SQL Injection
# Alerts on GET requests to /news.php whose URI contains "newsid=" together with UNION and SELECT.
# The pcre (U: decoded URI buffer, i: case-insensitive) also requires UNION to precede SELECT.
# NOTE(review): "/news.php?" and "newsid=" are common names, so unrelated applications can match; the rule identifies the request shape, not the PowerNews product itself.
# NOTE(review): content:"GET "; depth:4 restricts the rule to payloads that begin with "GET ".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PowerNews news.php newsid parameter SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/news.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/33363/; reference:url,milw0rm.com/exploits/7641; sid:2008584; rev:1;)



4.       WEB-PHP WSN Guest search.php search parameter SQL Injection
# Alerts on GET requests to /search.php whose URI contains "searchfields[0]=ownerid", "search=", UNION and SELECT.
# The pcre (U: decoded URI buffer, i: case-insensitive) also requires UNION to precede SELECT.
# NOTE(review): the literal "searchfields[0]=ownerid" is matched as written; whether the decoded URI buffer always presents the brackets in this form should be confirmed against live traffic.
# NOTE(review): content:"GET "; depth:4 restricts the rule to payloads that begin with "GET ".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WSN Guest search.php search parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/search.php?"; nocase; uricontent:"searchfields[0]=ownerid"; nocase; uricontent:"search="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:bugtraq,33097; reference:url,milw0rm.com/exploits/7659; sid:2008038; rev:1;) 



5.       WEB-PHP Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion
# Alerts on GET requests to /tmsp/add_tmsp.php whose URI contains "mosConfig_absolute_path=".
# The pcre (U: decoded URI buffer, i: case-insensitive) requires the parameter value to start, after optional whitespace, with an ftp, ftps, http, https or php scheme followed by ":/".
# NOTE(review): content:"GET "; depth:4 restricts the rule to payloads that begin with "GET "; other request methods are not inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/add_tmsp.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; sid:2008265; rev:1;)



6.       WEB-PHP Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion
# Alerts on GET requests to /tmsp/edit_tmsp.php whose URI contains "mosConfig_absolute_path=".
# The pcre (U: decoded URI buffer, i: case-insensitive) requires the parameter value to start, after optional whitespace, with an ftp, ftps, http, https or php scheme followed by ":/".
# NOTE(review): content:"GET "; depth:4 restricts the rule to payloads that begin with "GET "; other request methods are not inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/edit_tmsp.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; sid:2008266; rev:1;)



7.       WEB-PHP Recly Feederator subscription.php GLOBALS[mosConfig_absolute_path] parameter remote file inclusion
# Alerts on GET requests to /tmsp/subscription.php whose URI contains "GLOBALS[mosConfig_absolute_path]=".
# The pcre (U: decoded URI buffer, i: case-insensitive) requires that parameter's value to start, after optional whitespace, with an ftp, ftps, http, https or php scheme followed by ":/".
# NOTE(review): the bracketed parameter name is matched literally; confirm against live traffic that the decoded URI buffer presents the brackets in this form.
# NOTE(review): content:"GET "; depth:4 restricts the rule to payloads that begin with "GET ".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Recly Feederator subscription.php GLOBALS[mosConfig_absolute_path] parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/subscription.php?"; nocase; uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; sid:2008267; rev:1;)



8.       WEB-PHP Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion
# Alerts on GET requests to /tmsp/tmsp.php whose URI contains "mosConfig_absolute_path=".
# The pcre (U: decoded URI buffer, i: case-insensitive) requires the parameter value to start, after optional whitespace, with an ftp, ftps, http, https or php scheme followed by ":/".
# NOTE(review): content:"GET "; depth:4 restricts the rule to payloads that begin with "GET "; other request methods are not inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tmsp/tmsp.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; sid:2008268; rev:1;)



9.       WEB-ATTACKS Easy Grid ActiveX Multiple Arbitrary File Overwrite
# Alerts on server-to-client traffic from $HTTP_PORTS that contains "clsid", then the CLSID DD44C0EA-B2CF-31D1-8DD3-444553540000 somewhere after it (distance:0), plus the string "DoSaveFile".
# "DoSaveFile" has no relative modifier, so it may appear anywhere in the inspected payload, before or after the CLSID.
# NOTE(review): the rule keys on the literal strings appearing together in a response; a page that merely lists the control and the method name would also alert, so expect some tuning.
# NOTE(review): msg says "Multiple" but only the DoSaveFile method is matched here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; distance:0; content:"DoSaveFile"; nocase; classtype:web-application-attack; reference:bugtraq,33272; sid:2008598; rev:1;)



10.   WEB-ATTACKS Ciansoft PDFBuilderX Control ActiveX Arbitrary File Overwrite
# Alerts on server-to-client traffic from $HTTP_PORTS that contains "clsid", then the CLSID 00E7C7F8-71E2-498A-AB28-A3D72FC74485 somewhere after it (distance:0), plus the string "SaveToFile".
# "SaveToFile" has no relative modifier, so it may appear anywhere in the inspected payload, before or after the CLSID.
# NOTE(review): sid:1000044 differs from the 2008xxx SIDs used by the other nine signatures in this mail and sits in the range commonly used for site-local rules; it looks like a leftover local SID, so confirm the intended value before merging.
# NOTE(review): "SaveToFile" is a generic method name; the CLSID match is what ties the alert to this control.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Ciansoft PDFBuilderX Control ActiveX Arbitrary File Overwrite";  flow:to_client,established; content:"clsid"; nocase; content:"00E7C7F8-71E2-498A-AB28-A3D72FC74485"; nocase; distance:0; content:"SaveToFile"; nocase; classtype:web-application-attack; reference:bugtraq,33233; reference:url,milw0rm.com/exploits/7794; sid:1000044; rev:1;)

Looking forward to your comments, if any.

 
Thanks & Regards,
StillSecure