[Emerging-Sigs] StillSecure: 10 New Signatures - Jan-28-2009

Matt Jonkman jonkman at jonkmans.com
Wed Jan 28 17:42:11 EST 2009


Posted! Thanks!!

Matt

signatures wrote:
> Hi Matt,
> 
> Please find 10 New Signatures below:
> 
> 1.       *WEB-PHP Pligg check_url.php url parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Pligg check_url.php url parameter SQL Injection";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/evb/check_url.php?"; nocase; uricontent:"url="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,milw0rm.com/exploits/7544; reference:bugtraq,32970;
> sid:2008024; rev:1;)
> 
> 2.       *WEB-PHP Pixel8 Web Photo Album AlbumID SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Pixel8 Web Photo Album AlbumID SQL Injection";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/Photo.asp?"; nocase; uricontent:"AlbumID="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/33373/;
> reference:url,milw0rm.com/exploits/7627; sid:2008583; rev:1;)
> 
> 3.       *WEB-PHP PowerNews news.php newsid parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> PowerNews news.php newsid parameter SQL Injection";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/news.php?"; nocase; uricontent:"newsid="; nocase;
> uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase;
> pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack;
> reference:url,secunia.com/advisories/33363/;
> reference:url,milw0rm.com/exploits/7641; sid:2008584; rev:1;)
> 
> 4.       *WEB-PHP WSN Guest search.php search parameter SQL Injection*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> WSN Guest search.php search parameter SQL Injection";
> flow:to_server,established; content:"GET "; depth:4;
> uricontent:"/search.php?"; nocase; uricontent:"searchfields[0]=ownerid";
> nocase; uricontent:"search="; nocase; uricontent:"UNION"; nocase;
> uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui";
> classtype:web-application-attack; reference:bugtraq,33097;
> reference:url,milw0rm.com/exploits/7659; sid:2008038; rev:1;)
> 
> 5.       *WEB-PHP Recly Feederator add_tmsp.php mosConfig_absolute_path
> parameter remote file inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote
> file inclusion"; flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/tmsp/add_tmsp.php?"; nocase;
> uricontent:"mosConfig_absolute_path="; nocase;
> pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,32194;
> reference:url,milw0rm.com/exploits/7040; sid:2008265; rev:1;)
> 
> 6.       *WEB-PHP Recly Feederator edit_tmsp.php mosConfig_absolute_path
> parameter remote file inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote
> file inclusion"; flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/tmsp/edit_tmsp.php?"; nocase;
> uricontent:"mosConfig_absolute_path="; nocase;
> pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,32194;
> reference:url,milw0rm.com/exploits/7040; sid:2008266; rev:1;)
> 
> 7.       *WEB-PHP Recly Feederator subscription.php
> GLOBALS[mosConfig_absolute_path] parameter remote file inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Recly Feederator subscription.php GLOBALS[mosConfig_absolute_path]
> parameter remote file inclusion"; flow:established,to_server;
> content:"GET "; depth:4; uricontent:"/tmsp/subscription.php?"; nocase;
> uricontent:"GLOBALS[mosConfig_absolute_path]="; nocase;
> pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,32194;
> reference:url,milw0rm.com/exploits/7040; sid:2008267; rev:1;)
> 
> 8.       *WEB-PHP Recly Feederator tmsp.php mosConfig_absolute_path
> parameter remote file inclusion*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file
> inclusion"; flow:established,to_server; content:"GET "; depth:4;
> uricontent:"/tmsp/tmsp.php?"; nocase;
> uricontent:"mosConfig_absolute_path="; nocase;
> pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui";
> classtype:web-application-attack; reference:bugtraq,32194;
> reference:url,milw0rm.com/exploits/7040; sid:2008268; rev:1;)
> 
> 9.       *WEB-ATTACKS Easy Grid ActiveX Multiple Arbitrary File Overwrite*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS
> Easy Grid ActiveX Multiple Arbitrary File Overwrite";
> flow:to_client,established; content:"clsid"; nocase;
> content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; distance:0;
> content:"DoSaveFile"; nocase; classtype:web-application-attack;
> reference:bugtraq,33272; sid:2008598; rev:1;)
> 
> 10.   *WEB-ATTACKS Ciansoft PDFBuilderX Control ActiveX Arbitrary File
> Overwrite*
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS
> Ciansoft PDFBuilderX Control ActiveX Arbitrary File Overwrite";
> flow:to_client,established; content:"clsid"; nocase;
> content:"00E7C7F8-71E2-498A-AB28-A3D72FC74485"; nocase; distance:0;
> content:"SaveToFile"; nocase; classtype:web-application-attack;
> reference:bugtraq,33233; reference:url,milw0rm.com/exploits/7794;
> sid:1000044; rev:1;)
> 
> Looking forward to your comments, if any…
> 
>  
> Thanks & Regards,
> StillSecure

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
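
An added example, not part of the original post or of the Emerging Threats ruleset: a small Python harness that emulates the URI conditions of two of the rules quoted above (sid 2008024 and sid 2008265) so they can be regression-tested against sample requests. The names `SIGS`, `matching_sids` and `SAMPLES` are hypothetical, the request lines are constructed, and `unquote()` is assumed to approximate Snort's URI normalization.

```python
import re
from urllib.parse import unquote

# Two of the posted rules, reduced to their URI checks. Snort's uricontent
# and the pcre /U modifier inspect the normalized URI; unquote() is used
# here as an approximation of that normalization (assumption).
SIGS = {
    2008024: (  # Pligg check_url.php url parameter SQL Injection
        ["/evb/check_url.php?", "url=", "UNION", "SELECT"],
        re.compile(r"UNION.+SELECT", re.I),
    ),
    2008265: (  # Recly Feederator add_tmsp.php remote file inclusion
        ["/tmsp/add_tmsp.php?", "mosConfig_absolute_path="],
        re.compile(r"mosConfig_absolute_path=\s*(ftps?|https?|php)\:\/", re.I),
    ),
}


def matching_sids(request_line):
    """Return the sids whose URI conditions all hold for one request line."""
    parts = request_line.split(" ")
    # content:"GET "; depth:4;  -> the payload must start with "GET "
    if not request_line.startswith("GET ") or len(parts) < 2:
        return []
    uri = unquote(parts[1])
    lowered = uri.lower()
    hits = []
    for sid, (needles, pcre) in SIGS.items():
        # Every uricontent ... nocase must appear somewhere in the URI
        # (no distance/within is set, so order is not enforced).
        if all(n.lower() in lowered for n in needles) and pcre.search(uri):
            hits.append(sid)
    return hits


# Constructed request lines (not captured traffic).
SAMPLES = [
    "GET /evb/check_url.php?url=http://example.com/story HTTP/1.1",
    "GET /evb/check_url.php?url=1%20UNION%20SELECT%20NULL HTTP/1.1",
    "GET /evb/check_url.php?url=http://example.com/union-vs-select HTTP/1.1",
    "GET /tmsp/add_tmsp.php?mosConfig_absolute_path=http://203.0.113.5/x.txt HTTP/1.1",
    "GET /tmsp/add_tmsp.php?mosConfig_absolute_path=/var/www/site HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(matching_sids(line), line)
```

The third sample is a benign submitted URL that still satisfies `UNION.+SELECT`, a false-positive case worth keeping in the test set when tuning these rules.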