[Emerging-Sigs] Proposed Signature; Source disclosure as a result of sloppy administration.
evilghost at packetmail.net
Wed Sep 23 14:36:23 EDT 2009
It appears the flowbit check is firing every time; is there something wrong
with the syntax? Sid 2009954
Matt Jonkman wrote:
> I agree, and they're posted with minor changes.
> Bojan Zdrnja (SANS ISC) wrote:
>> On Wed, Sep 23, 2009 at 5:15 PM, evilghost at packetmail.net
>> <evilghost at packetmail.net> wrote:
>>> There's an issue with SMF 1.1.10 and 2.0 RC1.2 disclosing the source of
>>> the PHP code when the ~ character is presented after the PHP code
>>> reported on FD. This is (likely) due to the use of vi/gedit/etc or
>>> other editors preserving backups. I propose these lowbrow signatures to
>>> catch sloppy admin behavior. Since uricontent is used it's highly
>> That's usually joe (the editor). And these are good sigs - I can't
>> even tell you how many times I've stumbled on these files when doing
>> pen testing. And usually they reveal the most sensitive stuff since
>> the administrators modify only configuration files. A good web scanner
>> will test for these as well.
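A log-side counterpart to the signatures discussed in this thread, added here as an example; it is not taken from the thread or from the Emerging Threats ruleset. It flags web access-log entries where a backup copy of a PHP script was actually served (status 200 with a body). The function name, the extension and suffix lists beyond `~`, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Server-side script extensions whose backup copies would be served as plain text.
# This list is an assumption; adjust it to the handlers configured on the server.
SCRIPT_EXT = ("php", "php5", "phtml", "inc")

# "~" is the suffix discussed in the thread; the other suffixes are assumptions
# added to cover backups left by other editors and tools.
BACKUP_RE = re.compile(
    r"\.(?:%s)(?:~|\.bak|\.old|\.orig|\.save|\.swp)$" % "|".join(SCRIPT_EXT), re.I)

# Apache/nginx common or combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def find_backup_disclosures(lines):
    """Return (ip, path, status, size) for requests that were served a script backup."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        # Drop the query string, then decode so "%7E" is treated the same as "~".
        path = unquote(urlsplit(m["target"]).path)
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 with a non-empty body means the file exists and was returned;
        # 404s are probes that found nothing and are not reported here.
        if BACKUP_RE.search(path) and m["status"] == "200" and size > 0:
            hits.append((m["ip"], path, int(m["status"]), size))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Sep/2009:14:01:02 -0400] "GET /forum/index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [23/Sep/2009:14:01:05 -0400] "GET /forum/profile.php~ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [23/Sep/2009:14:02:11 -0400] "GET /forum/index.php%7E?action=help HTTP/1.1" 200 9001',
    '198.51.100.7 - - [23/Sep/2009:14:02:15 -0400] "GET /forum/search.php~ HTTP/1.1" 404 312',
    '192.0.2.10 - - [23/Sep/2009:14:03:00 -0400] "GET /forum/Themes/style.css~ HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in find_backup_disclosures(SAMPLE_LOG):
        print(hit)
```

Each reported path names a backup file that should be removed from the document root.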