[Emerging-Sigs] Proposed Signature; Source disclosure as a result of sloppy administration.

evilghost@packetmail.net evilghost at packetmail.net
Wed Sep 23 14:36:23 EDT 2009


Appears the flowbit check is firing every time; is there something wrong 
with the syntax?  SID 2009954

Matt Jonkman wrote:
> I agree, and they're posted with minor changes.
>
> Matt
>
> Bojan Zdrnja (SANS ISC) wrote:
>
>> On Wed, Sep 23, 2009 at 5:15 PM, evilghost at packetmail.net
>> <evilghost at packetmail.net> wrote:
>>
>>> There's an issue with SMF 1.1.10 and 2.0 RC1.2 disclosing the source of
>>> the PHP code when the ~ character is presented after the PHP code
>>> reported on FD.  This is (likely) due to the use of vi/gedit/etc or
>>> other editors preserving backups.  I propose these lowbrow signatures to
>>> catch sloppy admin behavior.  Since uricontent is used it's highly
>>>
>> That's usually joe (the editor). And these are good sigs - I can't
>> even tell you how many times I've stumbled on these files when doing
>> pen testing. And usually they reveal the most sensitive stuff since
>> the administrators modify only configuration files. A good web scanner
>> will test for these as well.
>>
>> Cheers,
>>
>> Bojan
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
>
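As an added example, not part of this thread and not code from the Emerging Threats ruleset: a small Python checker that applies the same idea as the proposed signatures (a PHP path followed by an editor backup suffix) to web server access logs, so a defender can see whether such files were requested and, from the status code, whether the server actually served them. The log format, sample lines, addresses and file names are constructed; the suffixes beyond the trailing `~` the thread discusses are an assumption that generalizes the check.

```python
import re
from urllib.parse import unquote, urlparse

# Suffixes that editors leave beside the live script. The thread only
# discusses the trailing "~" (vi, gedit, joe); .bak, .orig, .swp and .save
# are an assumption added here to generalize the check.
BACKUP_SUFFIX_RE = re.compile(r"\.php(?:~|\.bak|\.orig|\.swp|\.save)$", re.IGNORECASE)

# Combined-style access log line (format assumed for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_backup_request(uri: str) -> bool:
    """True if the request path names a PHP file with a backup suffix.

    The path is percent-decoded first so that /config.php%7E is treated the
    same as /config.php~ (uricontent likewise matches against the normalized
    URI). The query string is ignored because a "~" inside a parameter value
    is not a file on disk.
    """
    path = unquote(urlparse(uri).path)
    return BACKUP_SUFFIX_RE.search(path) is not None


def find_backup_requests(lines):
    """Return one record per request for a backup file.

    'served' is True when the server answered 200, i.e. the source was most
    likely disclosed rather than merely probed for.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines in an unexpected format
        rec = m.groupdict()
        if is_backup_request(rec["uri"]):
            hits.append({
                "src": rec["src"],
                "uri": rec["uri"],
                "status": int(rec["status"]),
                "served": rec["status"] == "200",
            })
    return hits


def served_backups(lines):
    """Only the requests where a backup file was actually returned (HTTP 200)."""
    return [h for h in find_backup_requests(lines) if h["served"]]


# Constructed sample log: documentation-range addresses, illustrative file
# names, not taken from any real installation.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Sep/2009:14:36:23 -0400] "GET /forum/index.php HTTP/1.1" 200 12011',
    '203.0.113.5 - - [23/Sep/2009:14:36:24 -0400] "GET /forum/config.php~ HTTP/1.1" 200 4312',
    '198.51.100.7 - - [23/Sep/2009:14:37:02 -0400] "GET /forum/config.php%7E HTTP/1.1" 404 213',
    '198.51.100.7 - - [23/Sep/2009:14:37:03 -0400] "GET /forum/Sources/Load.php.bak?x=1 HTTP/1.1" 403 199',
    '192.0.2.9 - - [23/Sep/2009:14:38:10 -0400] "GET /~alice/index.php?note=a~ HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for h in find_backup_requests(SAMPLE_LOG):
        flag = "DISCLOSED" if h["served"] else "probe"
        print(f'{flag:9} {h["src"]:14} {h["status"]} {h["uri"]}')
```

Run against the sample, the fifth line (a `~` in a user directory and in a query parameter) is correctly ignored, the `%7E`-encoded probe is still caught, and only the request answered with 200 is reported as an actual disclosure; a 403 or 404 shows the probe happened but the backup was not served.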

