[Emerging-Sigs] StillSecure: 10 New Signatures - Oct 1st, 2010

signatures signatures at stillsecure.com
Fri Oct 1 06:11:52 EDT 2010


Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP Joomla TimeTrack Component ct_id Parameter SELECT FROM SQL Injection Attempt
# Detects a GET request to the Joomla com_timetrack component (view=timetrack) whose
# normalized URI carries ct_id= together with SELECT ... FROM (Secunia advisory 41583).
# - flow: established sessions, client-to-server direction only.
# - content:"GET "; depth:4 pins the request method; other methods are not inspected.
# - The uricontent matches are independent and case-insensitive; only the pcre
#   enforces that SELECT precedes FROM (/U = normalized URI, /i = case-insensitive).
# NOTE(review): the pcre is not tied to ct_id=, so SELECT...FROM anywhere else in the
# same URI also fires; anchoring the pattern after "ct_id=" would narrow the match.
# NOTE(review): sid 20101027 is eight digits, unlike the 2012xxx sids used by other
# rules in this post - confirm the intended sid allocation before deployment.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla TimeTrack Component ct_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_timetrack"; nocase; uricontent:"view=timetrack"; nocase; uricontent:"ct_id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/41583; sid:20101027; rev:1;)

2. WEB-PHP Joomla TimeTrack Component ct_id Parameter DELETE FROM SQL Injection Attempt
# Detects a GET request to the Joomla com_timetrack component (view=timetrack) whose
# normalized URI carries ct_id= together with DELETE ... FROM (Secunia advisory 41583).
# - flow: established sessions, client-to-server direction only.
# - content:"GET "; depth:4 pins the request method; other methods are not inspected.
# - The uricontent matches are independent and case-insensitive; only the pcre
#   enforces that DELETE precedes FROM (/U = normalized URI, /i = case-insensitive).
# NOTE(review): the pcre is not tied to ct_id=, so DELETE...FROM anywhere else in the
# same URI also fires; anchoring the pattern after "ct_id=" would narrow the match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla TimeTrack Component ct_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_timetrack"; nocase; uricontent:"view=timetrack"; nocase; uricontent:"ct_id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/41583; sid:20101028; rev:1;)

3. WEB-PHP Joomla TimeTrack Component ct_id Parameter UNION SELECT SQL Injection Attempt
# Detects a GET request to the Joomla com_timetrack component (view=timetrack) whose
# normalized URI carries ct_id= together with UNION ... SELECT (Secunia advisory 41583).
# - flow: established sessions, client-to-server direction only.
# - content:"GET "; depth:4 pins the request method; other methods are not inspected.
# - The uricontent matches are independent and case-insensitive; only the pcre
#   enforces that UNION precedes SELECT (/U = normalized URI, /i = case-insensitive).
# NOTE(review): the pcre is not tied to ct_id=, so UNION...SELECT anywhere else in the
# same URI also fires; anchoring the pattern after "ct_id=" would narrow the match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla TimeTrack Component ct_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_timetrack"; nocase; uricontent:"view=timetrack"; nocase; uricontent:"ct_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/41583; sid:20101029; rev:1;)

4. WEB-PHP Joomla TimeTrack Component ct_id Parameter INSERT INTO SQL Injection Attempt
# Detects a GET request to the Joomla com_timetrack component (view=timetrack) whose
# normalized URI carries ct_id= together with INSERT ... INTO (Secunia advisory 41583).
# - flow: established sessions, client-to-server direction only.
# - content:"GET "; depth:4 pins the request method; other methods are not inspected.
# - The uricontent matches are independent and case-insensitive; only the pcre
#   enforces that INSERT precedes INTO (/U = normalized URI, /i = case-insensitive).
# NOTE(review): the pcre is not tied to ct_id=, so INSERT...INTO anywhere else in the
# same URI also fires; anchoring the pattern after "ct_id=" would narrow the match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla TimeTrack Component ct_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_timetrack"; nocase; uricontent:"view=timetrack"; nocase; uricontent:"ct_id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/41583; sid:20101030; rev:1;)

5. WEB-PHP Joomla TimeTrack Component ct_id Parameter UPDATE SET SQL Injection Attempt
# Detects a GET request to the Joomla com_timetrack component (view=timetrack) whose
# normalized URI carries ct_id= together with UPDATE ... SET (Secunia advisory 41583).
# - flow: established sessions, client-to-server direction only.
# - content:"GET "; depth:4 pins the request method; other methods are not inspected.
# - The uricontent matches are independent and case-insensitive; only the pcre
#   enforces that UPDATE precedes SET (/U = normalized URI, /i = case-insensitive).
# NOTE(review): "SET" is a short token and the pcre is not tied to ct_id=, so any URI
# containing UPDATE followed later by the letters "set" fires; anchoring the pattern
# after "ct_id=" would reduce false positives.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla TimeTrack Component ct_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_timetrack"; nocase; uricontent:"view=timetrack"; nocase; uricontent:"ct_id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/41583; sid:20101031; rev:1;)

6. WEB-PHP TBDev admincp.php rootpath Parameter Remote File Inclusion Attempt
# Detects a GET request to TBDev /admincp.php whose rootpath parameter begins with a
# remote URL scheme, i.e. a remote file inclusion attempt (Bugtraq ID 43004).
# - flow: established sessions, client-to-server direction only.
# - content:"GET "; depth:4 pins the request method; other methods are not inspected.
# - The pcre requires "rootpath=", optional whitespace, then ftp/ftps/http/https/php
#   followed by ":/" in the normalized URI (/U), case-insensitively (/i).
# NOTE(review): only the schemes listed in the pcre are matched; a value using any
# other scheme is not covered by this rule.
# NOTE(review): sid 20101022 is eight digits, unlike the 2012xxx sids used by other
# rules in this post - confirm the intended sid allocation before deployment.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TBDev admincp.php rootpath Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admincp.php?"; nocase; uricontent:"rootpath="; nocase; pcre:"/rootpath=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,43004; sid:20101022; rev:1;)

7. WEB-PHP Open Educational System mod_admuser.php Remote File Inclusion Attempt
# Detects a GET request to Open Educational System
# /admin/modules/user_account/admin_user/mod_admuser.php whose CONF_INCLUDE_PATH
# parameter begins with a remote URL scheme, i.e. a remote file inclusion attempt
# (Bugtraq ID 38449).
# - flow: established sessions, client-to-server direction only.
# - content:"GET "; depth:4 pins the request method; other methods are not inspected.
# - The pcre requires "CONF_INCLUDE_PATH=", optional whitespace, then
#   ftp/ftps/http/https/php followed by ":/" in the normalized URI (/U), with /i.
# NOTE(review): only the schemes listed in the pcre are matched; a value using any
# other scheme is not covered by this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Open Educational System mod_admuser.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admin/modules/user_account/admin_user/mod_admuser.php?"; nocase; uricontent:"CONF_INCLUDE_PATH="; nocase; pcre:"/CONF_INCLUDE_PATH=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1002-exploits/oes-rfi.txt; reference:bugtraq,38449; sid:2012795; rev:1;)

8. WEB-PHP Open Educational System mod_group.php Remote File Inclusion Attempt
# Detects a GET request to Open Educational System
# /admin/modules/user_account/ogroup/mod_group.php whose CONF_INCLUDE_PATH parameter
# begins with a remote URL scheme, i.e. a remote file inclusion attempt
# (Bugtraq ID 38449).
# - flow: established sessions, client-to-server direction only.
# - content:"GET "; depth:4 pins the request method; other methods are not inspected.
# - The pcre requires "CONF_INCLUDE_PATH=", optional whitespace, then
#   ftp/ftps/http/https/php followed by ":/" in the normalized URI (/U), with /i.
# NOTE(review): only the schemes listed in the pcre are matched; a value using any
# other scheme is not covered by this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Open Educational System mod_group.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/admin/modules/user_account/ogroup/mod_group.php?"; nocase; uricontent:"CONF_INCLUDE_PATH="; nocase; pcre:"/CONF_INCLUDE_PATH=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1002-exploits/oes-rfi.txt; reference:bugtraq,38449; sid:2012796; rev:1;)

9. WEB-PHP EncapsCMS common_foot.php Remote File Inclusion Attempt
# Detects a GET request to EncapsCMS /common_foot.php whose config[path] parameter
# begins with a remote URL scheme, i.e. a remote file inclusion attempt
# (Bugtraq ID 22319).
# - flow: established sessions, client-to-server direction only.
# - content:"GET "; depth:4 pins the request method; other methods are not inspected.
# - The pcre escapes the brackets and requires "config[path]=", optional whitespace,
#   then ftp/ftps/http/https/php followed by ":/" in the normalized URI (/U), with /i.
# NOTE(review): both the uricontent and the pcre expect literal "[" and "]" in the
# normalized URI - presumably the preprocessor decodes %5B/%5D first; verify.
# NOTE(review): only the schemes listed in the pcre are matched; a value using any
# other scheme is not covered by this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP EncapsCMS common_foot.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/common_foot.php?"; nocase; uricontent:"config[path]="; nocase; pcre:"/config\[path\]=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/11355; reference:bugtraq,22319; sid:2012704; rev:1;)

10. WEB-MISC agXchange ESM ucquerydetails.jsp QueryID Parameter Cross Site Scripting Attempt
# Detects a request to agXchange ESM /pages/ucquerydetails.jsp carrying a QueryID
# parameter and a script/event-handler token in the normalized URI, i.e. a reflected
# cross-site scripting attempt (Bugtraq ID 38896, Secunia advisory 39058).
# - flow: established sessions, client-to-server direction only.
# - Unlike the other rules in this post there is no content:"GET " check, so the
#   request method is not constrained.
# - The pcre matches "script", on* event-handler names or "style=" (\x3D is "=")
#   anywhere in the normalized URI (/U), case-insensitively (/i).
# NOTE(review): the pcre is unanchored, so it also matches these tokens outside the
# QueryID value and inside longer benign words (e.g. "description" contains
# "script"); anchoring the pattern after "QueryID=" would reduce false positives.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC agXchange ESM ucquerydetails.jsp QueryID Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/pages/ucquerydetails.jsp?"; nocase; uricontent:"QueryID="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; reference:bugtraq,38896; reference:url,secunia.com/advisories/39058; sid:2012910; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure
