[Emerging-Sigs] StillSecure: 10 New Signatures - Oct 15th, 2010

signatures signatures at stillsecure.com
Fri Oct 15 06:28:08 EDT 2010


Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt
# Purpose: flag a GET request to the PHP-Fusion mg_user_fotoalbum panel script whose URI
# carries album_user_id=, album_id= and the SQL keywords SELECT ... FROM (all case-insensitive).
# content:"GET "; depth:4 pins the first four payload bytes, so other HTTP methods are not inspected.
# The uricontent options are independent of one another: nothing ties SELECT/FROM to the
# album_id value. Only the pcre (run on the normalized URI via /U) requires SELECT to come
# before FROM, and it accepts them anywhere in the URI.
# NOTE(review): SELECT and FROM are unanchored substrings; check for benign matches on local traffic before alerting on this in production.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; sid:20101062; rev:1;)

2. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt
# Purpose: flag a GET request to the PHP-Fusion mg_user_fotoalbum panel script whose URI
# carries album_user_id=, album_id= and the SQL keywords DELETE ... FROM (all case-insensitive).
# flow:established,to_server restricts matching to client-to-server data on an established session.
# The keyword checks are not bound to the album_id value; the pcre only enforces that DELETE
# precedes FROM somewhere in the normalized URI, with at least one character between them.
# Requests sent with a method other than GET do not satisfy content:"GET "; depth:4.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; sid:20101063; rev:1;)

3. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt
# Purpose: flag a GET request to the PHP-Fusion mg_user_fotoalbum panel script whose URI
# carries album_user_id=, album_id= and the SQL keywords UNION ... SELECT (all case-insensitive).
# The two keyword uricontent checks act as cheap pre-filters; the pcre (/U = normalized URI,
# /i = case-insensitive) then requires UNION to appear before SELECT.
# The match is URI-wide rather than scoped to the album_id value, and only GET requests are covered.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; sid:20101064; rev:1;)

4. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt
# Purpose: flag a GET request to the PHP-Fusion mg_user_fotoalbum panel script whose URI
# carries album_user_id=, album_id= and the SQL keywords UPDATE ... SET (all case-insensitive).
# The pcre requires UPDATE before SET in the normalized URI but uses no word boundaries,
# so SET also matches inside longer tokens (for example "reset" or "offset").
# NOTE(review): of the five rules for this script, this is the one most likely to need
# false-positive tuning because of the three-letter keyword; verify against local traffic.
# Only GET requests are inspected (content:"GET "; depth:4).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; sid:20101065; rev:1;)

5. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt
# Purpose: flag a GET request to the PHP-Fusion mg_user_fotoalbum panel script whose URI
# carries album_user_id=, album_id= and the SQL keywords INSERT ... INTO (all case-insensitive).
# As written, the rule needs both parameter names present in the URI; a request that omits
# album_user_id= does not match even if album_id= carries the keywords.
# The pcre enforces keyword order on the normalized URI (/U) but not which parameter holds them.
# Only GET requests are inspected (content:"GET "; depth:4).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; sid:20101066; rev:1;)

6. WEB-PHP BaconMap updatelist.php filepath Local File Inclusion Attempt
# Purpose: flag a GET request to /baconmap/admin/updatelist.php that carries a filepath=
# parameter together with a "../" directory-traversal sequence.
# The path and parameter name are matched on the normalized URI (uricontent, case-insensitive).
# The traversal check is a plain content match on the raw payload, limited to its first
# 200 bytes (depth:200) and not positioned relative to filepath=.
# Consequences of that last option: a "../" located past byte 200 is not seen, and a "../"
# anywhere in the first 200 bytes satisfies the rule even if it is not in the filepath value.
# NOTE(review): only the literal three-byte sequence is matched; confirm whether encoded
# forms need separate coverage in your deployment.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BaconMap updatelist.php filepath Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/baconmap/admin/updatelist.php?"; nocase; uricontent:"filepath="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/baconmap10-lfi.txt; sid:20101069; rev:1;)

7. WEB-PHP Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt
# Purpose: flag a GET request to the Joomla com_rwcards script rwcards.advancedate.php in
# which mosConfig_absolute_path= is set to a remote-looking location.
# The pcre runs on the normalized URI (/U), case-insensitively, and requires the parameter
# value to begin (after optional whitespace) with ftp, ftps, http, https or php followed by ":/".
# Values that do not start with one of those five schemes are not matched by this rule.
# Only GET requests are inspected (content:"GET "; depth:4).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/com_rwcards/rwcards.advancedate.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/joomlarwcards-rfi.txt; sid:20101061; rev:1;)

8. WEB-PHP Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt
# Purpose: flag a request to /html/11-login.asp whose intPassedLocationID= parameter is
# followed by script-related markup: the word "script", a listed on* event-handler name, or "style=".
# Unlike the other rules in this post, there is no content:"GET "; depth:4 check, so the
# rule applies to any request method whose URI matches.
# The pcre runs on the normalized URI (/U), case-insensitively; ".+" lets the keyword appear
# anywhere after intPassedLocationID=, including inside a later parameter.
# NOTE(review): the msg prefix is WEB-PHP but the matched page is .asp; confirm the intended category.
# NOTE(review): bare "script" is a broad token; check for benign matches before deploying.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/html/11-login.asp?"; nocase; uricontent:"intPassedLocationID="; nocase; pcre:"/intPassedLocationID\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; reference:bugtraq,43865; sid:20101058; rev:1;)

9. WEB-PHP OrangeHRM uri Parameter Local File Inclusion Attempt
# Purpose: flag a GET request to /index.php carrying uniqcode=KPI, menu_no_top=performance
# and uri= together with a "../" directory-traversal sequence (OrangeHRM, per the msg).
# "/index.php?" alone is very common, so the rule relies on the two fixed parameter values
# to narrow matches to the intended application.
# The "../" test is a raw-payload content match within the first 200 bytes (depth:200);
# it is not tied to the uri= value and will miss a traversal that starts later in the request.
# NOTE(review): with four URI fragments required before uri=, the 200-byte window may be
# tight for long query strings; confirm against a representative request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP OrangeHRM uri Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"uniqcode=KPI"; nocase; uricontent:"menu_no_top=performance"; nocase; uricontent:"uri="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,exploit-db.com/exploits/15232; sid:20101056; rev:1;)

10. WEB-PHP joomla com_jomestate Parameter Remote File Inclusion Attempt
# Purpose: flag a GET request to /real_estate/index.php with option=com_jomestate in which
# the task= parameter begins (after optional whitespace) with ftp, ftps, http, https or php
# followed by ":/", as checked by the pcre on the normalized URI.
# The rule is bound to the literal /real_estate/ directory; the same component served from
# a different path would not match.
# The msg does not name the affected parameter; from the pcre it is task.
# NOTE(review): sid:11501 is outside the 201010xx range used by the other nine rules in
# this post; confirm the intended SID before importing to avoid a collision.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP joomla com_jomestate Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/real_estate/index.php?"; nocase; uricontent:"option=com_jomestate"; nocase; uricontent:"task="; nocase; pcre:"/task=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,inj3ct0r.com/exploits/12835; sid:11501; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure
