[Emerging-Sigs] Fwd: Signature for Pre Projects E-Smart Cart 'embadmin/login.asp' SQL Injection Vulnerabilities

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 18 16:09:59 EDT 2010


Posting now, thanks dave!

Matt

On Oct 16, 2010, at 11:17 PM, dave richards wrote:

> Hi,
>  
> Please find the modified signature,
> Note: Space given for content:"POST "
> 
> Pre Projects E-Smart Cart 'embadmin/login.asp' SQL Injection Vulnerabilities
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Pre Projects E-Smart Cart login.asp Arbitrary SQL Command Injection
> Attempt"; flow:established,to_server; content:"POST "; depth:5;
> uricontent:"/embadmin/login.asp"; nocase; content:"%27"; distance:0;
> classtype:web-application-attack;
> reference:url,juniper-federal.org/security/auto/vulnerabilities/vuln37418.html;
> reference:url,exploit-db.com/exploits/14376; sid:20101024; rev:1;)
> --
> On Sun, Oct 17, 2010 at 7:12 AM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 10/15/2010 08:30, dave richards wrote:
> Hi Matt,
> 
> Please find the signature for the following,
> 
> Pre Projects E-Smart Cart 'embadmin/login.asp' SQL Injection Vulnerabilities
> alert tcp $EXTERNAL_NET any ->  $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
> Pre Projects E-Smart Cart login.asp Arbitrary SQL Command Injection
> Attempt"; flow:established,to_server; content:"POST"; depth:5;
> 
> you are still missing the space in this content depth:5 :?
> 
> it should be
> 
>   content:"POST "; depth:5;
> 
> if you want to use this format...
> 
> 
> uricontent:"/embadmin/login.asp"; nocase; content:"%27"; distance:0;
> classtype:web-application-attack;
> reference:url,juniper-federal.org/security/auto/vulnerabilities/vuln37418.html;
> reference:url,exploit-db.com/exploits/14376; sid:20101024; rev:1;)
> 
> 
> 
> -- 
> Regards,
> Dave
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20101018/537105dc/attachment.html


More information about the Emerging-sigs mailing list