[Emerging-Sigs] space at end of filename - bad form POST

Weir, Jason jason.weir at nhrs.org
Fri Oct 28 13:31:42 EDT 2011


Found on FB but would be potentially bad no matter where it's seen

http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html

What do you guys think of this

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET Inbound Bad POST - space at end of filename"; flow:established,to_server; content:"Content-Disposition|3A| form-data|3b|"; nocase; content:"filename=|22|"; pcre:"/filename=\x22\S* \x22/i"; classtype:bad-unknown; reference:url,www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html; sid:xxxxxxx; rev:1;)

I wrote this up as an inbound rule looking for potentially malicious
posts to my forms - but could be used outbound as well looking for
clients trying to infect FB users..

-Jason
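
A coverage check for the rule's payload options, added here as an example and not part of the original post: it approximates the two content matches and runs the posted pcre over constructed multipart headers, beside a hypothetical wider pattern (WIDER_PCRE, an assumption, not from the post) that also catches filenames containing inner spaces. Flow and port options are not modelled.

```python
import re

# The rule's pcre, transcribed unchanged for Python's re module.
RULE_PCRE = re.compile(r'filename=\x22\S* \x22', re.I)
# Hypothetical variant (not from the post): any non-quote characters
# may precede the trailing space, so inner spaces no longer break the match.
WIDER_PCRE = re.compile(r'filename=\x22[^\x22]* \x22', re.I)


def rule_matches(payload: bytes, pcre=RULE_PCRE) -> bool:
    """Approximate the rule's payload options: both contents, then the pcre."""
    text = payload.decode("latin-1")
    # content:"Content-Disposition|3A| form-data|3b|"; nocase;
    if "content-disposition: form-data;" not in text.lower():
        return False
    # content:"filename=|22|";  (no nocase, so case-sensitive)
    if 'filename="' not in text:
        return False
    return pcre.search(text) is not None


def part(filename: str) -> bytes:
    """Build one constructed multipart/form-data part for testing."""
    return (
        "--boundary123\r\n"
        'Content-Disposition: form-data; name="attachment"; '
        f'filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        "constructed-body\r\n"
    ).encode("latin-1")


# Constructed sample uploads, keyed by what they exercise.
SAMPLES = {
    "no space": part("report.pdf"),
    "trailing space": part("setup.exe "),
    "inner + trailing space": part("my setup.exe "),
    "inner space only": part("my setup.exe"),
}


def coverage() -> dict:
    """Map each sample to (posted pcre result, wider pcre result)."""
    return {name: (rule_matches(p), rule_matches(p, WIDER_PCRE))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (posted, wider) in coverage().items():
        print(f"{name:24} posted={posted!s:5} wider={wider}")
```

Because \S* cannot cross whitespace, the posted pattern only fires when the filename has no other spaces in it; the wider pattern fires on any filename whose last character before the closing quote is a space.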

