[Emerging-Sigs] StillSecure: 10 New Signatures - 7th Dec 2012

signatures at stillsecure.com
Thu Dec 6 21:20:37 HAST 2012


Hi Matt,

Please find 10 New Signatures below:

1. ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/admin/admin_header.php?"; nocase; http_uri; content:"root_folder_path="; nocase; http_uri; pcre:"/root\_folder\_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:13753; rev:1;)

2. ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/ajax_list_tree.php?"; nocase; http_uri; content:"root_folder_path="; nocase; http_uri; pcre:"/root\_folder\_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:13754; rev:1;)

3. ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/previews_functions.php?"; nocase; http_uri; content:"root_folder_path="; nocase; http_uri; pcre:"/root\_folder\_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:13755; rev:1;)

4. ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/dispatch.php?"; nocase; http_uri; content:"atkaction=search"; nocase; http_uri; content:"atknodetype="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html; classtype:web-application-attack; sid:13756; rev:1;)

5. ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tests/test_tools/functional_tests.php?"; nocase; http_uri; content:"sr="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:13757; rev:1;)

6. ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/demos/time-tracker/tests/functional.php?"; nocase; http_uri; content:"sr="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:13758; rev:1;)

7. ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/consulta_fact.php?"; nocase; http_uri; content:"fact_num="; nocase; http_uri; pcre:"/fact_num\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13759; rev:1;)

8. ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/newinventario.php?"; nocase; http_uri; content:"sn="; nocase; http_uri; pcre:"/sn\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13760; rev:1;)

9. ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/newtransact.php?"; nocase; http_uri; content:"ref="; nocase; http_uri; pcre:"/ref\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13761; rev:1;)

10. ET WEB_SPECIFIC_APPS Nagios XI Network Monitor host parameter OS command injection attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor host parameter OS command injection attempt"; flow:established,to_server; content:"/includes/components/graphexplorer/visApi.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"host="; nocase; http_uri; pcre:"/host\x3d.+cat.+\/.+/Ui"; reference:url,packetstormsecurity.org/files/118497/Nagios-XI-Network-Monitor-2011R1.9-OS-Command-Injection.html; classtype:web-application-attack; sid:13762; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure
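
The following is an added example, not part of StillSecure's post: a simplified Python model of the http_uri content and pcre checks in sids 13753, 13759 and 13762, run over constructed URIs to show which requests each rule fires on, including benign ones ("description" contains "script"; "category" followed by a later slash satisfies the host= pattern). It assumes that one pass of percent-decoding approximates the sensor's URI normalization, and it ignores flow and port matching.

```python
import re
from urllib.parse import unquote

# Simplified model of three rules from the post: every http_uri content must be
# present (nocase) and the pcre must match with /Ui (normalized URI, caseless).
XSS_TAIL = (r".+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|"
            r"onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)")
RULES = {
    13753: (["/admin/admin_header.php?", "root_folder_path="],
            r"root\_folder\_path=\s*(ftps?|https?|php)\x3a\/"),
    13759: (["/consulta_fact.php?", "fact_num="], r"fact_num\x3d" + XSS_TAIL),
    13762: (["/includes/components/graphexplorer/visApi.php?", "type=", "host="],
            r"host\x3d.+cat.+\/.+"),
}

def normalize(uri):
    # Assumption: a single percent-decode stands in for the sensor's URI normalization.
    return unquote(uri)

def matching_sids(raw_uri):
    """Return the sids (from RULES) whose contents and pcre all match the URI."""
    uri = normalize(raw_uri)
    lowered = uri.lower()
    hits = []
    for sid, (contents, pcre) in RULES.items():
        if all(c.lower() in lowered for c in contents) and re.search(pcre, uri, re.I):
            hits.append(sid)
    return sorted(hits)

# Constructed sample URIs (not captured traffic).
SAMPLES = {
    "rfi_param": "/admin/admin_header.php?root_folder_path=http://files.example.test/x",
    "rfi_benign": "/admin/admin_header.php?root_folder_path=./",
    "xss_encoded": "/consulta_fact.php?fact_num=1%3Cscript%3E",
    # Benign: "description" contains the substring "script".
    "xss_benign": "/consulta_fact.php?fact_num=12&note=item+description",
    # Benign: "category" supplies "cat" and the path value supplies the slash.
    "nagios_benign": ("/includes/components/graphexplorer/visApi.php"
                      "?type=bar&host=web01&category=disk&path=/var"),
}

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:14} -> {matching_sids(uri)}")
```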