[Emerging-Sigs] StillSecure: 10 New Signatures - 14th Dec 2012

signatures at stillsecure.com signatures at stillsecure.com
Fri Dec 14 01:27:05 HAST 2012


Hi Matt,

Please find 10 New Signatures below:

1. ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-admin.js.php Remote File
Inclusion Attempt
# Flags inbound requests to the FSML plugin's fsml-admin.js.php whose "wpp"
# parameter begins with a URL scheme (http, https, ftp, ftps, data or php
# followed by ":/"), i.e. a remote-file-inclusion style value.
# - All content matches and the pcre (/U) are evaluated against the
#   normalized URI buffer only; request bodies are not inspected.
# - fast_pattern:47,18 selects the "/fsml-admin.js.php" tail of the 66-byte
#   path content as the prefilter string.
# - The pcre only allows optional whitespace between "wpp=" and the scheme.
# - This is an attempt indicator: an alert does not show the include
#   succeeded, so correlate with outbound fetches from the web server.
# NOTE(review): the rule text is mail-wrapped here; rejoin it onto a single
# line (or add line continuations) before loading it into a sensor.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-admin.js.php Remote File
Inclusion Attempt"; flow:established,to_server;
content:"/wp-content/plugins/floating-social-media-links/fsml-admin.js.php?";
nocase; http_uri; fast_pattern:47,18; content:"wpp="; nocase; http_uri;
pcre:"/wpp=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,
secunia.com/advisories/51346; classtype:web-application-attack; sid:13763;
rev:1;)

2. ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-hideshow.js.php Remote
File Inclusion Attempt
# Companion to the fsml-admin.js.php rule: flags inbound requests to the FSML
# plugin's fsml-hideshow.js.php whose "wpp" parameter begins with a URL
# scheme (http, https, ftp, ftps, data or php followed by ":/").
# - Matching is on the normalized URI only (http_uri contents, pcre /U).
# - fast_pattern:47,21 selects the "/fsml-hideshow.js.php" tail of the path
#   content as the prefilter string.
# - Both FSML rules cite the same Secunia advisory; keep them in sync when
#   one is revised.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-hideshow.js.php Remote File
Inclusion Attempt"; flow:established,to_server;
content:"/wp-content/plugins/floating-social-media-links/fsml-hideshow.js.php?";
nocase; http_uri; fast_pattern:47,21; content:"wpp="; nocase; http_uri;
pcre:"/wpp=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,
secunia.com/advisories/51346; classtype:web-application-attack; sid:13764;
rev:1;)

3. ET WEB_SPECIFIC_APPS Havalite userId parameter Cross Site Scripting
Attempt
# Flags inbound requests to Havalite's hava_user.php where "userId=" is
# followed, anywhere later in the normalized URI, by an HTML event-handler
# name (onselect, onsubmit, onreset, ondblclick, ondragdrop, onmouse*,
# onkey*, onchange, onclick, onload, onunload, onfocus, onblur), "script"
# or "style=".
# - "/hava_user.php?" is the fast-pattern content (fast_pattern:only).
# - The pcre's ".+?" is not bounded by "&", so the keyword may sit in a
#   different parameter than userId; expect some false positives and triage
#   on the full URI.
# - Only the URI is inspected; a userId value sent in a request body is
#   outside this rule.
# NOTE(review): the referenced advisory title also mentions a shell upload
# issue, which this signature does not appear to cover - confirm whether a
# separate rule is planned.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS Havalite userId parameter Cross Site Scripting Attempt";
flow:established,to_server; content:"/hava_user.php?"; nocase; http_uri;
fast_pattern:only; content:"userId="; nocase; http_uri;
pcre:"/userId\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui";
reference:url,
packetstormsecurity.org/files/118714/Havalite-1.1.7-Cross-Site-Scripting-Shell-Upload.html;
classtype:web-application-attack; sid:13765; rev:1;)

4. ET WEB_SPECIFIC_APPS SimpleInvoices having parameter Cross Site
Scripting Attempt
# Flags inbound requests to /index.php? that carry "module=", "view=" and
# "having=" in the normalized URI, where "having=" is followed later in the
# URI by an HTML event-handler name, "script" or "style=".
# - None of the contents is marked fast_pattern and all are short, generic
#   strings ("/index.php?", "module=", ...), so the prefilter is weak and
#   the rule may be evaluated against a lot of unrelated traffic.
# - module= and view= are matched by name only; their values are not
#   constrained to a particular SimpleInvoices page.
# - The pcre's ".+?" is not bounded by "&", so the keyword can come from a
#   later parameter; treat hits as leads to verify, not confirmed XSS.
# NOTE(review): consider anchoring on the specific module/view values named
# in the advisory to cut false positives - values not visible here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS SimpleInvoices having parameter Cross Site Scripting
Attempt"; flow:established,to_server; content:"/index.php?"; nocase;
http_uri; content:"module="; nocase; http_uri; content:"view="; nocase;
http_uri; content:"having="; nocase; http_uri;
pcre:"/having\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui";
reference:url,
packetstormsecurity.org/files/118737/SimpleInvoices-2011.1-Cross-Site-Scripting.html;
classtype:web-application-attack; sid:13766; rev:1;)

5. ET ACTIVEX Possible NVIDIA Install Application ActiveX Control
AddPackages Unicode Buffer Overflow
# Client-side rule: inspects server-to-client traffic from $HTTP_PORTS to
# $HOME_NET for a page that contains, in this order, "CLSID", the class id
# A9C8F210-55EB-4849-8807-EC49C5389A79 and a ".AddPackages" call.
# - distance:0 only enforces ordering; the three strings may be arbitrarily
#   far apart within the inspected payload.
# - The AddPackages argument is not examined, so any page that instantiates
#   this control by CLSID and references the method will alert; that is why
#   the msg says "Possible".
# - No HTTP buffer modifier is used, so the match is on the raw payload.
# NOTE(review): confirm how the target sensor handles compressed or chunked
# response bodies; a decoded-body buffer such as file_data may be needed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX
Possible NVIDIA Install Application ActiveX Control AddPackages Unicode
Buffer Overflow"; flow:to_client,established;  content:"CLSID"; nocase;
content:"A9C8F210-55EB-4849-8807-EC49C5389A79"; nocase; distance:0;
content:".AddPackages"; nocase; distance:0; reference:url,
packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html;
classtype:attempted-user; sid:13767; rev:1;)

6. ET WEB_SPECIFIC_APPS Manhali download.php Local File Inclusion
Vulnerability
# Flags inbound GET requests to Manhali's /includes/download.php? that carry
# an "f=" parameter and contain the bytes 2e 2e 2f ("../") within the first
# 200 bytes of the packet payload.
# - The method, path and "f=" matches use HTTP buffers; the "../" match has
#   no http_uri modifier, so it is a raw-payload match and depth:200 counts
#   from the start of the payload.
# - The "../" is not tied to the value of f=; it can match anywhere in the
#   first 200 bytes, including another parameter.
# - Only GET is covered.
# NOTE(review): because the traversal match is on raw bytes, confirm whether
# percent-encoded traversal sequences and long request lines (beyond 200
# bytes) need additional coverage on the deployed sensor.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS Manhali download.php Local File Inclusion Vulnerability";
flow:established,to_server; content:"GET"; nocase; http_method;
content:"/includes/download.php?"; nocase; http_uri; content:"f="; nocase;
http_uri; content:"|2e 2e 2f|";  depth:200; reference:url,
packetstormsecurity.org/files/116724/Manhali-1.8-Local-File-Inclusion.html;
classtype:web-application-attack; sid:13768; rev:1;)

7. ET WEB_SPECIFIC_APPS RIPS code.php Local File Inclusion Vulnerability
# Flags inbound GET requests to RIPS' /windows/code.php? that carry a
# "file=" parameter and contain the bytes 2e 2e 2f ("../") within the first
# 200 bytes of the packet payload.
# - "/windows/code.php?" and "file=" are matched in the normalized URI; the
#   "../" content has no http_uri modifier and is a raw-payload match
#   limited by depth:200.
# - The "../" is not bound to the file= value, so it may come from elsewhere
#   in the first 200 bytes of the request.
# - Shares its reference with the function.php rule for the same advisory.
# NOTE(review): confirm whether percent-encoded traversal sequences need a
# separate match; the raw-bytes content would not see them decoded.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS RIPS code.php Local File Inclusion Vulnerability";
flow:established,to_server; content:"GET"; nocase; http_method;
content:"/windows/code.php?"; nocase; http_uri; content:"file="; nocase;
http_uri; content:"|2e 2e 2f|";  depth:200; reference:url,
packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html;
classtype:web-application-attack; sid:13769; rev:1;)

8. ET WEB_SPECIFIC_APPS RIPS function.php Local File Inclusion Vulnerability
# Flags inbound GET requests to RIPS' /windows/function.php? that carry a
# "file=" parameter and contain the bytes 2e 2e 2f ("../") within the first
# 200 bytes of the packet payload.
# - Same structure as the code.php rule: path and parameter name are matched
#   in the normalized URI, while "../" is a raw-payload match bounded by
#   depth:200 and not tied to the file= value.
# - Only GET is covered.
# NOTE(review): RIPS is a code-analysis tool that is normally not meant to
# be internet-facing; a hit from $EXTERNAL_NET may also indicate an exposure
# problem worth checking - confirm against the deployment.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS RIPS function.php Local File Inclusion Vulnerability";
flow:established,to_server; content:"GET"; nocase; http_method;
content:"/windows/function.php?"; nocase; http_uri; content:"file=";
nocase; http_uri; content:"|2e 2e 2f|";  depth:200; reference:url,
packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html;
classtype:web-application-attack; sid:13770; rev:1;)

9. ET WEB_SPECIFIC_APPS Admidio headline parameter Cross Site Scripting
Attempt
# Flags inbound requests to Admidio's guestbook_new.php where "headline=" is
# followed, later in the normalized URI, by an HTML event-handler name,
# "script" or "style=".
# - fast_pattern:30,18 selects the "/guestbook_new.php" part of the 49-byte
#   path content as the prefilter string.
# - The pcre's ".+?" is not bounded by "&", so the keyword may belong to a
#   different parameter; verify the headline value when triaging.
# - Only the URI is inspected; form submissions that send headline in the
#   request body are outside this rule.
# NOTE(review): the referenced advisory title also lists SQL injection,
# which this signature does not appear to address - confirm coverage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS Admidio headline parameter Cross Site Scripting Attempt";
flow:established,to_server;
content:"/adm_program/modules/guestbook/guestbook_new.php?"; nocase;
http_uri; fast_pattern:30,18; content:"headline="; nocase; http_uri;
pcre:"/headline\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui";
reference:url,
packetstormsecurity.org/files/116155/Admidio-2.3.5-Cross-Site-Scripting-SQL-Injection.html;
classtype:web-application-attack; sid:13771; rev:1;)

10. ET WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting
Attempt
# Flags inbound requests to SMF's ssi_examples.php where "view=" is
# followed, later in the normalized URI, by an HTML event-handler name,
# "script" or "style=".
# - "/ssi_examples.php?" is the fast-pattern content (fast_pattern:only).
# - "view=" is a short, common parameter name and the pcre's ".+?" is not
#   bounded by "&", so the keyword can come from any later part of the URI;
#   expect false positives on benign values containing "script".
# - Only the URI is inspected.
# NOTE(review): ssi_examples.php looks like a bundled example page; if it is
# not needed in production, removing it is a stronger control than
# detection alone - confirm with the application owner.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting
Attempt"; flow:established,to_server; content:"/ssi_examples.php?"; nocase;
http_uri; fast_pattern:only; content:"view="; nocase; http_uri;
pcre:"/view\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui";
reference:url,
packetstormsecurity.org/files/117618/SMF-2.0.2-Cross-Site-Scripting.html;
classtype:web-application-attack; sid:13772; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure