[Emerging-Sigs] StillSecure: 10 New Signatures - 21st Dec 2012

signatures at stillsecure.com
Fri Dec 21 02:24:57 HAST 2012


Hi Matt,

Please find 10 New Signatures below:

1. ET WEB_SPECIFIC_APPS WordPress Video Lead Form plugin errMsg parameter Cross Site Scripting Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Video Lead Form plugin errMsg parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=video-lead-form"; nocase; http_uri; fast_pattern:5,15; content:"errMsg="; nocase; http_uri; pcre:"/errMsg\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/118466/WordPress-Video-Lead-Form-0.5-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13773; rev:1;)

2. ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery albumid parameter Cross Site Scripting Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery albumid parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plist.php?albumid="; nocase; http_uri; pcre:"/albumid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html; classtype:web-application-attack; sid:13774; rev:1;)

3. ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery file parameter Local File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/force-download.php?file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html; classtype:web-application-attack; sid:13775; rev:1;)

4. ET WEB_SPECIFIC_APPS simple machines forum include parameter Local File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS simple machines forum include parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"action=admin"; nocase; http_uri; content:"include="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/116709/SMF-2.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:13776; rev:1;)

5. ET WEB_SPECIFIC_APPS WordPress Cloudsafe365 file parameter Local File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Cloudsafe365 file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?"; nocase; http_uri; fast_pattern:19,20; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115972/WordPress-Cloudsafe365-Local-File-Inclusion.html; classtype:web-application-attack; sid:13777; rev:1;)

6. ET WEB_SPECIFIC_APPS Zenphoto date parameter Cross Site Scripting Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zenphoto date parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/zp-core/zp-extensions/zenpage/admin-news-articles.php?"; nocase; http_uri; content:"date="; nocase; http_uri; pcre:"/date\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117067/Zenphoto-1.4.3.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13778; rev:1;)

7. ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanageredit page XSS Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanageredit page XSS Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=tokenmanageredit"; nocase; http_uri; fast_pattern:5,16; content:"tid="; nocase; http_uri; pcre:"/tid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13779; rev:1;)

8. ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanagertypeedit page XSS Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanagertypeedit page XSS Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=tokenmanagertypeedit"; nocase; http_uri; fast_pattern:5,20; content:"tid="; nocase; http_uri; pcre:"/tid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13780; rev:1;)

9. ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; nocase; distance:0; content:".SetShapeNodeType("; nocase; distance:0; reference:url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html; classtype:attempted-user; sid:13781; rev:1;)

10. ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution"; flow:to_client,established; content:"CLSID"; nocase; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; nocase; distance:0; content:"ShowPropertiesDialog"; nocase; distance:0; reference:url,packetstormsecurity.org/files/117137/Cyme-ChartFX-Client-Server-Array-Indexing.html; classtype:attempted-user; sid:13782; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure
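
A regression check for the URI conditions of the five XSS signatures above (sids 13773, 13774, 13778, 13779, 13780), added here as an example and not part of the StillSecure submission. The names matching_sids, RULES and SAMPLES, the sample URIs, and the use of percent-decoding in place of the sensor's normalized URI buffer are assumptions; the third sample shows the shared pattern also firing on the word "description".

```python
import re
from urllib.parse import unquote

# Event-handler/script alternation copied from the pcre option of sids
# 13773, 13774, 13778, 13779 and 13780; only the parameter name differs.
XSS_TAIL = (r".+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)"
            r"|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)"
            r"|s(?:cript|tyle=))")

# sid -> (content matches required in the URI, parameter named in the pcre)
RULES = {
    13773: (["/wp-admin/admin.php?", "page=video-lead-form", "errMsg="], "errMsg"),
    13774: (["/plist.php?albumid="], "albumid"),
    13778: (["/zp-core/zp-extensions/zenpage/admin-news-articles.php?", "date="], "date"),
    13779: (["/wp-admin/admin.php?", "page=tokenmanageredit", "tid="], "tid"),
    13780: (["/wp-admin/admin.php?", "page=tokenmanagertypeedit", "tid="], "tid"),
}

def matching_sids(raw_uri):
    """Return the sids whose URI conditions hold for one request URI."""
    # Assumption: percent-decoding stands in for the normalized URI buffer
    # used by http_uri and the pcre /U flag; real normalization does more.
    uri = unquote(raw_uri)
    low = uri.lower()                      # every content match is nocase
    hits = []
    for sid, (contents, param) in RULES.items():
        if not all(c.lower() in low for c in contents):
            continue
        if re.search(re.escape(param) + r"\x3d" + XSS_TAIL, uri, re.I):
            hits.append(sid)
    return hits

# Constructed sample URIs (not captured traffic).
SAMPLES = [
    "/wp-admin/admin.php?page=video-lead-form&errMsg=%3Cscript%3E",
    "/wp-admin/admin.php?page=video-lead-form&errMsg=Saved",
    "/wp-admin/admin.php?page=video-lead-form&errMsg=Missing+description",
    "/wp-admin/admin.php?page=tokenmanagertypeedit&tid=1%22%20onmouseover%3Dx",
    "/plist.php?albumid=7",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(matching_sids(sample), sample)
```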