[Emerging-Sigs] 2 Wordpress - Sigs

Markus Manzke mail at mare-system.de
Thu Dec 27 22:17:22 HAST 2012


I should have sent it earlier, the naxsi-sigs were posted on the 25th.  :-)

For the uploadify-sig, I tried to avoid a pcre and think this sig, as-is, is OK for non-wp-servers.


Will Metcalf <wmetcalf at emergingthreatspro.com> wrote:

>First one we did almost the exact same sig and is loaded to go in
>today. Uploadify is used in all kinds of junk... maybe we should add
>/wp-property/ in there somewhere?
>
>Regards,
>
>Will
>
>
>On Thu, Dec 27, 2012 at 4:13 PM, mex <mail at mare-system.de> wrote:
>>
>> on Dec 24 a nice vuln that probably grants access was published on FD
>>
>> http://seclists.org/fulldisclosure/2012/Dec/242
>> http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh
>>
>>
>> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WordPress TotalCache-DBCache-Access"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/w3tc/dbcache"; nocase; classtype:web-application-attack;  reference:url,seclists.org/fulldisclosure/2012/Dec/242; reference:url,git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh; sid:XXXXXXX; rev:2;)
>>
>>
>> the following is to detect an unwanted file-upload:
>> http://www.securityfocus.com/bid/53787/info
>> http://downloads.securityfocus.com/vulnerabilities/exploits/53787.php
>>
>> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WordPress WP-Property Plugin uploadify.php Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"POST"; depth:4; nocase; uricontent:"/uploadify/uploadify.php"; nocase; content:"Filedata"; nocase; http_client_body; classtype:web-application-attack;  reference:url,www.securityfocus.com/bid/53787/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/53787.php; sid:XXXXXX; rev:2;)
>>

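Added example (not part of either poster's message): a Python approximation of the two rules' content matches, run over constructed requests. It shows that the uploadify rule as written also fires on a non-WP-Property uploadify path, and how an extra `/wp-property/` URI match, as Will suggests, would narrow it. The request paths, `example.test` and the `plugin_path` parameter are assumptions made for illustration.

```python
# Added example: approximates the content matches of the two rules quoted above.
# It is not Snort: flow state, URI normalization and port variables are ignored.

def split_request(raw: bytes):
    """Return (uri, body) from a raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    return (parts[1] if len(parts) >= 2 else b""), body

def icontains(haystack: bytes, needle: bytes) -> bool:
    """Case-insensitive substring test, like content/uricontent with nocase."""
    return needle.lower() in haystack.lower()

def match_dbcache(raw: bytes) -> bool:
    # content:"GET "; depth:4; nocase;  uricontent:"/w3tc/dbcache"; nocase;
    uri, _ = split_request(raw)
    return raw[:4].lower() == b"get " and icontains(uri, b"/w3tc/dbcache")

def match_uploadify(raw: bytes, plugin_path: bytes = b"") -> bool:
    # content:"POST"; depth:4; nocase;  uricontent:"/uploadify/uploadify.php";
    # content:"Filedata"; nocase; http_client_body;
    uri, body = split_request(raw)
    hit = (raw[:4].lower() == b"post"
           and icontains(uri, b"/uploadify/uploadify.php")
           and icontains(body, b"Filedata"))
    # plugin_path is a hypothetical extra uricontent, e.g. b"/wp-property/"
    return hit and icontains(uri, plugin_path)

def post(uri: bytes) -> bytes:
    """Build a constructed multipart POST with a benign 'Filedata' part."""
    body = (b'--b\r\nContent-Disposition: form-data; name="Filedata"; '
            b'filename="a.txt"\r\n\r\nhello\r\n--b--\r\n')
    return (b"POST " + uri + b" HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: multipart/form-data; boundary=b\r\n\r\n" + body)

# Constructed sample requests (paths are illustrative, not taken from the thread).
DBCACHE = b"GET /wp-content/w3tc/dbcache/ HTTP/1.1\r\nHost: example.test\r\n\r\n"
WP_PROPERTY = post(b"/wp-content/plugins/wp-property/demo/uploadify/uploadify.php")
OTHER_APP = post(b"/shop/js/uploadify/uploadify.php")
GET_UPLOADIFY = b"GET /shop/js/uploadify/uploadify.php HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print("dbcache rule on DBCACHE:", match_dbcache(DBCACHE))
    for name, req in [("WP_PROPERTY", WP_PROPERTY), ("OTHER_APP", OTHER_APP),
                      ("GET_UPLOADIFY", GET_UPLOADIFY)]:
        print(name, "as-is:", match_uploadify(req),
              "with /wp-property/:", match_uploadify(req, b"/wp-property/"))
```

The as-is rule covers any application bundling uploadify, while the narrowed variant alerts only on the WP-Property path; which is preferable depends on whether the sensor protects non-WordPress servers.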
