[Emerging-Sigs] StillSecure: 10 New Signatures - 28th Dec 2012

signatures at stillsecure.com signatures at stillsecure.com
Fri Dec 28 03:08:04 HAST 2012


Hi Matt,

Please find 10 New Signatures below:

1. ET WEB_SPECIFIC_APPS gpEasy CMS section parameter XSS Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS section parameter XSS Attempt"; flow:established,to_server; content:"/?cmd=new_section"; nocase; http_uri; fast_pattern; content:"section="; nocase; http_uri; pcre:"/section\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:13783; rev:1;)

2. ET WEB_SPECIFIC_APPS gpEasy CMS index.php file XSS Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS index.php file XSS Attempt"; flow:established,to_server; content:"/index.php/Child_Page?"; nocase; http_uri; content:"cmd=new_section"; nocase; http_uri; fast_pattern; content:"section="; nocase; http_uri; pcre:"/section\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:13784; rev:1;)

3. ET WEB_SPECIFIC_APPS gpEasy CMS key parameter XSS Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS key parameter XSS Attempt"; flow:established,to_server; content:"/index.php/Admin_Theme_Content?"; nocase; http_uri; content:"cmd=edittext"; nocase; http_uri; fast_pattern; content:"key="; nocase; http_uri; pcre:"/key\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:13785; rev:1;)

4. ET WEB_SPECIFIC_APPS WordPress Mailing List plugin wpabspath parameter Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Mailing List plugin wpabspath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/mailz/lists/config/config.php?"; nocase; http_uri; content:"wpabspath="; nocase; http_uri; pcre:"/wpabspath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/105236/WordPress-Mailing-List-1.3.2-Remote-File-Inclusion.html; classtype:web-application-attack; sid:13786; rev:1;)

5. ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"3c9dff6f-5cb0-422e-9978-d6405d10718f"; nocase; distance:0; content:"InternationalSeparator"; nocase; distance:0; reference:url,securityfocus.com/bid/47596; classtype:attempted-user; sid:13787; rev:1;)

6. ET WEB_SPECIFIC_APPS Symantec Messaging Gateway Arbitrary File Download Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Symantec Messaging Gateway Arbitrary File Download Attempt"; flow:established,to_server; content:"/admin/restore/download.do?"; nocase; http_uri; content:"displayTab="; nocase; http_uri; content:"localBackupFileSelection="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,securityfocus.com/bid/56789/; classtype:web-application-attack; sid:13788; rev:1;)

7. ET WEB_SPECIFIC_APPS Wiki Web Help configpath parameter Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wiki Web Help configpath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/pages/links.php?"; nocase; http_uri; content:"configpath="; nocase; http_uri; pcre:"/configpath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116202/Wiki-Web-Help-0.3.11-Remote-File-Inclusion.html; classtype:web-application-attack; sid:13789; rev:1;)

8. ET WEB_SPECIFIC_APPS WordPress Relocate Upload plugin abspath parameter Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Relocate Upload plugin abspath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/relocate-upload/relocate-upload.php?"; nocase; http_uri; fast_pattern:19,17; content:"ru_folder="; nocase; http_uri; content:"abspath="; nocase; http_uri; pcre:"/abspath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/105239/WordPress-Relocate-Upload-0.14-Remote-File-Inclusion.html; classtype:web-application-attack; sid:13790; rev:1;)

9. ET WEB_SPECIFIC_APPS LogAnalyzer asktheoracle.php file XSS Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LogAnalyzer asktheoracle.php file XSS Attempt"; flow:established,to_server; content:"/asktheoracle.php?"; nocase; http_uri; fast_pattern; content:"type="; nocase; http_uri; content:"oracle_query="; nocase; http_uri; pcre:"/oracle\_query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/119015/Loganalyzer-3.6.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13791; rev:1;)

10. ET WEB_SPECIFIC_APPS Wordpress Myflash path parameter Local File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Myflash path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/myflash/myextractXML.php"; nocase; http_uri; fast_pattern:19,9; content:"path="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/118400/WordPress-Myflash-Local-File-Inclusion.html; classtype:web-application-attack; sid:13792; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure
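
Added example, not part of the original message or of StillSecure's tooling: a small regression check that runs the http_uri content strings and pcre bodies of sids 13783 and 13789, as posted above, over constructed request URIs to see which ones alert. It assumes urllib's percent-decoding is a close enough stand-in for the sensor's URI normalization (the pcre U modifier); RULES, rule_matches, SAMPLES and regressions are names made up for this sketch.

```python
import re
from urllib.parse import unquote

# Alternation shared by the XSS rules (sids 13783-13785, 13791), copied from the message.
XSS_TAIL = (r".+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)"
            r"|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)"
            r"|s(?:cript|tyle=))")
# Scheme check shared by the RFI rules (sids 13786, 13789, 13790).
RFI_TAIL = r"\s*(?:(?:ht|f)tps?|data|php)\x3a\/"

# sid -> (http_uri content strings, pcre body); two of the ten rules, as posted.
RULES = {
    13783: (["/?cmd=new_section", "section="], r"section\x3d" + XSS_TAIL),
    13789: (["/pages/links.php?", "configpath="], "configpath=" + RFI_TAIL),
}

def rule_matches(sid, raw_uri):
    """True if every content string and the pcre match the normalized URI."""
    contents, pcre = RULES[sid]
    uri = unquote(raw_uri)            # assumption: approximates http_uri / pcre U
    lowered = uri.lower()             # 'nocase' on each content option
    if not all(c.lower() in lowered for c in contents):
        return False
    return re.search(pcre, uri, re.IGNORECASE) is not None   # pcre 'i' flag

# Constructed request URIs (not captured traffic) with the verdict each should get.
SAMPLES = [
    (13783, "/?cmd=new_section&section=%3Cscript%3Ealert(1)%3C/script%3E", True),
    (13783, "/?cmd=new_section&section=text", False),
    (13783, "/?cmd=new_section&section=description", True),  # benign, still alerts
    (13789, "/pages/links.php?configpath=http://files.example.test/inc", True),
    (13789, "/pages/links.php?configpath=%20HTTPS%3A%2F%2Ffiles.example.test/x", True),
    (13789, "/pages/links.php?configpath=/var/www/wiki/config", False),
]

def regressions():
    """Return the samples whose verdict differs from the expected one."""
    return [(sid, uri) for sid, uri, want in SAMPLES
            if rule_matches(sid, uri) != want]

if __name__ == "__main__":
    for sid, uri, _ in SAMPLES:
        print(sid, rule_matches(sid, uri), uri)
    print("regressions:", regressions())
```

The third sample is the one to note when tuning: the unanchored "script" alternative also fires on an ordinary value such as "description", so the XSS rules can alert on benign requests to the matched path.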