<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Also posting these, sorry for the delay. Thanks!!<div><br></div><div>Matt</div><div><br><div><div>On Oct 15, 2010, at 6:28 AM, signatures wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div>
<!-- Converted from text/plain format --><p><font size="2">Hi Matt,<br>
<br>
Please find 10 New Signatures below:<br>
<br>
1. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt<br>
alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,<a href="http://packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt">packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt</a>; sid:20101062; rev:1;)<br>
<br>
2. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt<br>
alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,<a href="http://packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt">packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt</a>; sid:20101063; rev:1;)<br>
<br>
3. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt<br>
alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,<a href="http://packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt">packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt</a>; sid:20101064; rev:1;)<br>
<br>
4. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt<br>
alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,<a href="http://packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt">packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt</a>; sid:20101065; rev:1;)<br>
<br>
5. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt<br>
alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,<a href="http://packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt">packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt</a>; sid:20101066; rev:1;)<br>
<br>
6. WEB-PHP BaconMap updatelist.php filepath Local File Inclusion Attempt<br>
alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BaconMap updatelist.php filepath Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/baconmap/admin/updatelist.php?"; nocase; uricontent:"filepath="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,<a href="http://packetstormsecurity.com/1010-exploits/baconmap10-lfi.txt">packetstormsecurity.com/1010-exploits/baconmap10-lfi.txt</a>; sid:20101069; rev:1;)<br>
<br>
7. WEB-PHP Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt<br>
alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/com_rwcards/rwcards.advancedate.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,<a href="http://packetstormsecurity.com/1010-exploits/joomlarwcards-rfi.txt">packetstormsecurity.com/1010-exploits/joomlarwcards-rfi.txt</a>; sid:20101061; rev:1;)<br>
<br>
8. WEB-PHP Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt<br>
alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/html/11-login.asp?"; nocase; uricontent:"intPassedLocationID="; nocase; pcre:"/intPassedLocationID\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; reference:bugtraq,43865; sid:20101058; rev:1;)<br>
<br>
9. WEB-PHP OrangeHRM uri Parameter Local File Inclusion Attempt<br>
alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP OrangeHRM uri Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"uniqcode=KPI"; nocase; uricontent:"menu_no_top=performance"; nocase; uricontent:"uri="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,<a href="http://exploit-db.com/exploits/15232">exploit-db.com/exploits/15232</a>; sid:20101056; rev:1;)<br>
<br>
10. WEB-PHP joomla com_jomestate Parameter Remote File Inclusion Attempt<br>
alert tcp $EXTERNAL_NET any -&gt; $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP joomla com_jomestate Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/real_estate/index.php?"; nocase; uricontent:"option=com_jomestate"; nocase; uricontent:"task="; nocase; pcre:"/task=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,<a href="http://inj3ct0r.com/exploits/12835">inj3ct0r.com/exploits/12835</a>; sid:11501; rev:1;)<br>
<br>
Looking forward your comments, if any.<br>
<br>
Thanks &amp; Regards,<br>
StillSecure<br>
<br>
</font>
</p>

</div>
<br>_______________________________________________<br>Emerging-sigs mailing list<br><a href="mailto:Emerging-sigs@emergingthreats.net">Emerging-sigs@emergingthreats.net</a><br><a href="http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs">http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br><br>Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards<br>http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html</blockquote></div><br><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br>----------------------------------------------------<br>Matthew Jonkman</div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><a href="http://Emergingthreats.net">Emergingthreats.net</a><br>Emerging Threats Pro<br>Open Information Security Foundation&nbsp;(OISF)<br>Phone 765-807-8630<br>Fax 312-264-0205<br><a href="http://www.emergingthreatspro.com">http://www.emergingthreatspro.com</a><br>http://www.openinfosecfoundation.org<br>----------------------------------------------------<br><br>PGP:&nbsp;http://www.jonkmans.com/mattjonkman.asc<br><br><br></div></span></div></span></div></span></span>
</div>
<br></div></body></html>