Changed:
false positives
Suggested change to avoid false positives:
Rule
Change to:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sql injection
attempt in WEB-PHP viewtopic.php access";
flow:to_server,established; uricontent:"viewtopic.php"; content:"_sql_";
reference:bugtraq,7979; reference:cve,2003-0486;
reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)
GEN:SID
1:2229
Message
WEB-PHP viewtopic.php access
Rule
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
viewtopic.php access"; flow:to_server,established;
uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486;
reference:nessus,11767;
classtype:web-application-attack; sid:2229; rev:4;)
Summary
This event is generated when an attempt is made to exploit a known
vulnerability in the PHP application phpBB.
Impact
Information disclosure possibly leading to serious system compromise.
Detailed Information
Some versions of phpBB Group phpBB suffer from a vulnerability that
allows an attacker to inject SQL queries of their choosing.
This can result in the disclosure of passwords and other information
stored in the database. The data contained in the database may also be
corrupted by a malicious SQL query.
Affected Systems
phpBB Group phpBB 2.0.4, 2.0.5
Attack Scenarios
The attacker can execute one of the publicly available exploit scripts.
Ease of Attack
Simple. Exploit code exists.
False Positives
Every valid request
False Negatives None known.
If you think this rule has a false negatives, please help fill it out.
Corrective Action
Upgrade to the latest non-affected version of the software.
Contributors Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Additional References
Rule References bugtraq: 7979
cve: 2003-0486
nessus: 11767
HTH, Rainer
