Sourcefire VRT wrote:
100000445 || COMMUNITY WEB-PHP Particle Gallery Viewimage PHP Variable
Injection Attempt
Original Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY
WEB-PHP Particle Gallery Viewimage PHP Variable Injection Attempt";
flow:to_server,established; uricontent:"viewimage.php?imageid="; nocase;
pcre:"/viewimage\.php\?imageid=(![\d]+[\sa-zA-Z_]+)|([\d]+[\sa-zA-Z_]+)/Ui";
reference:bugtraq,18270; classtype:web-application-attack;
sid:100000445; rev:1;)
Something is wrong with the pcre in this rule. It has a global OR which
uses either
viewimage\.php\?imageid=(![\d]+[\sa-zA-Z_]+)
OR
([\d]+[\sa-zA-Z_]+)
I'm not to sure what the original author was attempting to detect, but
from the references it appears an attack might look like one of these
options:
http://www.example.com/viewimage.php?imageid='
http://www.example.com/viewimage.php?imageid=<iframe%20src=http://evilsite.com/scriptlet.html>
http://www.example.com/viewalbum.php?albumid=../../../../etc/passwd/
If you would like to detect the first issue (sql injection), since it
appears to be the most serious, I recommend using this rule instead (rev:2)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY
WEB-PHP Particle Gallery Viewimage SQL Injection Attempt";
flow:to_server,established; uricontent:"/viewimage.php"; nocase;
uricontent:"imageid="; nocase; pcre:"/imageid=[^=&]*\'/Ui";
reference:bugtraq,18270; classtype:web-application-attack;
sid:100000445; rev:2;)
-Blake
--
This email and any files transmitted with it are solely intended for the use of
the addressee(s) and may contain information that is confidential and
privileged. If you receive this email in error, please advise us by return
email immediately. Please also disregard the contents of the email, delete it
and destroy any copies immediately. Demarc Security, Inc. does not accept
liability for the views expressed in the email or for the consequences of any
computer viruses that may be transmitted with this email.
This email is also subject to copyright. No part of it should be reproduced,
adapted or transmitted without the written consent of the copyright owner.
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
