[Snort-sigs] phpBB remote code execution detection rule (final)

Federico Petronio petrus at ...2312...
Wed Dec 1 06:38:11 EST 2004


Hello, this rule is intended to detect the recently discovered remote
code execution bug, it is similar to rule 2001457, but there is some 
attacks I tested that that rule does not detect and this one does (p.e. 
viewtopic.php?t=2&highlight=%2527%252esystem(chr(99)%252echr(97)%252echr(116)%252echr(32)%252echr(47)%252echr(101)%252echr(116)%252echr(99)%252echr(47)%252echr(104)%252echr(111)%252echr(115)%252echr(116)%252echr(115))%252e%2527))

Rule:

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"phpBB <=
2.0.10 Remote code execution"; content:"/viewtopic.php?"; content:"t=";
content:"highlight="; content:"system";
reference:url,secunia.com/advisories/13239;
classtype:web-application-attack; sid:100100; rev:1;)

Reference:
	http://secunia.com/advisories/13239

Thanks...
-- 
                                         Federico Petronio
                                         petrus at ...2312...










More information about the Snort-sigs mailing list