[Snort-sigs] phpBB remote code execution detection rule (final)

M. Shirk shirkdog_list at ...12...
Wed Dec 1 10:00:11 EST 2004


This link describes an attack that adds an admin user to any vulnerable 
phpBB forum using some of the content you described.
http://www.securiteam.com/unixfocus/6Z00R2ABPY.html

The 2001457 rule is just hunting the /'.system(/, so no matter what command 
is attempted it should trigger. I tested by sending an ls command to a 
forum:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE phpBB Highlighting Remote Code Execution Attempt HowDark.com"; flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.howdark.com/poc/phpbb2010_hl.phps; sid:2001457; rev:4;)


Shirkdog
http://www.shirkdog.us
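To make the matching logic of sid:2001457 concrete, here is a small Python model of its two uricontent checks run over a few constructed request lines. This is an added example, not code from the post above or from the Bleeding-Edge ruleset: it models only the two case-insensitive URI substring matches, leaving out flow tracking, the $HOME_NET/$HTTP_PORTS variables and Snort's own URI normalisation, and the sample requests are made up for the demo.

```python
"""Model of the two uricontent checks in sid:2001457 (added example).

Not from the original post or the Bleeding-Edge ruleset. Only the two
"nocase" uricontent matches are reproduced; flow state, port/network
variables and Snort's URI normalisation are assumed to be handled
elsewhere. The sample requests below are constructed for the demo.
"""

# The two uricontent strings taken from the rule; both are "nocase",
# so comparison happens on lower-cased text.
URICONTENT = ("/viewtopic.php?t=", "&highlight='.system(")


def uri_of(request_line: str) -> str:
    """Extract the request-URI from an HTTP request line ('GET /x HTTP/1.1')."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    return parts[1]


def rule_2001457_matches(request_line: str) -> bool:
    """True when every uricontent pattern occurs in the URI, case-insensitively.

    As the post notes, the rule keys on the "'.system(" prefix only, so the
    command that follows it does not influence the verdict.
    """
    uri = uri_of(request_line).lower()
    return all(pattern.lower() in uri for pattern in URICONTENT)


def scan(request_lines):
    """Return the request lines that would raise the alert."""
    return [line for line in request_lines if rule_2001457_matches(line)]


# Constructed sample traffic: an ordinary highlight search, two requests
# carrying the "'.system(" pattern (one in upper case to exercise nocase),
# and an unrelated viewforum request.
SAMPLE_REQUESTS = [
    "GET /phpBB2/viewtopic.php?t=1&highlight=snort HTTP/1.1",
    "GET /phpBB2/viewtopic.php?t=1&highlight='.system(ls). HTTP/1.1",
    "GET /phpBB2/viewtopic.php?t=7&highlight='.SYSTEM(LS). HTTP/1.1",
    "GET /phpBB2/viewforum.php?f=2 HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("ALERT sid:2001457 ->", hit)
```

Running the script prints the two matching request lines; the benign highlight search and the viewforum request stay silent because the second uricontent string is absent from their URIs.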
