[Snort-sigs] phpBB remote code execution detection rule (final)
tblackmon at ...1941...
Wed Dec 1 10:36:04 EST 2004
I got it. I see now, I went back to their site and they were able to make it
work, modified the first statement they made and released a fix for it.
Guess I should pay more attention ;)
----- Original Message -----
From: "M. Shirk" <shirkdog_list at ...12...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Wednesday, December 01, 2004 12:58 PM
Subject: RE: [Snort-sigs] phpBB remote code execution detection rule (final)
> This link describes an attack that adds an admin user to any vulnerable
> phpBB forum using some of the content you described.
> The 2001457 rule is just hunting the /'.system(/ so no matter what command
> is attempted it should trigger. I tested by sending an ls command to a
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
> phpBB Highlighting Remote Code Execution Attempt HowDark.com";
> flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase;
> uricontent:"&highlight='.system("; nocase;
> reference:url,www.howdark.com/poc/phpbb2010_hl.phps; sid:2001457; rev:4;)
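
Added example, not part of the original thread or of the Bleeding Edge rule set: a log-side check that applies the two uricontent strings from sid:2001457 to web server access logs, for reviewing hosts that had no sensor in front of them. The log format, the sample lines, the function names, and the single percent-decoding pass standing in for Snort's URI normalization are assumptions of this example.

```python
import re
from urllib.parse import unquote

# The two uricontent strings from sid:2001457 (both matched with nocase).
RULE_CONTENTS = ("/viewtopic.php?t=", "&highlight='.system(")

# Request portion of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def uri_matches_rule(uri: str) -> bool:
    """True when the URI contains both rule strings, case-insensitively.

    One percent-decoding pass stands in for Snort's URI normalization
    (an assumption of this example, not a full http_inspect model).
    """
    normalized = unquote(uri).lower()
    return all(content in normalized for content in RULE_CONTENTS)


def scan_access_log(lines):
    """Return (line_number, client_ip, uri) for each matching request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        request = REQUEST_RE.search(line)
        if request is None:
            continue  # malformed or non-HTTP line
        uri = request.group(1)
        if uri_matches_rule(uri):
            hits.append((number, line.split(" ", 1)[0], uri))
    return hits


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2004:10:01:02 -0500] "GET /viewtopic.php?t=12&highlight=snort HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Dec/2004:10:02:17 -0500] "GET /viewtopic.php?t=12&highlight=\'.system(ls) HTTP/1.1" 200 734',
    '198.51.100.7 - - [01/Dec/2004:10:02:40 -0500] "GET /VIEWTOPIC.PHP?t=3&highlight=%27.SYSTEM(ls) HTTP/1.0" 200 698',
    '203.0.113.5 - - [01/Dec/2004:10:03:09 -0500] "GET /index.php?q=\'.system( HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for number, client, uri in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {client} requested {uri}")
```

Like the rule, the check requires both strings, so an ordinary highlight search (first sample line) and a '.system( string on another page (last sample line) are not reported.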