[Snort-sigs] phpBB remote code execution detection rule (final)

Tony Blackmon tblackmon at ...1941...
Wed Dec 1 10:36:04 EST 2004


I got it. I see now: I went back to their site and they were able to make it 
work, modified the first statement they made and released a fix for it.

Guess I should pay more attention ;)
----- Original Message ----- 
From: "M. Shirk" <shirkdog_list at ...12...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Wednesday, December 01, 2004 12:58 PM
Subject: RE: [Snort-sigs] phpBB remote code execution detection rule (final)


> This link describes an attack that adds an admin user to any vulnerable 
> phpBB forum using some of the content you described.
> http://www.securiteam.com/unixfocus/6Z00R2ABPY.html
>
> The 2001457 rule is just hunting the /'.system(/ so no matter what command 
> is attempted it should trigger. I tested by sending an ls command to a 
> forum:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 
> phpBB Highlighting Remote Code Execution Attempt HowDark.com"; 
> flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; 
> uricontent:"&highlight='.system("; nocase; 
> reference:url,www.howdark.com/poc/phpbb2010_hl.phps; sid:2001457; rev:4;)
>
>
> Shirkdog
> http://www.shirkdog.us
>
> 
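An added example, not part of the original thread or the Bleeding Edge rule set: a Python sketch that parses the rule quoted above and applies its two uricontent matches to constructed request URIs, showing that the alert depends only on the '.system( prefix and not on the command that follows. It assumes a single pass of percent-decoding as a stand-in for Snort's URI normalization, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Rule text as posted in the thread, joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE '
        'phpBB Highlighting Remote Code Execution Attempt HowDark.com"; '
        'flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase; '
        'uricontent:"&highlight=\'.system("; nocase; '
        'reference:url,www.howdark.com/poc/phpbb2010_hl.phps; sid:2001457; rev:4;)')

def parse_uricontents(rule):
    """Return [(pattern, nocase)] for each uricontent option, in rule order.
    Simplified parser: no |hex| or backslash escapes, which this rule does not use."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    # Split the option list on ';' while keeping quoted strings intact.
    options = [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', body)]
    found = []
    for opt in options:
        if opt.startswith("uricontent:"):
            found.append([opt.split(":", 1)[1].strip().strip('"'), False])
        elif opt == "nocase" and found:
            found[-1][1] = True  # nocase modifies the preceding pattern
    return [tuple(p) for p in found]

def matches(rule, raw_uri):
    """True when every uricontent pattern occurs in the normalized URI."""
    uri = unquote(raw_uri)  # assumption: one decode pass approximates normalization
    for pattern, nocase in parse_uricontents(rule):
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True

# Constructed request URIs (not captured traffic) with the expected verdict.
SAMPLES = {
    "/viewtopic.php?t=42&highlight='.system(ls)": True,
    "/viewtopic.php?t=42&highlight='.system(PLACEHOLDER)": True,  # any command
    "/ViewTopic.PHP?t=42&HIGHLIGHT='.System(ls)": True,           # nocase
    "/viewtopic.php?t=42&highlight=%27.system(ls)": True,         # normalized
    "/viewtopic.php?t=42&highlight=snort": False,                 # normal search
    "/index.php?t=42&highlight='.system(ls)": False,              # other script
}

def run_samples():
    return {uri: matches(RULE, uri) for uri in SAMPLES}

if __name__ == "__main__":
    for uri, hit in run_samples().items():
        print("ALERT" if hit else "pass ", uri)
```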




