[Snort-sigs] Interest in signatures for older JRun vulnerabilities?

nnposter nnposter at ...592...
Tue May 25 09:32:21 EDT 2004


>> From: snort-sigs-admin at lists.sourceforge.net on behalf of nnposter at ...592...
>>  
>> Over time I have created several signatures for older, circa 2001,
>> vulnerabilities in Allaire JRun. Are they of any interest to the
>> community?
>
> I would be interested in seeing them.. We are hosting some VERY holdover boxes, and they might be of use ...


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRun URL parser file disclosure"; flow:to_server,established; uricontent:".jsp"; nocase; content:".js%2570"; nocase; reference:url,www.macromedia.com/devnet/security/security_zone/mpsb01-15.html; classtype:web-application-attack;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRun URL parser file disclosure"; flow:to_server,established; uricontent:".jsp|00|"; nocase; reference:url,www.macromedia.com/devnet/security/security_zone/mpsb01-15.html; classtype:web-application-attack;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRun DATA access"; flow:to_server,established; uricontent:".jsp|3a3a|$data"; nocase; reference:bugtraq,3664; classtype:web-application-attack;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRun SSI request body parsing"; flow:to_server,established; content:"<!--#include"; nocase; reference:cve,CAN-2001-0926; reference:bugtraq,3589; classtype:web-application-attack;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRun META-INF file disclosure"; flow:to_server,established; uricontent:"/META-INF"; nocase; content:"//META-INF"; nocase; reference:bugtraq,3662; classtype:web-application-attack;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRun WEB-INF file disclosure"; flow:to_server,established; uricontent:"/WEB-INF"; nocase; content:"//WEB-INF"; nocase; reference:bugtraq,3662; classtype:web-application-attack;)

Cheers,
nnposter




More information about the Snort-sigs mailing list