[Snort-sigs] three new rule for detect webCalendar multiple vuln

rmkml rmkml at ...324...
Fri Dec 2 02:39:13 EST 2005


Hi,

web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP WebCalendar activity_log access"; content:"GET"; nocase; 
depth:3; uricontent:"/webcalendar/activity_log.php"; nocase; 
uricontent:"startid|3D|"; nocase; classtype:web-application-attack; )

web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP WebCalendar edit_report_handler access"; content:"GET"; 
nocase; depth:3; uricontent:"/webcalendar/edit_report_handler.php"; 
nocase; uricontent:"report_name|3D|"; nocase; uricontent:"page_template|3D|"; nocase; 
classtype:web-application-attack; )

web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-PHP WebCalendar layers_toggle access"; content:"GET"; nocase; 
depth:3; uricontent:"/webcalendar/layers_toggle.php"; nocase; 
uricontent:"status|3D|"; nocase; uricontent:"ret|3D|"; nocase; 
classtype:web-application-attack; )

"WebCalendar is vulnerable to four SQL Injection (files activity_log.php,
admin_handler.php, edit_template.php and export_handler.php) and one
local file overwrite (export_handler.php), input validation will fix."

http://www.ush.it/team/ascii/hack-WebCalendar/advisory.txt

Improvements/comments are welcome.

Rmkml
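
Added example, not part of the original post: a small offline harness that evaluates the content/uricontent tests of the three rules above against constructed requests, for checking what does and does not fire before loading them into a sensor. The helper names (decode, parse, alerts) and the sample requests are this example's own, and as a simplifying assumption uricontent is matched against the raw request URI without Snort's HTTP normalization.

```python
# The three rules from the post, each joined onto one line (rule text unchanged).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebCalendar activity_log access"; content:"GET"; nocase; depth:3; uricontent:"/webcalendar/activity_log.php"; nocase; uricontent:"startid|3D|"; nocase; classtype:web-application-attack; )',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebCalendar edit_report_handler access"; content:"GET"; nocase; depth:3; uricontent:"/webcalendar/edit_report_handler.php"; nocase; uricontent:"report_name|3D|"; nocase; uricontent:"page_template|3D|"; nocase; classtype:web-application-attack; )',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebCalendar layers_toggle access"; content:"GET"; nocase; depth:3; uricontent:"/webcalendar/layers_toggle.php"; nocase; uricontent:"status|3D|"; nocase; uricontent:"ret|3D|"; nocase; classtype:web-application-attack; )',
]
# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"GET /webcalendar/activity_log.php?startid=1 HTTP/1.0\r\n\r\n",
    b"GET /WebCalendar/Layers_Toggle.php?status=on&ret=month.php HTTP/1.0\r\n\r\n",
    b"GET /webcalendar/activity_log.php HTTP/1.0\r\n\r\n",
]

def decode(pattern):
    """Expand Snort |hex| escapes, e.g. 'startid|3D|' -> b'startid='."""
    out = b""
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return out

def parse(rule):
    """Return (msg, [(keyword, pattern_bytes, modifiers)]) for one rule."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    msg, tests = None, []
    for opt in (o.strip() for o in body.split(";") if o.strip()):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key in ("content", "uricontent"):
            tests.append((key, decode(val), {}))
        elif key in ("nocase", "depth") and tests:
            tests[-1][2][key] = int(val) if val else True  # modifies previous match
    return msg, tests

def alerts(request):
    """msg of every rule whose tests all match a raw HTTP request (bytes)."""
    uri = request.split(b" ")[1] if request.count(b" ") >= 2 else b""
    fired = []
    for msg, tests in map(parse, RULES):
        results = []
        for key, pat, mods in tests:
            # content is searched in the payload (limited by depth), uricontent in the URI
            hay = uri if key == "uricontent" else request[: mods.get("depth")]
            if mods.get("nocase"):
                hay, pat = hay.lower(), pat.lower()
            results.append(pat in hay)
        if all(results):
            fired.append(msg)
    return fired
```

Running alerts() over SAMPLES shows the first two requests firing one rule each and the third, which requests activity_log.php without a startid parameter, firing none.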



