[Snort-sigs] New rules to detect multiple SQL injection vulnerabilities in DeluxeBB

rmkml rmkml at ...324...
Mon Dec 12 01:24:01 EST 2005


Hi,

Please check and maybe add 5 new rules:

web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DeluxeBB topic.php access"; content:"GET"; nocase; depth:3; 
uricontent:"/topic.php"; nocase; uricontent:"tid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; 
reference:osvdb,19404; classtype:web-application-attack; )
web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DeluxeBB misc.php access"; content:"GET"; nocase; depth:3; 
uricontent:"/misc.php"; nocase; uricontent:"uid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; 
reference:osvdb,19405; classtype:web-application-attack; )
web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DeluxeBB pm.php access"; content:"GET"; nocase; depth:3; 
uricontent:"/pm.php"; nocase; uricontent:"uid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; 
reference:osvdb,19407; classtype:web-application-attack; )
web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DeluxeBB forums.php access"; content:"GET"; nocase; depth:3; 
uricontent:"/forums.php"; nocase; uricontent:"fid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; 
reference:osvdb,19406; classtype:web-application-attack; )
web-php.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DeluxeBB newpost.php access"; content:"GET"; nocase; 
depth:3; uricontent:"/newpost.php"; nocase; uricontent:"fid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; 
reference:nessus,19750; reference:osvdb,19408; classtype:web-application-attack; )

"Multiple SQL injection vulnerabilities in DeluxeBB 1.0 and 1.0.5 allow
remote attackers to execute arbitrary SQL commands via the (1) tid
parameter to topic.php, the uid parameter to (2) misc.php or (3)
pm.php, or the fid parameter to (3) forums.php or (4) newpost.php."

Improvements/comments are welcome.

Regards
Rmkml
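
Added example, not part of the original post: a Python emulation of the five rules above, run over constructed request lines, showing that they alert on any GET request naming the script and parameter, whatever the parameter value. It assumes no http_inspect URI normalization; the /forum/ path and the postid parameter are constructed for illustration.

```python
import re

# The five rules in the post differ only in script, parameter and OSVDB id,
# so they are rebuilt here from one template (file-name prefix dropped).
TEMPLATE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
            '(msg:"WEB-PHP DeluxeBB {s} access"; content:"GET"; nocase; depth:3; '
            'uricontent:"/{s}"; nocase; uricontent:"{p}|3D|"; nocase; '
            'reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; '
            'reference:osvdb,{o}; classtype:web-application-attack; )')
RULES = [TEMPLATE.format(s=s, p=p, o=o) for s, p, o in [
    ("topic.php", "tid", 19404), ("misc.php", "uid", 19405), ("pm.php", "uid", 19407),
    ("forums.php", "fid", 19406), ("newpost.php", "fid", 19408)]]

def decode(pattern):
    """Expand Snort |hex| escapes, e.g. 'tid|3D|' -> 'tid='."""
    return re.sub(r'\|([0-9A-Fa-f ]+)\|',
                  lambda m: bytes.fromhex(m.group(1)).decode('latin-1'), pattern)

def parse(rule):
    """Extract the options this example evaluates from a rule's option body."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    parsed = {'uricontent': []}
    for key, val in re.findall(r'(\w+)(?::\s*("[^"]*"|[^;]*))?;', body):
        val = decode(val.strip('"'))
        if key == 'uricontent':
            parsed['uricontent'].append(val.lower())   # every pattern is nocase
        elif key in ('msg', 'content', 'depth'):
            parsed[key] = val
    return parsed

def alerts(request_line):
    """Return the msg of every rule that would match this request line."""
    parts = request_line.split()
    uri = parts[1].lower() if len(parts) > 1 else ''
    hits = []
    for r in map(parse, RULES):
        method_ok = r['content'].lower() in request_line[:int(r['depth'])].lower()
        if method_ok and all(p in uri for p in r['uricontent']):
            hits.append(r['msg'])
    return hits

if __name__ == '__main__':
    for line in ['GET /forum/topic.php?tid=12 HTTP/1.0',     # ordinary request: alerts
                 'GET /forum/topic.php?postid=5 HTTP/1.0',   # "tid=" inside "postid=": alerts
                 'GET /forum/topic.php HTTP/1.0',            # no parameter: silent
                 'HEAD /forum/misc.php?uid=3 HTTP/1.0']:     # not GET: silent
        print(line, '->', alerts(line))
```

Because the patterns are plain substrings, the alert volume on a live DeluxeBB site tracks normal browsing of these scripts rather than injection attempts.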



