[Snort-sigs] Awstats Remote Code Execution

Frank Knobbe frank at ...1978...
Tue Jan 25 10:48:01 EST 2005


On Tue, 2005-01-25 at 12:49 +0000, Chas Tomlin wrote:
> http://www.k-otik.com/exploits/20050124.awexpl.c.php
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Awstats Remote Code
> Execution Attempt"; flow: from_client; pcre:"/awstats.pl\?configdir=/i";
> classtype:web-application-attack;sid:3000621; rev:1;)
> 
> I guess it could use uricontent instead of a pcre.

That's easily done. See a previous post by Nigel.

I have committed a modified version to the Bleeding rules:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"BLEEDING-EDGE
EXPLOIT Awstats Remote Code Execution Attempt"; flow:established,
from_client; pcre:"/awstats.pl\?configdir=/iU";
classtype:web-application-attack;sid:2001686; rev:1;)

Note the /iU at the end of the pcre. /U will match on URL decoded
strings.

Regards,
Frank
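
Added example (not part of the original post or the Bleeding rules): a Python sketch of why the /U modifier matters, running the thread's pattern over constructed request lines both as sent and after percent-decoding. Assumptions: `urllib.parse.unquote` stands in for Snort's URI normalization, and the helper names and sample requests are made up for illustration.

```python
import re
from urllib.parse import unquote

# Pattern from the rules in this thread; the /i flag becomes re.IGNORECASE.
PATTERN = re.compile(r"awstats.pl\?configdir=", re.IGNORECASE)

# Constructed request lines; the configdir values are harmless placeholders.
SAMPLES = [
    "GET /cgi-bin/awstats.pl?configdir=placeholder HTTP/1.0",    # plain
    "GET /cgi-bin/AWStats.pl?configdir=placeholder HTTP/1.0",    # mixed case
    "GET /cgi-bin/awstats%2Epl?configdir=placeholder HTTP/1.0",  # encoded "."
    "GET /cgi-bin/%61wstats.pl?configdir=placeholder HTTP/1.0",  # encoded "a"
    "GET /cgi-bin/awstats.pl?config=placeholder HTTP/1.0",       # other parameter
]


def request_uri(request_line):
    """Return the URI field of an HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line: %r" % request_line)
    return parts[1]


def match_raw(request_line):
    """pcre with /i only: the regex sees the bytes exactly as sent."""
    return bool(PATTERN.search(request_line))


def match_decoded(request_line):
    """Approximation of /iU: the regex sees the percent-decoded URI."""
    return bool(PATTERN.search(unquote(request_uri(request_line))))


def compare(samples=SAMPLES):
    """Return (raw_match, decoded_match) for every sample, in order."""
    return [(match_raw(s), match_decoded(s)) for s in samples]


if __name__ == "__main__":
    for line, (raw, decoded) in zip(SAMPLES, compare()):
        print("raw=%-5s decoded=%-5s %s" % (raw, decoded, line))
```

The two percent-encoded requests only match once the URI has been decoded, which is the gap the /U modifier closes.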
