[Snort-sigs] phpbb session exploit

Matt Jonkman matt at ...2436...
Tue Mar 8 13:12:47 EST 2005


Thanks for the sig Chas. It's posted, looks like there isn't much room for
falses.

I left it at any any -> any $HTTP_PORTS. I think it'll be most effective
that way, you'll see incoming attacks as well as any internal outward
attacks.

Matt

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Chas Tomlin
Sent: Tuesday, March 08, 2005 1:13 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] phpbb session exploit

alert tcp any any -> any 80  (msg:"BLEEDING-EDGE EXPLOIT phpbb Session
Cookie";content:"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%
3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D"; nocase;
classtype:web-application-attack;sid: 1; rev:1;)

http://www.k-otik.com/exploits/20050228.phpbbsession.c.php


Chas Tomlin

Systems Programmer/Administrator
School of Electronics and Computer Science
University of Southampton



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&op=ick
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs





More information about the Snort-sigs mailing list