[Snort-sigs] Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig

James Lay jlay at ...3266...
Fri Apr 24 14:16:09 EDT 2015


Pretty simple:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Vulnerable Magento Adminhtml Access"; flow:established,to_server; uricontent:"Adminhtml"; nocase; uricontent:!"|2f|admin|2f|"; nocase; reference:url,blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability; classtype:bad-unknown; sid:10000158; rev:1;)

Can't imagine running something like this over http...I suspect this 
will fire on scanners trying to exploit this, which might be helpful to 
someone.  Standard disclaimer of "this rule may suck please fix it" 
applies.

James
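
Added example, not part of the original post: a Python sketch that applies the rule's two URI conditions (contains "Adminhtml", does not contain "/admin/", both case-insensitive) to web server access-log lines, so the same match can be checked against logs after the fact. The log lines, the regex and the function names are constructed for illustration, and percent-decoding here only roughly approximates Snort's URI normalization.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined-log style), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Apr/2015:14:01:02 -0400] "GET /index.php/Adminhtml_example/index/ HTTP/1.1" 404 512
198.51.100.7 - - [24/Apr/2015:14:01:03 -0400] "POST /index.php/%41DMINHTML_example/save/ HTTP/1.1" 404 512
203.0.113.20 - - [24/Apr/2015:14:02:10 -0400] "GET /index.php/admin/Adminhtml_example/index/ HTTP/1.1" 200 2048
203.0.113.21 - - [24/Apr/2015:14:03:44 -0400] "GET /catalog/product/view/id/1 HTTP/1.1" 200 9001
"""

# source IP, method, request URI, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def rule_matches(uri):
    """Mirror the rule: uricontent:"Adminhtml"; nocase; uricontent:!"/admin/"; nocase;"""
    # Assumption: percent-decoding stands in for Snort's normalized URI buffer.
    normalized = unquote(uri).lower()
    return "adminhtml" in normalized and "/admin/" not in normalized


def scan(log_text):
    """Return (src, method, uri, status) for every request the rule would flag."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, method, uri, status = m.groups()
        if rule_matches(uri):
            hits.append((src, method, uri, int(status)))
    return hits


if __name__ == "__main__":
    for src, method, uri, status in scan(SAMPLE_LOG):
        print(f"{src} {method} {uri} -> {status}")
```

The third sample line shows the effect of the negated match: a request that carries both "Adminhtml" and "/admin/" in the URI is not flagged.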



