[Snort-sigs] FP on 31977?

Dave Killion dave.killion at ...2420...
Mon Mar 16 12:13:06 EDT 2015


That is the most horrible web-app I've seen in a long, long time.

I wonder how susceptible it is to cross-site scripting... :)

-Dave

On Mon, Mar 16, 2015 at 7:26 AM Weir, Jason <jason.weir at ...3410...> wrote:

> Getting hits on 31977 via the GET below – I believe they are false.
>
> GET /services/obituaries.ashx?IncludeSidebar=0&Name=Debra Jones
> Obituary&String=r. Memorial Home, Franklin-Tilton Road, 584 West Main St.,
> in Tilton. Deb's family requests that those wishing, may make contributions
> in her name to ;(function() { var adKeyValue = 't=';
> adKeyValue                += escape('clio=MAW'); adKeyValue +=
> escape('&cobrand=concordmonitor'); adKeyValue += escape('&linktext=The
> Make-A-Wish Foundation'); adKeyValue += escape('&linkurl=
> http://ad.doubleclick.net/ddm/clk/286988598%3B113956851%3Bl'); adKeyValue
> += escape('&fn=Debra'); adKeyValue += escape('&ln=Jones'); var adClkUrl = '
> http://pubads.g.doubleclick.net/gampad/jump?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&'
> + adKeyValue + '&sz=1x1&c=537810296'; var adImpUrl = '
> http://pubads.g.doubleclick.net/gampad/ad?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&'
> + adKeyValue + '&sz=1x1&c=537810296'; document.write(" The Make-A-Wish
> Foundation "); }()); The Make-A-Wish Foundation of New Hampshire, 814 Elm
> St., Suite 300, Manchester, NH 03101. For more information go to
> smartfuneralhome.com.&location=
> http://www.legacy.com/obituaries/concordmonitor/obituary.aspx?n=debra-ann-jones-ross&pid=174389739&fhid=13973&randomlabel=ga38770210180839515&published=Sat
> Mar 14 2015 00:00:00 GMT-0400 (Eastern Daylight Time) HTTP/1.1
>
> Looks like the function() { is what is triggering the rule.
>
> Current rule
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash
> CGI environment variable injection attempt"; flow:to_server,established;
> content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips
> drop, policy security-ips drop, ruleset community, service http;
> reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278;
> reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:4;)
>
> Will adding content:!" function() " break things?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash
> CGI environment variable injection attempt"; flow:to_server,established;
> content:!" function() "; content:"() {"; fast_pattern:only; http_uri;
> metadata:policy balanced-ips drop, policy security-ips drop, ruleset
> community, service http; reference:cve,2014-6271; reference:cve,2014-6277;
> reference:cve,2014-6278; reference:cve,2014-7169;
> classtype:attempted-admin; sid:31977; rev:5;)
>
> Jason
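To see how the proposed negated content would behave before pushing a rule change, it helps to replay both revisions of sid:31977 against the offending URI. The script below is an added example, not Snort code and not from either poster: it models Snort's `content` / `content:!` evaluation as plain substring search over a percent-decoded URI (an approximation of the normalized `http_uri` buffer), and ignores relative modifiers, fast_pattern scheduling and raw-versus-normalized buffer selection. The rule variable names, the trimmed obituary URI and the Shellshock-style probe URI are all constructed for the example; `SID_31977_ALT` is a hypothetical alternative exclusion string, not something from the thread.

```python
"""Model of how Snort's `content` and `content:!` options decide a match on
the normalized http_uri buffer, used here to check the two revisions of
sid:31977 from the thread against the obituary URI that triggered them.
Added example, not Snort's own code: plain substring search over a
percent-decoded URI, ignoring relative modifiers (distance/within),
fast_pattern scheduling and raw-vs-normalized buffer selection."""
from urllib.parse import unquote

# Content options as (pattern, negated) pairs in rule order. Snort fires the
# rule only if every non-negated pattern is found and no negated one is.
SID_31977_REV4 = [("() {", False)]
SID_31977_REV5 = [(" function() ", True), ("() {", False)]
# Hypothetical alternative exclusion (not from the thread): the string the
# obituary URI really contains, "(function() {", has no leading space.
SID_31977_ALT = [("function() {", True), ("() {", False)]

# Constructed sample URIs. The first is the request from the thread, trimmed
# and percent-encoded; the second is a Shellshock-style probe of the kind
# sid:31977 is written to catch.
OBITUARY_URI = (
    "/services/obituaries.ashx?IncludeSidebar=0&Name=Debra%20Jones%20Obituary"
    "&String=contributions%20in%20her%20name%20to%20;(function()%20{%20var%20"
    "adKeyValue%20=%20't=';%20adKeyValue%20+=%20escape('clio=MAW');%20}());"
)
PROBE_URI = "/cgi-bin/status.cgi?probe=()%20{%20:;%20};%20echo%20probe"


def normalize_uri(raw_uri: str) -> str:
    """Approximate the http_uri buffer: percent-decode the request URI."""
    return unquote(raw_uri)


def rule_matches(contents, uri: str) -> bool:
    """True if the rule would alert on this (already normalized) URI."""
    for pattern, negated in contents:
        found = pattern in uri
        # A required pattern that is absent, or an excluded pattern that is
        # present, both stop the rule from firing.
        if found == negated:
            return False
    return True


def evaluate(contents, raw_uri: str) -> bool:
    """Normalize the URI, then apply the rule's content options to it."""
    return rule_matches(contents, normalize_uri(raw_uri))


def compare_revisions(raw_uri: str) -> dict:
    """Report which rule variants alert on the given raw URI."""
    return {
        "rev4": evaluate(SID_31977_REV4, raw_uri),
        "rev5": evaluate(SID_31977_REV5, raw_uri),
        "alt": evaluate(SID_31977_ALT, raw_uri),
    }


if __name__ == "__main__":
    for name, uri in (("obituary", OBITUARY_URI), ("probe", PROBE_URI)):
        print(name, compare_revisions(uri))
```

Run as-is, the model shows that rev 5 still alerts on the obituary URI: the page text contains `;(function() {` with no space before `function`, so the negated `" function() "` is never found and does nothing. The hypothetical `"function() {"` exclusion does suppress that hit while the probe URI still alerts under every variant. Two caveats a reviewer would raise on rev 5 regardless: in Snort 2.x the negated content carries no `http_uri` modifier, so it would be searched in the raw payload rather than the normalized URI buffer this model assumes, and any negated content is also a blind spot, since a request carrying the excluded string is never alerted on, which is why narrowing the positive pattern is usually preferable to adding exclusions.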

