[Snort-sigs] New sig for detecting BlueCoat CAS v1.3.7.1 Report Email Command Injection

rmkml rmkml at ...4129...
Sun Apr 16 16:53:02 EDT 2017


Hi,

Please check a new sig for detecting BlueCoat CAS v1.3.7.1 Report Email Command Injection:

alert tcp $EXTERNAL_NET any -> $HOME_NET 8082 (msg:"WEB-MISC BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt"; flow:to_server,established; \
content:"POST"; nocase; http_method; content:"/report-email/send"; nocase; \
http_uri; content:"/dev-report-overview.html"; nocase; http_client_body; \
content:"|3B|"; http_client_body; distance:0; \
pcre:"/\/dev-report-overview\.html[^\"]*?\x3b/Pi"; reference:cve,2016-9091; \
reference:url,www.exploit-db.com/exploits/41785/; \
reference:url,bto.bluecoat.com/security-advisory/sa138; \
classtype:web-application-attack; sid:1; rev:1;)

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml
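
Added example, not part of the original post: a Python approximation of the rule's option chain, run over constructed requests to show which conditions decide an alert. The JSON field names, the host cas.example and the PLACEHOLDER text are assumptions made for the test data, and the inputs stand in for Snort's already-decoded HTTP buffers.

```python
import re

# Approximates the rule's option chain over already-decoded HTTP buffers.
# For rule review only; it is not Snort's matching engine.
URI_NEEDLE = "/report-email/send"
BODY_NEEDLE = re.compile(re.escape("/dev-report-overview.html"), re.I)
# Same pattern as the rule's pcre: P = client body, i = case-insensitive.
BODY_PCRE = re.compile(r"/dev-report-overview\.html[^\"]*?\x3b", re.I)


def rule_matches(method, uri, body):
    """Return True when every option of the posted rule would match."""
    if "POST" not in method.upper():           # content:"POST"; nocase; http_method
        return False
    if URI_NEEDLE not in uri.lower():          # content; nocase; http_uri
        return False
    first = BODY_NEEDLE.search(body)           # content; nocase; http_client_body
    if first is None:
        return False
    if ";" not in body[first.end():]:          # content:"|3B|"; distance:0
        return False
    return BODY_PCRE.search(body) is not None  # pcre:"/.../Pi"


# Constructed sample requests (field names and host are made up).
SAMPLES = [
    ("semicolon inside the quoted value", "POST", "/report-email/send",
     '{"url":"http://cas.example/dev-report-overview.html;PLACEHOLDER"}', True),
    ("semicolon only after the closing quote", "POST", "/report-email/send",
     '{"url":"http://cas.example/dev-report-overview.html","note":"a;b"}', False),
    ("mixed case URI and body", "POST", "/Report-Email/Send",
     '{"url":"/DEV-REPORT-OVERVIEW.HTML?x=1;PLACEHOLDER"}', True),
    ("GET instead of POST", "GET", "/report-email/send",
     '{"url":"/dev-report-overview.html;PLACEHOLDER"}', False),
    ("different URI", "POST", "/report-email/preview",
     '{"url":"/dev-report-overview.html;PLACEHOLDER"}', False),
]


def evaluate_samples():
    """Return (name, alerted, expected) for every constructed sample."""
    return [(n, rule_matches(m, u, b), exp) for n, m, u, b, exp in SAMPLES]


if __name__ == "__main__":
    for name, got, expected in evaluate_samples():
        print(f"{'OK ' if got == expected else 'BAD'} alert={got!s:5} {name}")
```

The second sample passes the content:"|3B|"; distance:0 check but not the pcre, so the pcre is the option that keeps a semicolon in an unrelated field from alerting.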



