[Snort-sigs] CVE-2015-2795 DotNetNuke

Y M snort at ...3751...
Fri Feb 10 04:17:36 EST 2017


I am not sure if this is still relevant. The affected version in the CVE is 07.04.00, they are on 9.0.1 now. This was only sanity checked. No pcaps available.

alert tcp $EXTERNAL_NET any -> HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke administration authentication bypass attempt"; flow:to_server,established; content:"/InstallWizard.aspx?"; fast_pattern:only; http_uri; content:"__VIEWSTATE="; distance:0; http_uri; content:"&culture="; distance:0; http_uri; content:"&executeinstall"; distance:0; http_uri; metadata:ruleset community, service http; reference:cve,2015-2794; reference:url,www.exploit-db.com/exploits/39777; classtype: attempted-admin; sid:1000823;)

Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170210/7085ea97/attachment.html>

More information about the Snort-sigs mailing list