Tuesday, 3 December 2013

Ruleset-Update: Apache OGNL Vulns, PHP/WP-Scanners

[+] new sigs:
  42000335 :: app_server.rules     :: DN APP_SERVER Java poss. OGNL-Injection / ActionSupport.getText in Request-Parameters
  42000336 :: scanner.rules        :: DN SCAN Apache Roller-Scan
  42000337 :: web_server.rules     :: DN WEB_SERVER PHP-CGI-Scan
  42000338 :: scanner.rules        :: DN SCAN WP-OptimizePress - Scan
  42000339 :: scanner.rules        :: DN SCAN WP-Content Themes-Scan

#
# sid: 42000335 |  date: 2013-12-03 - 22:49:18 | maker: lazydog
# http://security.coverity.com/advisory/2013/Oct/remote-code-execution-in-apache-roller-via-ognl-injection.html
MainRule "str:actionsupport.gettext" "msg:DN APP_SERVER Java poss. OGNL-Injection / ActionSupport.getText in Request-Parameters" "mz:URL|BODY|ARGS|$HEADERS_VAR:Cookie" "s:$ATTACK:8" id:42000335 ; 

#
# sid: 42000336 |  date: 2013-12-03 - 22:49:55 | maker: lazydog
# http://www.exploit-db.com/exploits/29859/
MainRule "str:/login.rol" "msg:DN SCAN Apache Roller-Scan" "mz:URL" "s:$UWA:8" id:42000336 ; 

#
# sid: 42000337 |  date: 2013-12-03 - 22:50:13 | maker: lazydog
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
MainRule "str:/cgi-bin/php" "msg:DN WEB_SERVER PHP-CGI-Scan" "mz:URL" "s:$ATTACK:8" id:42000337 ; 


#
# sid: 42000338 |  date: 2013-12-03 - 22:50:35 | maker: lazydog
# http://www.reddit.com/r/netsec/comments/1rrftk/optimizepress_wordpress_theme_0day_found_actively/
# http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/
MainRule "str:/wp-content/uploads/optpress/" "msg:DN SCAN WP-OptimizePress - Scan" "mz:URL" "s:$UWA:8" id:42000338 ; 


#
# sid: 42000339 |  date: 2013-12-03 - 22:50:50 | maker: lazydog
MainRule "str: /wp-content/themes/" "msg:DN SCAN WP-Content Themes-Scan" "mz:URL" "s:$UWA:8" id:42000339 ;