Tuesday, 18 March 2014

Ruleset Update: PHP Object Injection Rule and Some Spam Rules

#
# sid: 42000343 | date: 2014-03-18 - 22:41 
#
# multiple vulns found lately 
# http://karmainsecurity.com/analysis-of-the-joomla-php-object-injection-vulnerability
# https://www.mare-system.de/news/secbulletin/1392018237/
# http://vagosec.org/2013/09/wordpress-php-object-injection/
# http://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-object-injection.html
# http://www.php.net/manual/de/function.serialize.php
#
MainRule "rx:O:\d+:.*:\d+:{(s|S):\d+:.*;.*}" "msg:possible PHP Object Injection" "mz:BODY|ARGS|HEADERS" "s:$ATTACK:8" id:42000343  ;
      
(EDIT 2015-12-14 - included HEADERS in MZ, see http://blog.dorvakt.org/2015/12/ruleset-update-jenkins-exploits-joomla.html )
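To see what rule 42000343 actually catches, here is a small Python harness (an added example, not part of the ruleset or of naxsi) that applies the rule's rx: body to a few constructed values: a serialized object carrying a string property, the same payload percent-encoded as it would appear in a query string, an object with only integer properties, an empty object, a plain serialized array and ordinary text. The sample strings are constructed for this example, not taken from any incident. It assumes that a single pass of percent-decoding is a fair approximation of how naxsi normalises request data before matching, and that Python's re module treats this pattern the same way naxsi's PCRE does (both read the unquantified `{` and `}` as literal braces).

```python
import re
from urllib.parse import unquote

# The rx: body of naxsi rule 42000343, copied verbatim from the rule above.
OBJECT_INJECTION_RX = r'O:\d+:.*:\d+:{(s|S):\d+:.*;.*}'
PATTERN = re.compile(OBJECT_INJECTION_RX)

# Constructed sample values (not from a real request or incident).
# Each is shaped like the output of PHP's serialize().
SAMPLES = {
    # object with a string property: the shape the rule is written for
    "object_with_string_prop":
        'O:8:"Evil_Obj":1:{s:4:"file";s:11:"/etc/passwd";}',
    # the same payload percent-encoded, as it would travel in a query string
    "urlencoded":
        'O%3A8%3A%22Evil_Obj%22%3A1%3A%7Bs%3A4%3A%22file%22%3B'
        's%3A11%3A%22%2Fetc%2Fpasswd%22%3B%7D',
    # object wrapped inside an array: the rx is unanchored, so it still fires
    "object_nested_in_array":
        'a:1:{i:0;O:3:"Foo":1:{s:1:"x";s:1:"y";}}',
    # object whose only property is an integer: no "s:" after the brace,
    # so the rule stays silent (a gap in the pattern worth knowing about)
    "object_int_prop_only": 'O:3:"Foo":1:{i:0;i:1;}',
    # object with no properties at all: also not matched
    "empty_object": 'O:3:"Foo":0:{}',
    # plain serialized array of strings: starts with a:, never O:
    "array_of_strings": 'a:1:{s:3:"key";s:5:"value";}',
    # ordinary text
    "plain_text": 'hello world',
}


def matches_rule(value: str, url_decode: bool = True) -> bool:
    """Return True if the rule's regex fires on value.

    Assumption: naxsi inspects decoded request data, so a single
    percent-decoding pass is applied first unless url_decode is False.
    """
    data = unquote(value) if url_decode else value
    return PATTERN.search(data) is not None


def evaluate(samples=SAMPLES) -> dict:
    """Run every sample through the rule and report hit/no-hit per name."""
    return {name: matches_rule(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:26s} -> {'MATCH' if hit else 'no match'}")
```

The two negative object cases show the limit of the pattern: a serialized object whose properties are all integers, booleans or nested objects carries no `s:`/`S:` token right after the brace, so the rule does not fire. The encoded case shows why decoding before matching matters: run with `url_decode=False`, the percent-encoded payload never contains the literal `O:` the regex starts with.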


#
# sid: 42000344 | date: 2014-03-18 - 13:49 
#
# http://www.heise.de/security/meldung/Hunderte-Typo3-Webseiten-gehackt-2148372.html
#
MainRule "str:casino" "msg:Possible Casino-Spam  (casino in URL)" "mz:URL" "s:$UWA:8" id:42000344  ;
      
       

#
# sid: 42000345 | date: 2014-03-18 - 13:50 
#
# 
#
MainRule "str:roulette" "msg:Possible Casino-Spam  (roulette in URL)" "mz:URL" "s:$UWA:8" id:42000345  ;