Sunday, 26 October 2014

Ruleset-Update: Magento/MAGMI-Rules + MongoDB - Bypass


the following sigs are against exploitation of MAGMI, a popular Magento plugin with severe security problems (or rather: a backdoor with no security at all); credits go to bui from the naxsi team for pointing me to it and to @sonassi for finding and writing about the problems

an additional signature covers a MongoDB auth bypass; please read the blog post referenced in the rule's comment header for more information.


the sigs were already pushed to the repo on Wednesday last week:
https://bitbucket.org/lazy_dogtown/doxi-rules/



[+] new sigs:
  42000400 :: app_server.rules     :: MongoDB Negated Parameter Server Side JavaScript Injection Attempt
  42000401 :: web_apps.rules       :: Magento - MAGMI-Access (possible Scan)
  42000403 :: web_apps.rules       :: Magento - MAGMI - Plugin-Upload
  42000404 :: web_apps.rules       :: Magento - MAGMI - magmi_*.php - Access
  42000405 :: web_apps.rules       :: Magento - MAGMI - clearcatalog.php
  42000406 :: web_apps.rules       :: Magento - MAGMI - ajax_readlocalxml.php
  42000407 :: web_apps.rules       :: Magento - MAGMI - Access


#
# sid: 42000400 | date: 2014-10-20 - 14:31
#
# # et-inspired
# http://blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html
# https://lists.emergingthreats.net/pipermail/emerging-sigs/2014-October/024974.html
#
MainRule "str:[$ne]" "msg:MongoDB Negated Parameter Server Side JavaScript Injection Attempt" "mz:BODY|ARGS" "s:$ATTACK:8" id:42000400  ;

#
# sid: 42000407 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/magmi/" "msg:Magento - MAGMI - Access" "mz:URL" "s:$ATTACK:8" id:42000407  ;
    
      
#
# sid: 42000406 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/ajax_readlocalxml.php" "msg:Magento - MAGMI - ajax_readlocalxml.php" "mz:URL" "s:$ATTACK:8" id:42000406  ;
    
      
#
# sid: 42000405 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/clearcatalog.php" "msg:Magento - MAGMI - clearcatalog.php" "mz:URL" "s:$ATTACK:8" id:42000405  ;
    
      
#
# sid: 42000404 | date: 2014-10-26 - 12:36
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "rx:/web/magmi_([a-z]*).php" "msg:Magento - MAGMI - magmi_*.php - Access" "mz:URL" "s:$ATTACK:8" id:42000404  ;
    
      
#
# sid: 42000403 | date: 2014-10-26 - 12:37
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/plugin_upload.php" "msg:Magento - MAGMI - Plugin-Upload" "mz:URL" "s:$ATTACK:8" id:42000403  ;
    
      
#
# sid: 42000401 | date: 2014-10-26 - 12:37
#
# https://twitter.com/sonassi/status/523176348458967040
# http://www.exploit-db.com/exploits/35052/
#
MainRule "str:/web/magmi.php" "msg:Magento - MAGMI-Access (possible Scan)" "mz:URL" "s:$ATTACK:8" id:42000401  ;
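to see what these sigs actually catch (and what they do not), here is an added example that is not part of doxi-rules or of naxsi itself: a small Python re-implementation of the matching these rules rely on (str: as a case-insensitive substring, rx: as a regex, and the zones URL/ARGS/BODY checked against the decoded path and against every decoded parameter name and value), run over a few constructed requests. The zone handling is a simplification of naxsi, not its code, and the case-insensitive rx handling is an assumption. It also shows the limit of 42000400: the literal `[$ne]` fires on `username[$ne]=x` whether sent plain or percent-encoded, but a request using another operator such as `[$gt]` is not covered by this sig.

```python
import re
from urllib.parse import unquote, unquote_plus

# The seven MainRule lines from this post, embedded so the script runs offline.
RULES_TEXT = r'''
MainRule "str:[$ne]" "msg:MongoDB Negated Parameter Server Side JavaScript Injection Attempt" "mz:BODY|ARGS" "s:$ATTACK:8" id:42000400  ;
MainRule "str:/magmi/" "msg:Magento - MAGMI - Access" "mz:URL" "s:$ATTACK:8" id:42000407  ;
MainRule "str:/web/ajax_readlocalxml.php" "msg:Magento - MAGMI - ajax_readlocalxml.php" "mz:URL" "s:$ATTACK:8" id:42000406  ;
MainRule "str:/web/clearcatalog.php" "msg:Magento - MAGMI - clearcatalog.php" "mz:URL" "s:$ATTACK:8" id:42000405  ;
MainRule "rx:/web/magmi_([a-z]*).php" "msg:Magento - MAGMI - magmi_*.php - Access" "mz:URL" "s:$ATTACK:8" id:42000404  ;
MainRule "str:/web/plugin_upload.php" "msg:Magento - MAGMI - Plugin-Upload" "mz:URL" "s:$ATTACK:8" id:42000403  ;
MainRule "str:/web/magmi.php" "msg:Magento - MAGMI-Access (possible Scan)" "mz:URL" "s:$ATTACK:8" id:42000401  ;
'''

RULE_RE = re.compile(
    r'MainRule\s+"(str|rx):(.+?)"\s+"msg:(.+?)"\s+"mz:([A-Z|]+)"\s+"s:([^"]+)"\s+id:(\d+)')


def parse_rules(text):
    """Turn MainRule lines into dicts. str: is a case-insensitive substring
    (as naxsi documents it); rx: is compiled case-insensitively too, which
    is an assumption of this simplified matcher."""
    rules = []
    for kind, pat, msg, mz, score, rid in RULE_RE.findall(text):
        rules.append({
            "id": int(rid),
            "msg": msg,
            "zones": set(mz.split("|")),
            "score": score,
            "needle": pat.lower() if kind == "str" else None,
            "regex": re.compile(pat, re.IGNORECASE) if kind == "rx" else None,
        })
    return rules


def _form_pairs(raw):
    """Decode an application/x-www-form-urlencoded string into (name, value) pairs."""
    pairs = []
    for part in raw.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def zone_strings(request):
    """Yield (zone, text) the way the rules are meant to see a request: the
    decoded URI path as URL, then every decoded parameter name and value of
    the query string (ARGS) and of a form body (BODY). Names are inspected
    too, which is what makes username[$ne]=x visible to 42000400."""
    path, _, query = request["url"].partition("?")
    yield "URL", unquote(path)
    for name, value in _form_pairs(query):
        yield "ARGS", name
        yield "ARGS", value
    for name, value in _form_pairs(request.get("body", "")):
        yield "BODY", name
        yield "BODY", value


def evaluate(rules, request):
    """Return the sorted ids of all rules that fire on one request."""
    hits = set()
    for zone, text in zone_strings(request):
        for rule in rules:
            if zone not in rule["zones"]:
                continue
            if rule["needle"] is not None and rule["needle"] in text.lower():
                hits.add(rule["id"])
            elif rule["regex"] is not None and rule["regex"].search(text):
                hits.add(rule["id"])
    return sorted(hits)


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    # NoSQL auth bypass: the operator arrives percent-encoded in a login form body
    "mongo-bypass-body": {"url": "/login", "body": "username%5B%24ne%5D=x&password%5B%24ne%5D=x"},
    # the same operator in the query string
    "mongo-bypass-args": {"url": "/api/user?id[$ne]=1"},
    # a different operator: the literal str:[$ne] does not cover it
    "mongo-gt-not-covered": {"url": "/api/user?id[$gt]="},
    "magmi-scan": {"url": "/magmi/web/magmi.php"},
    "magmi-plugin-upload": {"url": "/magmi/web/plugin_upload.php"},
    "magmi-run": {"url": "/magmi/web/magmi_run.php?profile=default"},
    "benign": {"url": "/catalog/product/view/id/42?q=shoes"},
}


def run_all(rules=None):
    """Evaluate every sample request; returns {name: [rule ids that fired]}."""
    rules = rules if rules is not None else parse_rules(RULES_TEXT)
    return {name: evaluate(rules, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, ids in run_all().items():
        print(f"{name:22s} -> {ids or 'no match'}")
```

note that every request under /magmi/ already trips 42000407, so the file-specific sigs mainly add value when MAGMI sits under a renamed directory; and that the `[a-z]*` class in 42000404 does not include underscores or digits, so only the broad `/magmi/` match covers file names outside that pattern.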


