alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; reference:url,doc.emergingthreats.net/2008671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SportsClubWebPanel; sid:2008671; rev:3;)

Added 2009-10-06 14:39:38 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; reference:url,doc.emergingthreats.net/2008671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SportsClubWebPanel; sid:2008671; rev:3;)

Added 2009-10-06 14:39:38 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; reference:url,doc.emergingthreats.net/2008671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SportsClubWebPanel; sid:2008671; rev:3;)

Added 2009-10-06 14:20:10 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; reference:url,doc.emergingthreats.net/2008671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SportsClubWebPanel; sid:2008671; rev:3;)

Added 2009-10-06 14:20:10 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; reference:url,doc.emergingthreats.net/2008671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SportsClubWebPanel; sid:2008671; rev:3;)

Added 2009-10-06 14:16:48 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; reference:url,doc.emergingthreats.net/2008671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_SportsClubWebPanel; sid:2008671; rev:3;)

Added 2009-10-06 14:16:48 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; reference:url,doc.emergingthreats.net/2008671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SportsClubWebPanel; sid:2008671; rev:2;)

Added 2009-02-25 23:30:30 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; reference:url,doc.emergingthreats.net/2008671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SportsClubWebPanel; sid:2008671; rev:2;)

Added 2009-02-25 23:30:30 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; reference:url,doc.emergingthreats.net/2008671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SportsClubWebPanel; sid:2008671; rev:2;)

Added 2009-02-25 23:27:21 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; reference:url,doc.emergingthreats.net/2008671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SportsClubWebPanel; sid:2008671; rev:2;)

Added 2009-02-25 23:27:21 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Sports Clubs Web Panel p Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?p="; nocase; pcre:"/(\.\.\/){1,}/"; classtype: web-application-attack; reference:url,www.frsirt.com/english/advisories/2008/2550; reference:url,www.milw0rm.com/exploits/6427; sid:2008671; rev:1;)

Added 2008-10-17 14:30:21 UTC

sample: (not 100% confirmed)

GET /subjects/eng/resources/ecepowerguide.htm/index.php?p=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1..
Connection: close..
Host: www.library.xxx.edu..
User-Agent: XXX<? echo "w0000t"; ?>XXX....

-- RussellFulton - 27 Nov 2008


Topic revision: r3 - 2008-11-28 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats