# sid 2009692, rev 3: flags HTTP requests from $EXTERNAL_NET to $HTTP_SERVERS whose
# URI contains "wp-admin/admin.php?" and "page=" (advisory name in the first
# reference URL: WordPress_Privileges_Unchecked).
# - The two uricontent matches are independent (no distance/within), so "page="
#   may appear anywhere in the URI. nocase modifies only the option it follows:
#   the admin.php uricontent is case-sensitive, both "page=" matches are not.
# - content:"page="; depth:60 additionally requires "page=" within the first
#   60 bytes of the payload, so a long path prefix or earlier query parameters
#   can keep the rule from firing; check coverage against how the site is deployed.
# - No option inspects the session or the caller's privileges: any external
#   request to an admin.php?page= URL matches, including legitimate administrator
#   use. classtype is web-application-activity; triage hits by source address and
#   requested page rather than treating them as confirmed abuse.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Wordpress admin.php Information Disclosure "; flow:to_server,established; uricontent:"wp-admin/admin.php?"; uricontent:"page="; nocase; content:"page="; nocase; depth:60; classtype:web-application-activity; reference:url,corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked; reference:url,seclists.org/bugtraq/2009/Jul/0043.html; reference:url,doc.emergingthreats.net/2009692; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Wordpress; sid:2009692; rev:3;)

Added 2009-08-25 12:30:38 UTC


# sid 2009692, rev 3 (same rule text and timestamp as the first listing on this page).
# Destination is $HTTP_SERVERS; matching is on the URI strings "wp-admin/admin.php?"
# and "page=" plus "page=" within the first 60 payload bytes.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Wordpress admin.php Information Disclosure "; flow:to_server,established; uricontent:"wp-admin/admin.php?"; uricontent:"page="; nocase; content:"page="; nocase; depth:60; classtype:web-application-activity; reference:url,corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked; reference:url,seclists.org/bugtraq/2009/Jul/0043.html; reference:url,doc.emergingthreats.net/2009692; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Wordpress; sid:2009692; rev:3;)

Added 2009-08-25 12:30:38 UTC


# sid 2009692, rev 2 (superseded): identical detection options to rev 3, but the
# destination is $HOME_NET instead of $HTTP_SERVERS. The discussion following this
# rule points out that sites which keep proxies out of HTTP_SERVERS rely on that
# variable to avoid alerts on traffic bound for external web sites; rev 3 makes
# that change.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Wordpress admin.php Information Disclosure "; flow:to_server,established; uricontent:"wp-admin/admin.php?"; uricontent:"page="; nocase; content:"page="; nocase; depth:60; classtype:web-application-activity; reference:url,corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked; reference:url,seclists.org/bugtraq/2009/Jul/0043.html; reference:url,doc.emergingthreats.net/2009692; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Wordpress; sid:2009692; rev:2;)

Added 2009-07-25 16:01:23 UTC

Shouldn't the destination be $HTTP_SERVERS? We exclude proxies from HTTP_SERVERS to avoid false positives on traffic destined for external web sites.

-- DavidSchweikert - 25 Aug 2009

You're right, it should be. Making the change now. Thanks!

-- MattJonkman - 25 Aug 2009


# sid 2009692, rev 2 (superseded; same rule text and timestamp as the other rev 2
# listing on this page). Destination is still $HOME_NET here.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Wordpress admin.php Information Disclosure "; flow:to_server,established; uricontent:"wp-admin/admin.php?"; uricontent:"page="; nocase; content:"page="; nocase; depth:60; classtype:web-application-activity; reference:url,corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked; reference:url,seclists.org/bugtraq/2009/Jul/0043.html; reference:url,doc.emergingthreats.net/2009692; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Wordpress; sid:2009692; rev:2;)

Added 2009-07-25 16:01:23 UTC


# sid 2009692, rev 1 (superseded): the original submission. Header and detection
# options match rev 2 (destination $HOME_NET); only the two advisory reference
# URLs are present, without the doc.emergingthreats.net and cvsweb references
# that later revisions carry.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Wordpress admin.php Information Disclosure "; flow:to_server,established; uricontent:"wp-admin/admin.php?"; uricontent:"page="; nocase; content:"page="; nocase; depth:60; classtype:web-application-activity; reference:url,corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked; reference:url,seclists.org/bugtraq/2009/Jul/0043.html; sid:2009692; rev:1;)

Added 2009-07-24 15:45:36 UTC


Topic revision: r3 - 2009-08-25 - MattJonkman
 