# sid 2009955, rev 11 (newest entry on this page). Flags a client-to-server GET on an
# established flow whose URI contains ".php~", matched case-insensitively.
# Scope is GET requests only, and uricontent matches the substring anywhere in the URI,
# not just at the end of the path.
# The alert is raised on the request alone; it does not show that the server returned PHP
# source. Triage should check the response status and body for the same request.
# The fix is on the web server: keep editor backup files ("name~") out of the document root
# or refuse to serve them.
# NOTE(review): uricontent is the older spelling of content + http_uri; newer engine
# releases may warn on or reject it, so confirm against the deployed engine version.
# Text matches the 2017-05-01 entry; the metadata option of the 2017-05-03 entry is absent.
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:11;)

Added 2017-05-05 16:58:50 UTC


# Same match options as the other rev 11 entries. The only difference is the added
# "metadata: former_category WEB_SERVER;" option, which tags the rule and is not a match
# condition.
# rev stays at 11 although the rule text differs, so sid:rev alone does not identify this
# variant when comparing deployed rule sets.
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; metadata: former_category WEB_SERVER; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:11;)

Added 2017-05-03 17:35:07 UTC


# Earliest entry on this page that carries rev:11. Apart from the rev number, the text is
# the same as the 2017-04-28 rev:10 entry: GET in the first four payload bytes plus ".php~"
# in the URI, both case-insensitive, external to home network on the HTTP ports.
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:11;)

Added 2017-05-01 16:57:58 UTC


# Only the msg punctuation changes in this entry ("URI, potential" becomes "URI - potential");
# the match options and rev:10 are unchanged from the 2015-02-04 entry.
# Log parsers or abuse-mail generators keyed on the exact msg string may need updating,
# because the text changed without a rev bump.
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:10;)

Added 2017-04-28 17:24:32 UTC


# msg now names ".php~" explicitly, so the alert text no longer suggests that any "~" in a
# URI (for example a /~username/ path) triggers it. The match itself was already limited
# to ".php~".
# The header changes from "alert tcp" to "alert http", and the method and URI checks use
# content:"GET "; depth:4 and uricontent instead of the http_method / http_uri content
# modifiers seen in the 2011 entries.
# rev remains 10 despite these edits.
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php~ source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:10;)

Added 2015-02-04 17:38:29 UTC


# Same options as the 2011-09-14 entry, with classtype moved after the reference options.
# GET is matched in the http_method buffer and ".php~" in the http_uri buffer, both
# case-insensitive.
# msg says ".php source disclosure" although the match is on ".php~"; the comments that
# follow this entry ask for the msg to say so.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; content:"GET"; http_method; nocase; content:".php~"; nocase; http_uri; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:10;)

Added 2011-10-12 19:28:38 UTC

Please add in the msg that it is about .php~ specifically so it's clear it is not just matching any URI with a ~ in it. (For example: domain.tld/~username/index.php) We automatically generate abuse mails from the logs where this message appears and it looks rather spurious for the receiving party without this information.

-- CoolFire - 2015-02-03

Thanks, we'll get the msg fixed up today.

-- DarienH - 2015-02-04


# Differs from the 2011-02-04 entry only by dropping the cvsweb reference option.
# Match options (GET via http_method, ".php~" via http_uri) and rev:10 are unchanged.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; content:"GET"; http_method; nocase; content:".php~"; nocase; http_uri; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; sid:2009955; rev:10;)

Added 2011-09-14 22:41:55 UTC


# rev 10: the method and URI checks move to HTTP buffers (content:"GET"; http_method and
# content:".php~"; http_uri), replacing the content:"GET "; depth:4 and uricontent pair
# used in rev 9.
# The false-positive report that follows was filed against this revision ([1:2009955:10]).
# The captured request does contain "login.php~", so the signature matched as written;
# what the alert cannot tell is whether the client was hostile or the file was served.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; content:"GET"; http_method; nocase; content:".php~"; nocase; http_uri; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009955; rev:10;)

Added 2011-02-04 17:29:23 UTC

False Positive on yahoo slurp bot:

[**] [1:2009955:10] ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability [**] [Classification: Web Application Attack] [Priority: 1] 03/07-10:40:29.344913 67.195.114.243:47034 -> 38.119.100.163:80 TCP TTL:50 TOS:0x0 ID:3851 IpLen:20 DgmLen:419 DF **AP** Seq: 0x65AA3EFB Ack: 0x4F99D564 Win: 0x17 TcpLen: 32 TCP Options (3) => NOP NOP TS: 920007282 0 [Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure][Xref => http://doc.emergingthreats.net/2009955][Xref => http://seclists.org/fulldisclosure/2009/Sep/0321.html]

10:50:05.220512 IP 67.195.114.243.50873 > x.80: Flags [P.], seq 2440992321:2440992688, ack 325553844, win 23, options [nop,nop,TS val 574971618 ecr 0], length 367 E....(@.2.=\C.r.&wd....P.~.A.g............. "E^.....GET /gtgm/login.php~ HTTP/1.0 Host: www.xyz.com User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

10:40:29.344913 IP 67.195.114.243.47034 > x.80: Flags [P.], seq 1705656059:1705656426, ack 1335481700, win 23, options [nop,nop,TS val 920007282 ecr 0], length 367 E.....@.2..yC.r.&wd....Pe.>.O..d........... 6.2r....GET /gtgm/login.php~ HTTP/1.0 Host: www.xyz.com User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

-- XyLog - 07 Mar 2011


# rev 9: the source side changes from "any 1024:" to "$EXTERNAL_NET any", so only traffic
# from addresses in $EXTERNAL_NET is inspected and the source-port restriction is gone.
# Match options are unchanged from rev 7. No rev 8 entry appears on this page.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009955; rev:9;)

Added 2010-06-09 20:41:08 UTC


# rev 9, recorded twice on this page with the same timestamp. Source is "$EXTERNAL_NET any";
# the match is "GET " in the first four payload bytes plus ".php~" in the URI, both
# case-insensitive.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009955; rev:9;)

Added 2010-06-09 20:41:08 UTC


# rev 7: the flowbits:set,et.tilde.sloppyadmin option of rev 6 is removed, so the rule no
# longer sets flow state and only alerts.
# Source is any address with a source port of 1024 or higher.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009955; rev:7;)

Added 2010-02-17 10:45:53 UTC


# rev 7, recorded twice on this page with the same timestamp. No flowbits option; the rule
# alerts on a GET whose URI contains ".php~", from any address with source port >= 1024.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009955; rev:7;)

Added 2010-02-17 10:45:53 UTC


# rev 6: the msg prefix changes from "ET WEB" to "ET WEB_SERVER" and the cvsweb reference
# path follows the rename. No rev 5 entry appears on this page.
# The rule still sets flowbit et.tilde.sloppyadmin on a match; no rule that reads that
# flowbit is shown on this page.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppyadmin; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009955; rev:6;)

Added 2009-10-06 14:19:04 UTC


# rev 6, recorded twice on this page with the same timestamp. Alerts on a GET whose URI
# contains ".php~" and sets flowbit et.tilde.sloppyadmin on the flow.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppyadmin; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Tilde_Disclosure; sid:2009955; rev:6;)

Added 2009-10-06 14:19:04 UTC


# rev 4: adds the doc.emergingthreats.net and cvsweb reference options. The match options
# and the flowbits:set are the same as in rev 3.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppyadmin; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Tilde_Disclosure; sid:2009955; rev:4;)

Added 2009-09-23 20:04:26 UTC


# rev 4 text, one of four identical entries on this page: GET whose URI contains ".php~",
# alert raised and flowbit et.tilde.sloppyadmin set.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppyadmin; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Tilde_Disclosure; sid:2009955; rev:4;)

Added 2009-09-23 20:04:26 UTC


# rev 4 text, one of four identical entries on this page: GET whose URI contains ".php~",
# alert raised and flowbit et.tilde.sloppyadmin set.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppyadmin; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Tilde_Disclosure; sid:2009955; rev:4;)

Added 2009-09-23 20:00:38 UTC


# rev 4 text, one of four identical entries on this page: GET whose URI contains ".php~",
# alert raised and flowbit et.tilde.sloppyadmin set.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppyadmin; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Tilde_Disclosure; sid:2009955; rev:4;)

Added 2009-09-23 20:00:38 UTC


# rev 3: flowbits:noalert is removed, so a match now raises an alert in addition to
# setting flowbit et.tilde.sloppyadmin.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppyadmin; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; sid:2009955; rev:3;)

Added 2009-09-23 16:45:43 UTC


# rev 3, recorded twice on this page with the same timestamp. No flowbits:noalert, so the
# rule both alerts and sets flowbit et.tilde.sloppyadmin.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppyadmin; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; sid:2009955; rev:3;)

Added 2009-09-23 16:45:43 UTC


# rev 2: the flowbit name changes from et.tilde.sloppy.admin to et.tilde.sloppyadmin.
# flowbits:noalert means a match only sets the flowbit and produces no alert of its own.
# NOTE(review): the rule that tests this flowbit is not on this page. It is presumably a
# companion rule on the response side; confirm before relying on this revision.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppyadmin; flowbits:noalert; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; sid:2009955; rev:2;)

Added 2009-09-23 16:00:39 UTC


# rev 2, recorded twice on this page with the same timestamp. Sets flowbit
# et.tilde.sloppyadmin on a GET whose URI contains ".php~"; flowbits:noalert suppresses
# the alert.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppyadmin; flowbits:noalert; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; sid:2009955; rev:2;)

Added 2009-09-23 16:00:39 UTC


# rev 1, the earliest entry on this page. On a client-to-server GET whose URI contains
# ".php~", the rule sets flowbit et.tilde.sloppy.admin and, because of flowbits:noalert,
# raises no alert.
# content:"GET "; depth:4 checks the first four payload bytes and uricontent checks the
# URI; both are case-insensitive.
alert tcp any 1024: -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Tilde in URI, potential .php source disclosure vulnerability"; flow:established,to_server; flowbits:set,et.tilde.sloppy.admin; flowbits:noalert; content:"GET "; depth:4; nocase; uricontent:".php~"; nocase; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; sid:2009955; rev:1;)

Added 2009-09-23 14:16:06 UTC


Topic revision: r4 - 2015-02-04 - DarienH
 