php exploit?
From: jon schatz (jon@divisionbyzero.com)
Date: 02/27/02
From: jon schatz <jon@divisionbyzero.com>
To: vuln-dev@securityfocus.com
Date: 27 Feb 2002 13:56:35 -0800
from the incidents list. has there been an "official" announcement yet?
this just hit the snort-sigs list this afternoon:
From: Brian <bmc@snort.org>
Date: Tue Feb 26, 2002 04:02:22 US/Pacific
Subject: [Snort-sigs] php overflow signatures
Below are the initial signatures for the PHP overflow that is about to
get a bunch of publication. Have fun and whatnot.
Sourceforge's CVS server is broken, so these are not yet in CVS.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overlfow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)
-jon
-- jon@divisionbyzero.com || www.divisionbyzero.com gpg key: www.divisionbyzero.com/pubkey.asc think i have a virus?: www.divisionbyzero.com/pgp.html "You are in a twisty little maze of Sendmail rules, all confusing."
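
Added example, not part of the original post or of Snort itself: a small Python sketch that decodes the content patterns of the three quoted rules and reports which sids would match constructed request payloads. It assumes a simplified matcher (rule header and flags ignored, each content searched anywhere in the payload, case-sensitive); the function names and sample payloads are hypothetical.

```python
import re

# The three rules from the message above, each rejoined onto one line.
RULES = [
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overlfow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)',
    r'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)',
]

def decode_content(pattern):
    """Decode a content string: |..| encloses hex bytes, backslash escapes one char."""
    out, in_hex, i = bytearray(), False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":
            in_hex = not in_hex
        elif in_hex:
            if not ch.isspace():          # two hex digits form one byte
                out.append(int(pattern[i:i + 2], 16))
                i += 1
        else:
            if ch == "\\":                # \: \; \" stand for the literal character
                i += 1
                ch = pattern[i]
            out += ch.encode("latin-1")
        i += 1
    return bytes(out)

def parse_rule(rule):
    """Return (sid, [content byte strings]) for one rule."""
    sid = int(re.search(r"sid:(\d+);", rule).group(1))
    contents = re.findall(r'content:"((?:\\.|[^"\\])*)"', rule)
    return sid, [decode_content(c) for c in contents]

def fired(payload):
    """Sids whose content patterns all occur in the payload (simplified matcher)."""
    return [sid for sid, pats in map(parse_rule, RULES) if all(p in payload for p in pats)]

# Constructed sample payloads (not captured traffic).
HEAD = b"POST /upload.php HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=x\r\n\r\n--x\r\n"
ORDINARY_UPLOAD = HEAD + b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n\r\nhi\r\n--x--\r\n'
MARKER_UPLOAD = HEAD + b'Content-Disposition: form-data; name="' + b"\xcc" * 5 + b'"\r\n\r\nhi\r\n--x--\r\n'
PLAIN_GET = b"GET /index.php HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for label, data in [("ordinary", ORDINARY_UPLOAD), ("marker", MARKER_UPLOAD), ("get", PLAIN_GET)]:
        print(label, fired(data))
```

Under these assumptions sid 1425 matches any ordinary multipart form upload, so it is the noisy rule of the three, while sid 1423 needs the specific name="|CC CC CC CC CC| byte pattern.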