Snort mailing list archives
Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 24 Apr 2015 12:16:09 -0600
Pretty simple: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Vulnerable Magento Adminhtml Access"; flow:established,to_server; uricontent:"Adminhtml"; nocase; uricontent:!"|2f|admin|2f|"; nocase; reference:url,blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability; classtype:bad-unknown; sid:10000158; rev:1;) Can't imagine running something like this over http...I suspect this will fire on scanners trying to exploit this, which might be helpful to someone. Standard disclaimer of "this rule may suck please fix it" applies. James ------------------------------------------------------------------------------ One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig James Lay (Apr 24)
- Re: Magento CVE-2015-1397, CVE-2015-1398, CVE-2015-1399 Sig Matt Mickel (May 14)