Vulnerability Development mailing list archives

php exploit?


From: jon schatz <jon () divisionbyzero com>
Date: 27 Feb 2002 13:56:35 -0800

from the incidents list. has there been an "official" announcement yet?

    this just hit the snort-sigs list this afternoon:
    
    From: Brian <bmc () snort org>
    Date: Tue Feb 26, 2002  04:02:22  US/Pacific
    Subject: [Snort-sigs] php overflow signatures
    
    Below are the initial signatures for the PHP overflow that is about to
    get a bunch of publication.  Have fun and whatnot.
    
    Sourceforge's CVS server is broken, so these are not yet in CVS.
    
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overlfow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)
    
    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)
    
    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)
    
-jon

-- 
jon () divisionbyzero com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing." 
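
An added example, not part of the original post or of Snort: a small Python evaluator for the `content` options of the three quoted rules, run over two constructed payloads. It assumes only that each `content` pattern must occur somewhere in the payload (ports and `flags:A+` are not modelled), and it shows that sid 1425 fires on any ordinary multipart form upload, so it needs tuning before it is useful as an alert.

```python
import re

# content options of the three quoted rules, one rule per entry
RULES = {
    1423: r'content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|";',
    1424: r'content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|";',
    1425: r'content:"Content-Disposition\:"; content:"form-data\;";',
}
CONTENT_RE = re.compile(r'content:"((?:\\.|[^"\\])*)"')

def decode_content(pattern: str) -> bytes:
    """Snort content string -> raw bytes: |..| is hex, backslash escapes a char."""
    out, i, in_hex, hexbuf = bytearray(), 0, False, ""
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":                      # toggle hex mode, flush on close
            if in_hex:
                out += bytes.fromhex(hexbuf)
                hexbuf = ""
            in_hex = not in_hex
        elif in_hex:
            hexbuf += ch
        elif ch == "\\" and i + 1 < len(pattern):
            i += 1                         # take the escaped character literally
            out += pattern[i].encode("latin-1")
        else:
            out += ch.encode("latin-1")
        i += 1
    return bytes(out)

def rule_contents(options: str) -> list:
    return [decode_content(p) for p in CONTENT_RE.findall(options)]

def matching_sids(payload: bytes) -> list:
    """sids whose every content pattern occurs (case-sensitively) in payload."""
    return [sid for sid, opts in RULES.items()
            if all(c in payload for c in rule_contents(opts))]

# Constructed sample: an ordinary browser file upload.
BENIGN_UPLOAD = (b"POST /upload.php HTTP/1.0\r\n"
                 b"Content-Type: multipart/form-data; boundary=x\r\n\r\n--x\r\n"
                 b'Content-Disposition: form-data; name="photo"; filename="a.jpg"'
                 b"\r\n\r\n...\r\n--x--\r\n")
# Constructed sample: only the byte pattern sid 1423 looks for, nothing more.
SIG_TEST = b'Content-Disposition: form-data; name="' + b"\xCC" * 5 + b'"'

if __name__ == "__main__":
    print(matching_sids(BENIGN_UPLOAD), matching_sids(SIG_TEST))
```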
