On Wednesday, February 27, 2002, at 10:32 , Tina Bird wrote:

> Presumably these are based on the info in the
> exploit, and not on actual successful compromises?

That's my guess - I'm not sure as I haven't verified this myself due to time constraints. There's a little discussion about a form upload vulnerability and a single hit for "exploit" at bugs.php.net.

From what I found in the PHP newsgroups, it looks like setting file_uploads=0 in your php.ini file blocks this.

Chris

> On Tue, 26 Feb 2002, Chris Adams wrote:
>
>> On Tuesday, February 26, 2002, at 12:28 , Jay D. Dyson wrote:
>>>> Whatever this (maybe) new bug is, it's blowing up these boxes left
>>>> and
>>>> right...can't figure it out. They're all relatively new 1.3'ish
>>>> versions I think.
>>>
>>> I've heard rumblings of an Apache/PHP exploit making the rounds.
>>> Any of these machines using PHP by chance?
>>
>> This just hit the snort-sigs list this afternoon:
>>
>> From: Brian <bmcat_private>
>> Date: Tue Feb 26, 2002 04:02:22 US/Pacific
>> Subject: [Snort-sigs] php overflow signatures
>>
>> Below are the initial signatures for the PHP overflow that is about to
>> get a bunch of publication. Have fun and whatnot.
>>
>> Sourceforge's CVS server is broken, so these are not yet in CVS.
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php
>> content-disposition memchr overlfow"; flags:A+;
>> content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|";
>> classtype:web-application-attack; sid:1423; rev:1;)
>>
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL
>> SHELLCODE
>> x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB
>> 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php
>> content-disposition"; flags:A+; content:"Content-Disposition\:";
>> content:"form-data\;"; classtype:web-application-attack; sid:1425;
>> rev:1;)
>>
>>
>> ----------------------------------------------------------------------------
>> This list is provided by the SecurityFocus ARIS analyzer service.
>> For more information on this free incident handling, management
>> and tracking system please see: http://aris.securityfocus.com
>>
>
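
Added example, not part of the original thread or of Snort itself: a minimal Python matcher that decodes the `content:` strings of the three signatures quoted above and checks them against payloads, to show what each rule will and will not fire on. It assumes every `content:` must occur somewhere in the payload, case-sensitively and in any order, and it ignores the rule header (addresses, ports) and `flags:A+`; the function names and both sample payloads are constructed for illustration.

```python
import re

# The three signatures from the quoted snort-sigs post, each joined onto one line.
RULES = [
    r'''alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overlfow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)''',
    r'''alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)''',
    r'''alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)''',
]
CONTENT_RE = re.compile(r'content:"((?:\\.|[^"\\])*)"')
SID_RE = re.compile(r'sid:(\d+);')

def parse_content(pattern):
    """Decode a Snort content string: backslash escapes plus |hex bytes| runs."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # escaped literal such as \: or \"
            out += pattern[i + 1].encode("latin-1")
            i += 2
        elif ch == "|":                           # |CC CC| style binary run
            end = pattern.index("|", i + 1)
            out += bytes.fromhex(pattern[i + 1:end])
            i = end + 1
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)

def compile_rule(rule):
    """Return (sid, [content byte patterns]) for one rule line."""
    sid = int(SID_RE.search(rule).group(1))
    return sid, [parse_content(c) for c in CONTENT_RE.findall(rule)]

COMPILED = [compile_rule(r) for r in RULES]

def matching_sids(payload):
    """Sids whose content patterns all occur in payload (case-sensitive, any order)."""
    return [sid for sid, contents in COMPILED if all(c in payload for c in contents)]

# Constructed sample payloads (not captured traffic).
BENIGN_UPLOAD = (b'POST /upload.php HTTP/1.0\r\n'
                 b'Content-Type: multipart/form-data; boundary=x\r\n\r\n'
                 b'--x\r\nContent-Disposition: form-data; name="file"; filename="a.txt"\r\n\r\n'
                 b'hello\r\n--x--\r\n')
FLAGGED_PART = b'Content-Disposition: form-data; name="' + b'\xcc' * 5 + b'"\r\n'

if __name__ == "__main__":
    print(matching_sids(BENIGN_UPLOAD))
    print(matching_sids(FLAGGED_PART))
```

Under these assumptions sid 1425 matches any ordinary multipart form upload, so on its own it indicates upload activity rather than an attack, while sid 1423 requires the run of `CC` bytes at the start of the `name` parameter.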
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 18:02:23 PST