alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; sid:2003508; rev:3;)
Added 2007-03-21 09:45:17 UTC
Removed the double slashes in the pcre, thanks for catching that Blake!
--
MattJonkman - 21 Mar 2007
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\/\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; sid:2003508; rev:2;)
Added 2007-03-20 19:20:27 UTC
There needs to be a single '/' detection when using the uri buffers.
http_inspect normalizes multiple '//' characters.
--
BlakeHartstein - 21 Mar 2007
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"redirect_to=(ht|f)tps?\://"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; sid:2003508; rev:1;)
Added 2007-03-20 16:06:59 UTC
For more info see this Bugtraq post:
http://www.securityfocus.com/archive/1/463291
--
VictorJ - 20 Mar 2007
Main Web
Main Web
Create New Topic
Index
Search
Changes
Preferences
