Last Updated: 2005-09-19 17:40:28 UTC
by Tom Liston (Version: 2)
This is an update to the Snort signature we posted earlier for the recently announced TWiki vulnerability that allows remote code execution:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\
"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; \
uricontent:"/TWikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; \
advisories/16820/; sid:2002366; rev:3;)
Note: This is a single line that has been broken to allow for better formatting in the diary. The "\" characters at the end of the lines above show where the line breaks have been added. Many thanks to Joe Esler, Chas Tomlin, Jason Brvenik, and Frank Knobbe (who, coincidentally, ported LaBrea to Win32 before I did...) and all the folks from Bleeding Edge (you guys rock!).
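To see what the rule's uricontent and pcre options alert on, the following added example (not part of the original diary or the Bleeding Edge rule set) replays the two checks in Python over constructed request URIs. Percent-decoding with unquote() is only an assumed stand-in for Snort's URI normalization (the U modifier), and the function and sample names are hypothetical.

```python
import re
from urllib.parse import unquote

# Options copied from the rule above; everything else here is constructed.
URICONTENT = "/TWikiUsers?"                                 # uricontent, nocase
RULE_PCRE = re.compile(r"rev=\d*[^\d\&\n]", re.IGNORECASE)  # pcre, /i modifier


def rule_matches(raw_uri):
    """Return True if the rule's uricontent and pcre checks both hit."""
    # Assumption: percent-decoding approximates Snort's normalized URI buffer.
    uri = unquote(raw_uri)
    if URICONTENT.lower() not in uri.lower():
        return False
    # Unanchored search: "rev=", optional digits, then one character that is
    # not a digit, "&" or newline.
    return RULE_PCRE.search(uri) is not None


# Constructed sample URIs (not taken from real traffic).
BASE = "/twiki/bin/view/Main/"
SAMPLES = [
    BASE + "TWikiUsers?rev=2",          # numeric revision: no alert
    BASE + "TWikiUsers?rev=12&raw=on",  # digits followed by "&": no alert
    BASE + "TWikiUsers?rev=",           # nothing after "rev=": no alert
    BASE + "TWikiUsers?rev=2abc",       # non-digit after the digits: alert
    BASE + "TWikiUsers?rev=2%20abc",    # decoded space after the digits: alert
    BASE + "twikiusers?REV=x",          # nocase and /i: alert
    BASE + "TWikiUsers?rev=1.3",        # "." is a non-digit: alert
    BASE + "TWikiUsers?prev=abc",       # "rev=" inside "prev=": alert
    BASE + "WebHome?rev=2abc",          # different topic, outside uricontent
]


def evaluate(samples=SAMPLES):
    """Map each sample URI to whether the rule would alert on it."""
    return {uri: rule_matches(uri) for uri in samples}


if __name__ == "__main__":
    for uri, hit in evaluate().items():
        print("ALERT " if hit else "quiet ", uri)
```

The dotted-value and "prev=" cases are the ones to watch when tuning: the pattern is unanchored and treats any non-digit other than "&" or newline after rev= as suspicious.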