Update Details

Update #3126 (12/19/2018)

2 new signatures:

HIGH	HTTP:SQL:INJ:CVE-2018-9088-RCE	HTTP: Zoho ManageEngine OpManager OpManagerFailoverUtil customerName SQL Injection
HIGH	HTTP:MICROSOFT-CVE-2018-8582-IO	HTTP: Microsoft Outlook RWZ Integer Overflow Remote Code Execution

534 updated signatures:

HIGH	HTTP:STC:DL:XLS-MERGECELLS-OF	HTTP: Microsoft Excel MergeCells Record Heap Overflow
HIGH	HTTP:IIS:NSIISLOG-CHUNKED-POST	HTTP: Chunked POST Request to nsiislog.dll
HIGH	HTTP:STC:REPRISE-PARAM-PARSE-BO	HTTP: Reprise License Manager HTTP Parameter Parsing Buffer Overflow
HIGH	HTTP:PHP:PHP-CGI-CMD-LINE-RCE	HTTP: PHP 'php-cgi' Command Line Attribute Remote Code Execution
HIGH	APP:CLAMAV-UPX-OF-HTTP	APP: ClamAV UPX File Handling Buffer Overflow (HTTP)
HIGH	HTTP:STC:DL:XBM-BO	HTTP: Firefox XBM Image Processing Buffer Overflow
HIGH	HTTP:ORACLE:GLASSFISH-MUL-XSS	HTTP: Oracle GlassFish Enterprise Server Multiple Stored Cross Site Scripting
MEDIUM	HTTP:IIS:PROPFIND	HTTP: IIS Malformed PROPFIND Remote DoS
HIGH	HTTP:HPE-INT-MGMT-INJ	HTTP: HPE Intelligent Management Center ictExpertDownload Expression Language Injection
HIGH	HTTP:CGI:ANYFORM-SEMICOLON	HTTP: Anyform Semicolon
INFO	VOIP:SKYPE:VERSION-CHECK	SKYPE: Client Version Check
MEDIUM	HTTP:MISC:MOBY-LENGTH-DOS	HTTP: Moby Malformed Content-Length DoS
MEDIUM	HTTP:CGI:LIBCGI-RFP-OVERWRITE	HTTP: LIB CGI Remote Frame Pointer Overwrite
INFO	P2P:BITTORRENT:TRACKER-QUERY	P2P: BitTorrent Tracker Query
HIGH	HTTP:STC:DL:MAL-WRI	HTTP: Microsoft WordPad Malicious File
INFO	HTTP:HOTMAIL:FILE-DOWNLOAD	HTTP: MSN Hotmail File Download
INFO	HTTP:HOTMAIL:ZIP-DOWNLOAD	HTTP: MSN Hotmail Compressed File Extension Download
HIGH	HTTP:STC:DL:VISIO-BOF	HTTP: Malformed Microsoft Office Visio File
MEDIUM	HTTP:XSS:SYMANTEC-WG	HTTP: Symantec Web Gateway Cross Site Scripting
HIGH	HTTP:STC:JAVA:RUNTIME-ENV-BO	HTTP: Sun Java RunTime Environment Buffer Overflow
LOW	FTP:USER:ACFTP-BAD-LOGIN	FTP: acFTP Invalid Login Issue
HIGH	HTTP:STC:DL:WORD-CLSID	HTTP: Microsoft Word Dangerous Embedded ClassID
HIGH	HTTP:STC:DL:ACDSEE-XBM-WIDTH	HTTP: ACD Systems ACDSee Products XBM File Handling Buffer Overflow
HIGH	HTTP:IIS:MDAC-RDS	HTTP: Microsoft IIS MDAC Remote Data Services Component Access
HIGH	HTTP:IIS:JET-DB-VBA-REMOTE-EXEC	HTTP: IIS JET Database Engine VBA Remote Execution
HIGH	HTTP:OVERFLOW:MULTIPLE-PRODUCTS	HTTP: Multiple Products Buffer Overflow
MEDIUM	HTTP:APACHE:AXIS-SOAP-DOS	HTTP: Apache Axis Multiple Vendor SOAP Arrays Denial of Service
MEDIUM	HTTP:PHP:PHPNUKE:SID-SQL-INJECT	HTTP: PHP-Nuke Modules.php SID Parameter SQL Injection
MEDIUM	HTTP:SQL:INJ:MULTI-VENDORS-1	HTTP: Multiple Vendors SQL Injection Detected (1)
MEDIUM	HTTP:SQL:INJ:MULTI-VENDORS-2	HTTP: Multiple Vendors SQL Injection Detected (2)
MEDIUM	HTTP:MISC:MUL-VEND-IMPRO-ACCESS	HTTP: Multiple Vendors Unauthorized Access Vulnerability
MEDIUM	HTTP:MISC:PRDCTS-COMMAND-EXEC	HTTP: Multiple Products Remote Command Execution
HIGH	HTTP:STC:M3U-VLC-SMB-LINK	HTTP: VideoLAN VLC Media Player SMB Link Buffer Overflow
HIGH	HTTP:STC:STREAM:QT-DESC-ATOM	HTTP: Apple QuickTime Image Descriptor Atom Parsing Memory Corruption
CRITICAL	APP:JBOSS-JMX-AUTH-BYPASS	APP: RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass
CRITICAL	TROJAN:PITTY-TIGER-ACTIVITY	TROJAN: Pitty Tiger Trojan C&C Activity Detected
HIGH	HTTP:STC:IE:HDRLOC-MSITS	HTTP: Internet Explorer Arbitrary Code Execution
HIGH	HTTP:STC:IMG:EXE-IN-IMAGE	HTTP: Executable Binary Disguised as Image
LOW	HTTP:APACHE:WEBDAV-PROPFIND	HTTP: Apache WebDav PROPFIND Directory Disclosure
HIGH	HTTP:STC:SAFARI:WEBKIT-1ST-LTR	HTTP: Apple Safari Webkit Button First-Letter Style Rendering Code Execution
HIGH	HTTP:XSS:SHAREPOINT-USER	HTTP: Microsoft Sharepoint User XSS
MEDIUM	HTTP:NETGEAR:DG834G-DEBUG-MODE	HTTP: Netgear DG834G Wireless Router Debug Mode Command
HIGH	HTTP:STC:DL:PPT-TXMASTERSTYLE	HTTP: Microsoft Powerpoint TxMasterStyle10Atom Processing Code Execution
HIGH	HTTP:STC:DL:XL-CVE-2013-1315	HTTP: Microsoft Excel CVE-2013-1315 Memory Corruption
LOW	HTTP:SQL:INJ:OSCOM	HTTP: osCommerce products_id Parameter SQL Injection
LOW	SPYWARE:AD:IZITOTOOLBAR	SPYWARE: iZito Toolbar
LOW	HTTP:PHP:PHPNUKE:VIEWADMIN	HTTP: PHP-Nuke ViewAdmin Page Unauthorized Access
LOW	HTTP:PHP:PHPNUKE:DELADMIN	HTTP: PHP-Nuke DelAdmin Page Unauthorized Access
HIGH	HTTP:CGI:AXIS-EXEC	HTTP: Axis Video Server Remote Command Execution
CRITICAL	HTTP:CGI:AXIS-ACCOUNT	HTTP: Axis Video Server Remote Account Addition
MEDIUM	HTTP:MISC:WAPP-PARAM-SEC3	HTTP: Multiple Web Application Parameter Tampering 3
CRITICAL	TROJAN:MS-04-028:BACKDOOR-LOGIN	TROJAN: MS04-028-Vector Backdoor FTP Login
MEDIUM	SMTP:OUTLOOK:VEVENT-MEMCORRUPT	SMTP: Microsoft Outlook iCal Meeting Request VEVENT Record Memory Corruption
HIGH	HTTP:STC:DL:APPLE-DMG-VOLNAME	HTTP: Apple Computer Finder DMG Volume Name Memory Corruption
MEDIUM	HTTP:PKG:NAI-PGP-ADMIN-ACCESS-1	HTTP: NAI PGP Keyserver Web Admin Access (1)
HIGH	HTTP:APACHE:MODPHP-UPLOAD-HOF	HTTP: Apache mod_php php_mime_split Heap Overflow
HIGH	HTTP:STC:DL:WIN-GDI-METAFILE	HTTP: Microsoft Windows GDI Metafile Image Handling Heap Overflow
INFO	SCAN:CORE:IIS-ASP-CHUNKED	SCAN: Core Impact IIS ASP Chunked Exploit
MEDIUM	HTTP:IIS:IIS-HTR-CHUNKED	HTTP: IIS HTR/ASP Chunked Encoding Vulnerability
HIGH	SSL:VULN:CVE-2015-0208-DOS	SSL: OpenSSL Invalid PSS Parameters Denial of Service
LOW	HTTP:XSS:MAILMAN-ADMIN	HTTP: Mailman Admin Interface Cross-Site Scripting
LOW	HTTP:XSS:MAILMAN-OPTIONS	HTTP: Mailman "options.py" Cross-Site Scripting
HIGH	SMTP:MAL:LOTUS-APPLIX	SMTP: IBM Lotus Notes Applix Graphics Parsing Buffer Overflow
CRITICAL	SMB:EXPLOIT:LLS-NAME	SMB: License Logging Service Vulnerability
HIGH	APP:HPOV:OVWEBSNMPSRV-OF	APP: HP OpenView NNM ovwebsnmpsrv.exe Command Line Argument Buffer Overflow
HIGH	SMB:MS-RAP-STACK-OV	SMB: Microsoft Remote Administration Protocol Stack Overflow
HIGH	TROJAN:CAPFIRE4-CNC	TROJAN: Capfire4 Command and Control Traffic
MEDIUM	HTTP:CGI:CDOMAINFREE-RMT-EXEC	HTTP: CDomainFree Remote Execution
CRITICAL	SMB:EXPLOIT:SMB1-CHAINING-MC	SMB: Samba SMB1 Packets Chaining Memory Corruption
HIGH	HTTP:STC:DL:WORD-SECTION-OF	HTTP: Microsoft Word Section Table Array Buffer Overflow
HIGH	HTTP:STC:DL:OO-OLE	HTTP: OpenOffice OLE File Stream Buffer Overflow
HIGH	HTTP:OWA:LOGIN-REDIR	HTTP: Outlook Web Access Login Redirection
HIGH	HTTP:STC:DL:MSPUBLISHER-OBJ	HTTP: Microsoft Publisher Object Handler Validation Code Execution
HIGH	WORM:DISTTRACK-PROPAGATION	WORM: DistTrack Propagation Execution of Dropped File
LOW	SPYWARE:AD:CASINOONNET	SPYWARE: CasinoOnNet
LOW	SPYWARE:BH:ABOUTBLANK	SPYWARE: CoolWebSearch AboutBlank Variant
HIGH	APP:VMWARE-VCENTER-CHARGEBACK	APP: VMWare VCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload
HIGH	HTTP:STC:DL:XLS-MBOF	HTTP: Microsoft Excel Multiple Buffer Overflow
HIGH	HTTP:STC:DL:MS-DOC-STREAM-CE	HTTP: Microsoft Word Document Stream Handling Code Execution
LOW	SPYWARE:AD:BLOWSEARCH	SPYWARE: Blowsearch
HIGH	HTTP:STC:DL:QT-UDTA-ATOM	HTTP: Apple QuickTime 'udta' Atom Parsing Heap Overflow Vulnerability
HIGH	HTTP:PHP:PINEAPP-LIVELOG-RCE	HTTP: PineApp Mail-SeCure Livelog.html Command Injection
MEDIUM	HTTP:PHP:PHPNUKE:QR-SQL-INJECT	HTTP: PHP-Nuke Modules.php QUERY Parameter SQL Injection
HIGH	APP:HP-SITESCOPE-CMD-INJ	APP: HP SiteScope runOMAgentCommand Command Injection
CRITICAL	IMAP:OVERFLOW:MERCUR-NTLMSSP	IMAP: Atrium Software MERCUR IMAPD NTLMSSP Command Handling Memory Corruption
LOW	SPYWARE:AD:WHENU-CLOCKSYNC	SPYWARE: Whenu.clocksync
HIGH	HTTP:STC:DL:ZIP-FOR-MEDIA	HTTP: Compressed File Downloaded for Media File Requested
HIGH	HTTP:OVERFLOW:MICROFOCUS-PST-OF	HTTP: Micro Focus GroupWise Post Office Agent Integer Overflow
MEDIUM	SPYWARE:AD:IST-ISTBAR	SPYWARE: IST.ISTbar
LOW	SPYWARE:AD:MAPQUEST-TOOLBAR	SPYWARE: MapQuest Toolbar
MEDIUM	VOIP:SIP:DIGIUM-ASTERISK-DOS	VOIP: Digium Asterisk SIP Terminated Channel ACK with SDP Denial of Service
HIGH	HTTP:STC:DL:ACDSEE-XPM-COLOR	HTTP: ACD Systems ACDSee Products XPM File Colors Parameter Buffer Overflow
LOW	SPYWARE:AD:CUSTOMTOOLBAR	SPYWARE: Custom Toolbar
MEDIUM	HTTP:SUN-GLASSFISH-AUTH-BP	HTTP: Sun Goldfish AUthentication Bypass
LOW	SPYWARE:AD:SEARCHITBAR	SPYWARE: SearchitBar
HIGH	TROJAN:THE-RAT	Trojan: The Rat Update Protocol Request
HIGH	APP:HPOV:SNMPVIEWER-APP-OF	APP: HP OpenView NNM snmpviewer.exe App Parameter Stack Buffer Overflow
HIGH	APP:HPOV:DEMANDPOLL-FMT-STR	APP: HP OpenView Network Node Manager ovet_demandpoll.exe Format String Code Execution
MEDIUM	SPYWARE:BH:ISTSLOTCHBAR	SPYWARE: IST-Slotchbar
LOW	SPYWARE:AD:WHENUWEATHERCAST	SPYWARE: WhenU-Weathercast
HIGH	HTTP:PHP:PHP-CAL-FILE-INC	HTTP: PHP-Calendar File Include Vulnerability
MEDIUM	SPYWARE:KL:CODENAMEALVIN	SPYWARE: Codename Alvin
HIGH	HTTP:YOUNGZSOFT-MAILCOM-BO	HTTP: Youngzsoft CMailServer CMailCOM ActiveX Control Buffer Overflow
HIGH	HTTP:STC:DL:ASF-SR	HTTP: ASF Sample Rate Code Execution
HIGH	APP:SITEMINDER-AUTH-REDIR	APP: Netegrity Siteminder Authentication Redirection
HIGH	HTTP:ROBOHELP-SQL-INJ	HTTP: Adobe RoboHelp Server SQL Injection Vulnerability
HIGH	CHAT:MSN:PIDGIN-MSN-IO	CHAT: Pidgin MSN MSNP2P Message Integer Overflow
LOW	SPYWARE:AD:KEENVALUE	SPYWARE: KeenValue
MEDIUM	HTTP:XSS:MERCURY-BOARD	HTTP: MercuryBoard PM Tile Injection
HIGH	HTTP:STC:DL:ISPVM-SYS-XCF-BOF	HTTP: ispVM System xcf File Buffer Overflow
HIGH	HTTP:STC:IE:HFS-CVE-2014-6332	HTTP: Possible EK HFS CVE-2014-6332 Attempt
LOW	SPYWARE:AD:BARGAINBUDDY	SPYWARE: BargainBuddy
LOW	SPYWARE:BH:DAOSEARCH	SPYWARE: DaoSearch
HIGH	APP:ORACLE:BUSINESS-FLSHSVC-RCE	APP: Oracle Business Transaction Management Server FlashTunnelService Remote Code Execution
LOW	SPYWARE:AD:ZAPSPOT	SPYWARE: ZapSpot
LOW	SPYWARE:BH:COUPONBAR	SPYWARE: CouponBar
MEDIUM	HTTP:SQLINJ-VAR-PRODUCTS	HTTP: SQL Injection Detection
LOW	SPYWARE:BH:BLAZEFIND	SPYWARE: BlazeFind
HIGH	SPYWARE:TROJAN:HATREDFIEND	SPYWARE: HatredFiend
HIGH	SPYWARE:KL:007SPYSOFTWARE-SMTP	SPYWARE: 007 Spy Software (SMTP)
HIGH	SPYWARE:KL:007SPYSOFTWARE-FTP	SPYWARE: 007 Spy Software (FTP)
HIGH	HTTP:STC:DL:PPT-VIEWER-MEMALLOC	HTTP: Microsoft PowerPoint Viewer Memory Allocation Code Execution
MEDIUM	SPYWARE:KL:NETTRACK-SPY	SPYWARE: Nettrack-Spy
LOW	SPYWARE:AD:SPYWARENUKER	SPYWARE: SpyWareNuker
HIGH	SPYWARE:KL:ELITEKEYLOGGER	SPYWARE: EliteKeylogger
MEDIUM	HTTP:XSS:SUBRION-CMS	HTTP: Subrion CMS Cross Site Scripting
LOW	SPYWARE:BH:STUMBLEUPON	SPYWARE: StumbleUpon
HIGH	HTTP:STC:DL:MS-PUBLISHER-MC	HTTP: Microsoft Office Publisher Memory Corruption
LOW	SPYWARE:AD:HOTBOTDESKBAR	SPYWARE: HotBot Quick Search Deskbar
MEDIUM	SPYWARE:KL:CAM2FTP	SPYWARE: Cam2ftp
MEDIUM	DOS:NETDEV:WEBJET-FRAMEWORK	DOS: HP Web JetAdmin Framework Disclosure
LOW	SPYWARE:BH:CNSMIN-3721	SPYWARE: CnsMin-3721
LOW	SPYWARE:AD:EZULA-TOPTEXT	SPYWARE: EZula-TopText
LOW	SPYWARE:AD:TRELLIANTOOLBAR	SPYWARE: TrellianToolbar
LOW	SPYWARE:AD:ESYNDICATE	SPYWARE: eSyndicate
INFO	SPYWARE:AD:ALTAVISTATOOLBAR	SPYWARE: AltaVistaToolbar
LOW	SPYWARE:AD:STARWARETOOLBAR	SPYWARE: Starware Toolbar
HIGH	APP:HP-PROCRVE-MANAGER-CE	APP: HP ProCurve Manager EJBInvokerServlet or JMXInvokerServlet Remote Code Execution
LOW	SPYWARE:AD:MIDADDLE	SPYWARE: MidAddle
MEDIUM	DNS:TUNNEL:SHORT-TTL	DNS: Short Time To Live Response
HIGH	HTTP:MISC:DLINK-INFOCGI-BO	HTTP: D-Link info.cgi POST Request Buffer Overflow
HIGH	HTTP:MISC:APSTRUTS-DEV-EXEC	HTTP: Apache Struts 2 Developer Mode OGNL Execution
LOW	SPYWARE:AD:GABESTMEDIAPLAYER	SPYWARE: Gabest Media Player Classic
HIGH	HTTP:MISC:ES-GROOVY-CODEEXEC	HTTP: ElasticSearch Search Groovy Sandbox Bypass
HIGH	HTTP:STC:DL:XLS-RTWINDOW	HTTP: Microsoft Excel rtWindow1 Record Handling Code Execution
HIGH	HTTP:STC:DL:MS-WMF-PARSE	HTTP: Microsoft Windows Graphics Rendering Engine WMF Parsing Buffer Overflow
HIGH	SPYWARE:KL:SPYOUTSIDE-SMTP	SPYWARE: Spyoutside (smtp)
MEDIUM	HTTP:PHP:PHPNUKE:BOOKMARK-SQL	HTTP: PhpNuke SQL Injection via Bookmark
MEDIUM	HTTP:XSS:PHPNUKE-BOOKMARKS	HTTP: PHP-Nuke Cross Site Script Attack via Bookmark
MEDIUM	HTTP:MISC:BEETEL-TC1-450-CSRF	HTTP: Beetel TC1-450 Wireless Router Cross Site Request Forgery
CRITICAL	SPYWARE:RAT:THEEF-2.0-CGI	SPYWARE: Theef 2.0 CGI Notification
HIGH	HTTP:CGI:SUPERMICRO-BOF	HTTP: Supermicro Onboard IPMI close_window.cgi Buffer Overflow
CRITICAL	SPYWARE:RAT:ROACH10-INITIALRESP	SPYWARE: Roach1-0 Initial Server Response
LOW	SPYWARE:AD:EARTHLINKTOOLBAR	SPYWARE: Earthlink Toolbar
CRITICAL	SPYWARE:RAT:AIR	SPYWARE: Air
HIGH	TROJAN:OLDBAIT-CHOSTICK-CHECKIN	TROJAN: OLDBAIT And Chopstick Checkin
MEDIUM	HTTP:PHP:PHPBB:DL-SQL-INJ	HTTP: phpBB Download Module SQL Injection
MEDIUM	HTTP:CISCO:NET-FILE-UPLOAD	HTTP: Cisco Prime Data Center Network Manager Arbitrary File Upload
CRITICAL	SPYWARE:TROJAN:HELIOS-ICQNOTIFY	SPYWARE: HelioS3.1 ICQ Notification
INFO	HTTP:PHP:BZOPEN-OF	HTTP: PHP BZOPEN Function Overflow
MEDIUM	HTTP:PHP:GLOBALS-INJ	HTTP: PHP GLOBALS Variable Overwrite
LOW	VIRUS:POP3:SOBER-K	VIRUS: Sober.K in POP3 Traffic
HIGH	HTTP:STC:DL:CRYSTAL-RPT-OLE	HTTP: Microsoft Visual Studio Crystal Reports RPT File Handling Code Execution
CRITICAL	SPYWARE:RAT:FEAR2-0	SPYWARE: Fear2-0
CRITICAL	SPYWARE:RAT:ANALRAPE-ICQ-NOTIFY	SPYWARE: Anal Rape 1.0 ICQ Notification
LOW	SPYWARE:GM:TWISTER	SPYWARE: Twister
HIGH	APP:HPOV:NNM-LOGIN-BOF	APP: HP OpenView Network Node Manager ovsessionmgr.exe Buffer Overflow
CRITICAL	SPYWARE:RAT:ANALFTP	SPYWARE: AnalFTP
CRITICAL	SPYWARE:RAT:MINIOBLIVION	SPYWARE: MiniOblivion
HIGH	HTTP:STC:DL:XLS-MDXTUPLE-BIFF	HTTP: Microsoft Office Excel MDXTUPLE Record Heap Buffer Overflow
LOW	P2P:MISC:MEDIASEEK-PL-CLIENT	P2P: MediaSeek-pl Client
LOW	SPYWARE:GM:ALBUMGALAXY	SPYWARE: Album Galaxy
MEDIUM	SPYWARE:TROJAN:SANDESA-ICQNOTIF	SPYWARE: Sandesa
LOW	SPYWARE:AD:PACIMEDIA	SPYWARE: Pacimedia
MEDIUM	APP:HPOV:CVE-2010-0447-RCE	APP: HP Performance Insight Helpmanager Servlet Remote Code Execution
CRITICAL	SPYWARE:KL:EYESPYPRO	SPYWARE: Eye Spy Pro
LOW	SPYWARE:DM:MYNAPSTER	SPYWARE: MyNapster
LOW	SPYWARE:BH:EXCITESEARCHBAR	SPYWARE: Excite Search Bar
HIGH	HTTP:STC:MOZILLA:XBL-TAG-RM	HTTP: Mozilla Firefox XBL Event Handler Tags Removal Memory Corruption
LOW	SPYWARE:AD:MEDIATICKETS	SPYWARE: Mediatickets
LOW	SPYWARE:BH:CWS-GONNASEARCH	SPYWARE: CoolWebSearch-GonnaSearch
HIGH	APP:HPOV:OPE-AGENT-CODA-BO	APP: HP Operations Agent Opcode coda.exe Buffer Overflow
LOW	SPYWARE:BH:THECOOLBAR	SPYWARE: TheCoolbar
CRITICAL	SMB:TRANSACTION-RESPONSE-OF	SMB: Microsoft Windows SMB Client Transaction Response Buffer Overflow
LOW	SPYWARE:AD:COMTRYMUSICDL	SPYWARE: ComTry Music Downloader
MEDIUM	HTTP:INFO-LEAK:IBM-FP-SERLET	HTTP: IBM Rational Focal Point Login And RequestAccessController Servlet Information Disclosure
HIGH	HTTP:CGI:NAGIOS-CORE-DOS	HTTP: Nagios core CGI Process_cgivars Off-By-One
HIGH	SPYWARE:KL:PROAGENT	SPYWARE: ProAgent
LOW	SPYWARE:AD:ZENOSEARCH	SPYWARE: ZenoSearch
LOW	SPYWARE:AD:SIMBAR	SPYWARE: Simbar
HIGH	HTTP:STC:JAVA:JNDI-BYPASS	HTTP: Oracle Java JNDI Sandbox Bypass
LOW	SPYWARE:AD:VIEWPOINTMEDIA	SPYWARE: Viewpoint Media Toolbar
HIGH	TROJAN:ITSOKNOPROBLEMBRO-CNC	TROJAN: itsoknoproblembro Command and Control
HIGH	HTTP:STC:STREAM:ASF-WMP	HTTP: Microsoft Windows Media Format ASF Parsing Code Execution
HIGH	HTTP:STC:DL:WORD-SPRM-MEM	HTTP: Microsoft Word Crafted Sprm Structure Stack Memory Corruption
LOW	SPYWARE:AD:GOLDENPALACECASINO	SPYWARE: Golden Palace Casino
MEDIUM	SPYWARE:KL:MASSCONNECT	SPYWARE: maSs coNNect
HIGH	HTTP:STC:DIRECTX-AVI-WAV-PARSE	HTTP: Microsoft DirectX WAV and AVI File Parsing Code Execution
MEDIUM	APP:CHKPOINT-FW-WEBUI-REDIRECT	APP: CheckPoint Firewall WebUI Arbitrary Site Redirect
LOW	SPYWARE:AD:BTGRAB	SPYWARE: BTGrab
LOW	SPYWARE:AD:DIVXPRO	SPYWARE: DivXPro
LOW	SPYWARE:AD:YELLOWBRIDGETOOLBAR	SPYWARE: YellowBridge Toolbar
HIGH	HTTP:STC:MS-FOREFRONT-RCE	HTTP: Microsoft Forefront Threat Management Gateway Client Remote Code Execution
LOW	SPYWARE:AD:HANSONELLISTOOLBAR	SPYWARE: Hanson Ellis Toolbar
MEDIUM	HTTP:STC:IMG:JPEG-SCRIPT	HTTP: Internet Explorer Cross Site Scripting Via JPEG
HIGH	HTTP:MISC:POSTER-SW-PUI-FILE-OF	HTTP: Poster Software PUBLISH-iT PUI File Processing Buffer Overflow
CRITICAL	SPYWARE:RAT:CIA1-22-HTTP	SPYWARE: CIA1-22 (HTTP)
CRITICAL	SPYWARE:RAT:CIA1-22-FTP	SPYWARE: CIA1-22 (FTP)
CRITICAL	SPYWARE:RAT:CIA1-22-ICQ	SPYWARE: CIA1-22 (ICQ Notification)
MEDIUM	APP:MISC:ARCSERVE-GETBACKUP	APP: Arcserve GetBackupPolicy Information Disclosure
CRITICAL	SPYWARE:RAT:MINICOMMAND203-ICQ	SPYWARE: Mini Command 2.0.3 (ICQ Notification)
HIGH	HTTP:STC:DL:APPLE-QT-OBJI	HTTP: Apple QuickTime Obji Atom Parsing Buffer Overflow
CRITICAL	SPYWARE:RAT:BEAST202-ICQ	SPYWARE: Beast2.02 (ICQ Notification)
CRITICAL	SPYWARE:RAT:ASSASSIN1-1-HTTP	SPYWARE: Assassin1-1 (HTTP)
HIGH	HTTP:STC:DL:VISIO-VSD-ICON	HTTP: Microsoft Office Visio VSD File Icon Bits Memory Corruption
CRITICAL	SPYWARE:RAT:EXCEPTION1-0-HTTP	SPYWARE: Exception1-0 (HTTP)
CRITICAL	SPYWARE:RAT:ERAZER-ICQ	SPYWARE: Erazer (ICQ Notification)
MEDIUM	HTTP:CGI:LISTSERV-BO	HTTP: ListServ Multiple Buffer Overflow
HIGH	HTTP:ORACLE:REPORTS-RCE	HTTP: Oracle Forms and Reports Remote Code Execution
HIGH	TROJAN:ROOTKIT-DL	TROJAN: Rootkit Downloader
HIGH	HTTP:STC:DL:PUB-TEXTBOX	HTTP: Microsoft Office Publisher File Conversion TextBox Processing Buffer Overflow
MEDIUM	HTTP:DOMINO:POST-DOS2	HTTP: Lotus Domino Post DoS (2)
HIGH	HTTP:PHP:OP5-MONITOR-CI	HTTP: OP5 Monitor Command_test.php Command Injection
HIGH	HTTP:STC:ADOBE:PS-CS4-MULTI-BO	HTTP: Adobe Photoshop CS4 Multipe File Parsing Buffer Overflow
HIGH	HTTP:STC:DL:XLS-HFPICT	HTTP: Microsoft Office Excel HFPicture Record Buffer Overflow
HIGH	HTTP:STC:DL:WORD-LINK-OBJ	HTTP: Microsoft Office Word HTML Linked Objects Memory Corruption
LOW	SPYWARE:BP:ETCETERASEARCH	SPYWARE: Etcetera Search
HIGH	HTTP:SQL:INJ:VIRT-MOB-INFRA-CE	HTTP: Trend Micro Virtual Mobile Infrastructure Command Injection
LOW	SPYWARE:AD:HSADVISORTOOLBAR	SPYWARE: HSAdvisor Toolbar
HIGH	HTTP:STC:ADOBE:CVE-2013-5332-CE	HTTP: Adobe Reader CVE-2013-5332 Remote Code Execution
MEDIUM	HTTP:PHP:TIKIWIKI-CMD-EXEC	HTTP: TikiWiki Upload PHP Command Execution
HIGH	HTTP:PHP:CACTI-RRD-FILE-INC	HTTP: Cacti RRD Remote File Inclusion
HIGH	TROJAN:EAGHOUSE	TROJAN: EagHouse
MEDIUM	HTTP:CGI:APM-ACC-BYPASS	HTTP: Cyclades AlterPath Manager Access Bypass
LOW	SPYWARE:GM:SEARCHBOSS	SPYWARE: SearchBoss Toolbar
MEDIUM	HTTP:PHP:WP-GRAND-FLASH-ALBUM	HTTP: Wordpress GRAND Flash Album Gallery Plugin Directory Disclosure
LOW	SPYWARE:BH:EXACTSEEK	SPYWARE: ExactSeek
HIGH	HTTP:STC:DL:PPT-UNK-ANI	HTTP: Microsoft Powerpoint Unknown Animation Node Remote Code Execution
MEDIUM	HTTP:PHP:BITRIX-SITE-MGR-CS	HTTP: Bitrix Site Manager Content Spoofing
LOW	SPYWARE:BH:ADTRAFFIC	SPYWARE: Adtraffic
MEDIUM	HTTP:SQL:INJ:AGENT-ADMIN	HTTP: Immobilier CGI SQL Injection
MEDIUM	HTTP:CYCLADES:CONSOLE-CON	HTTP: Cyclades AlterPath Manager consoleConnect.jsp Arbitrary Console Connection
MEDIUM	HTTP:CYCLADES:SAVEUSER-PRIV	HTTP: Cyclades AlterPath Manager saveUser.do Privilege Escalation
MEDIUM	HTTP:PHP:SITEMAN-USER	HTTP: Siteman User Database Privilege Escalation
MEDIUM	HTTP:PKG:WEBMIN-BRUTE	HTTP: Webmin Administrator Password Brute Force
HIGH	HTTP:PHP:PHORUM:REMOTE-EXEC	HTTP: Phorum Remote PHP File Inclusion
LOW	HTTP:PHP:PHORUM:RESPONSE-SPLIT	HTTP: Phorum HTTP Response Splitting
MEDIUM	HTTP:PHP:PHP-NEWS-FILE-INC	HTTP: PHP News File Inclusion
HIGH	HTTP:STC:DL:MS-DIRECTSHOW-RCE	HTTP: Microsoft Windows DirectShow JPEG Remote Code Execution
INFO	SSL:AUDIT:DHEEXP-512CPHR-LOGJAM	SSL: OpenSSL Logjam 512-Bit DHE_EXPORT Cipher Suite
LOW	SPYWARE:AD:GROOWESEARCHBAR	SPYWARE: Groowe Search Bar
LOW	SPYWARE:BP:MACHERSTOOLBAR	SPYWARE: Machers Toolbar
LOW	SPYWARE:BH:VIPNETLINK	SPYWARE: VIP NetLink
LOW	SPYWARE:BH:QMTOOLBAR	SPYWARE: QM Toolbar
HIGH	SPYWARE:TROJAN:DLOADERAGENT-TL	SPYWARE: Trojan-Downloader-Agent-TL
HIGH	HTTP:STC:DL:WORD-REC-LEN-OF	HTTP: Microsoft Word Record Parsing Length Field Overflow
LOW	SPYWARE:BH:ABCSEARCH	SPYWARE: abcSearch
LOW	SPYWARE:AD:ZTOOLBAR	SPYWARE: ZToolbar
LOW	SPYWARE:AD:HOTOFFERS	SPYWARE: HotOffers
HIGH	FTP:OVERFLOW:ASCII-WRITE	FTP: ProFTP ASCII Off By Two Overflow
CRITICAL	SMB:OF:RPC-PNP-OF	SMB: Microsoft Windows Plug and Play Registry Key Access Buffer Overflow
HIGH	HTTP:STC:DL:OFFICE-MAL-PUB	HTTP: Malformed Microsoft Office Publisher File
MEDIUM	SPYWARE:BH:CWSSTARTPAGE-2	SPYWARE: CoolWebSearch-StartPage (2)
HIGH	SPYWARE:TROJAN:ABWIZ-C	SPYWARE: Abwiz-C
MEDIUM	HTTP:DIR:BARRACUDA-DIRTRAV	HTTP: Barracuda Spam Firewall Directory Traversal
HIGH	HTTP:STC:IMG:OFFICE-MAL-TIF	HTTP: Microsoft Office Malicious TIF File (2)
HIGH	HTTP:STC:IMG:OFFICE-MAL-TIFF3	HTTP: Microsoft Office Malicious TIFF Image (3)
HIGH	TROJAN:HTTP-ZEROACCESS-BOTNET	Trojan: HTTP ZeroAccess BotNet P2P Activity
HIGH	HTTP:STC:IMG:OFFICE-FLASHPIX2	HTTP: Microsoft Office Malicious FlashPix Image (2)
HIGH	HTTP:CGI:PERL:WEBHINT-CMD-INJ	HTTP: WebHints Command Injection
HIGH	HTTP:CGI:INCLUDER-EXEC	HTTP: Includer.cgi Remote Command Execution
CRITICAL	MS-RPC:OF:SPOOLSS-1	MS-RPC: SPOOLSS Buffer Overflow (1)
MEDIUM	HTTP:PHP:PHPBB:SEARCH-DOS	HTTP: phpBB Search Flood DoS
MEDIUM	HTTP:PHP:PHPBB:PROFILE-ADD-DOS	HTTP: phpBB Profile Add DoS
MEDIUM	HTTP:INFO-LEAK:IIS-FILE-ACCESS	HTTP: Microsoft IIS Web server Unauthorized File Access
MEDIUM	SPYWARE:BP:NEWNET	SPYWARE: New Net
HIGH	SPYWARE:KL:LTTLOGGER	SPYWARE: Lttlogger
HIGH	HTTP:VEGADNS-AXFRGET-CMDI	HTTP: VegaDNS axfr_get.php Command Injection
HIGH	APP:SYMC:LIVE-UPDATE-SEC-BYPASS	APP: Symantec LiveUpdate Administrator Security Bypass
MEDIUM	WORM:COMMWARRIORB	WORM: Commwarrior.b!sis
LOW	SPYWARE:AD:SUPERFASTMP3SEARCH	SPYWARE: Super Fast MP3 Search
LOW	SPYWARE:BH:NEED2FIND	SPYWARE: Need2Find
HIGH	HTTP:CGI:RSA-AGENT-BOF	HTTP: RSA Agent Redirect Overflow
MEDIUM	SPYWARE:AD:BLUBSTER-2X	SPYWARE: Blubster 2.0 and 2.5
HIGH	HTTP:STC:DL:MAL-MIC-BICLRUSED	HTTP: Windows Graphics Rendering Engine MIC File Malformed biClrUsed Parameter
MEDIUM	SPYWARE:TROJAN:DOWNLOADER.AB	SPYWARE: Generic Downloader.ab
LOW	SPYWARE:TROJAN:SPAM-MAXY	SPYWARE: Spam-Maxy
MEDIUM	SPYWARE:BH:COOLSEARCH	SPYWARE: Coolsearch
HIGH	HTTP:STC:DL:OUTLOOK-CE	HTTP: Microsoft Outlook SMB ATTACH_BY_REFERENCE Code Execution
MEDIUM	HTTP:STC:DL:PPT-SCRIPT	HTTP: Powerpoint Containing Script Elements
HIGH	HTTP:DIR:CA-ERWIN-WEB-PORTAL	HTTP: CA ERwin Web Portal Directory Traversal
CRITICAL	HTTP:STC:DL:CGM-IMG-BOF	HTTP: Microsoft Office CGM Image Converter Buffer Overflow (1)
HIGH	MS-RPC:OF:SRV-SVC-1	MS-RPC: Microsoft Server Service Overflow (1)
HIGH	HTTP:HPE-INSECURE-DESERIAL	HTTP: HPE Operations Orchestration Insecure Deserialization
HIGH	MS-RPC:OF:LOC-SVC-1	MS-RPC: DCE-RPC Windows RPC Locator Service Overflow (1)
HIGH	POP3:APPLE-ICAL-PARAM-BO	POP3: Apple iCal Trigger and Count Parameters Integer Overflow
HIGH	HTTP:STC:OUTLOOK:WAB-BOF	HTTP: Outlook Express Address Book Overflow
HIGH	HTTP:STC:DL:WMP-DVR-MS	HTTP: Microsoft Windows Media Player DVR-MS File Remote Code Execution
HIGH	HTTP:SEARCHBLOX-AB	HTTP: SearchBlox CVE-2015-7919 Arbitrary File Overwrite
CRITICAL	HTTP:STC:CANVAS-BABYBOTTLE-GZIP	HTTP: Canvas Babybottle gzip
HIGH	HTTP:MISC:COGENT-SERVER-CMD-INJ	HTTP: Cogent DataHub Web Server GetPermissions.asp Command Injection
HIGH	HTTP:STC:DL:CVE-2015-2477-CE	HTTP: Microsoft Office Word CVE-2015-2477 Remote Code Execution
HIGH	MS-RPC:OF:RRAS	MS-RPC: RRAS Buffer Overflow
HIGH	HTTP:PHP:WORDPRESS-REST-PE	HTTP: WordPress REST API Posts Controller Privilege Escalation
MEDIUM	HTTP:STC:JAVA:NXT-UPDTE-RA	HTTP: Oracle Java SE OCSP nextUpdate Replay Attack
MEDIUM	HTTP:PHP:BACULA-WEB-REPORT	HTTP: Bacula Web report.php Multiple Vulnerabilities
LOW	SPYWARE:AD:NABAZATOOLBAR	SPYWARE: Nabaza ToolBar
MEDIUM	HTTP:PHP:WORDPRESS-MUL-FL-GAL	HTTP: Multiple WordPress 1 Flash Gallery Plugin Vulnerabilities
MEDIUM	HTTP:PHP:WORDPRESS-MUL-GND-ALBM	HTTP: Multiple WordPress GRAND Flash Album Gallery Plugin Vulnerabilities
HIGH	HTTP:NEUTRINO-FLASH	HTTP: Neutrino Flash Exploit
CRITICAL	MS-RPC:OF:SRV-SVC-2	MS-RPC: Microsoft Server Service Overflow (2)
MEDIUM	HTTP:PHP:CONSTRUCTR-CMS-MUL	HTTP: Constructr CMS Multiple Vulnerabilities
HIGH	HTTP:STC:CVE-2018-8628-RCE	HTTP: Microsoft Powerpoint CVE-2018-8628 Remote Code Execution
HIGH	HTTP:APACHE:STRUTS-OGNL-CMDEXEC	HTTP: Apache Struts OGNL Expression Parsing Arbitrary Command Execution
HIGH	HTTP:SQL:REQ-URI	HTTP: SQL Commands Detected In HTTP URIs
HIGH	TROJAN:BACKDOOR:CHINACHOPPERCNC	TROJAN: China Chopper Webshell Command and Control Traffic
HIGH	HTTP:STC:MOZILLA:MAL-SVG-INDEX	HTTP: Firefox Malformed SVG Index Parameter
HIGH	HTTP:DOS:MUL-PRODUCTS	HTTP: Multiple Denial Of Service Vulnerability (STC)
CRITICAL	HTTP:APACHE:NOSEJOB	HTTP: Apache-nosejob.c Attempt
HIGH	HTTP:CGI:SCRUTINIZER-CE	HTTP: Scrutinizer Hidden User Remote Code Execution
HIGH	APP:SAP:SYBASE-ESPPARSE-DOS	HTTP: SAP Sybase esp_parse Null Pointer Dereference
HIGH	HTTP:STC:DL:VLC-MEDIA-PLY-BO	HTTP: VideoLAN VLC Media Player File Buffer Overflow
HIGH	HTTP:DIR:ENDECA-ETLSERVER-DT	HTTP: Oracle Endeca Information Discovery Integrator ETL Server MoveFile Directory Traversal
MEDIUM	HTTP:NOVELL:GROUPWISE-CSS	HTTP: Novell GroupWise WebAccess Cross-Site Scripting
MEDIUM	HTTP:ORACLE:COPYFILE-DIR-TRAV	HTTP: Oracle Endeca CopyFile Directory Traversal
HIGH	HTTP:STC:DL:XLS-DATA-INIT	HTTP: Excel Data Initialization Vulnerability
CRITICAL	SMB:OF:NWCW-INV-CALL	SMB: Invalid Netware Workstation Service Call
HIGH	WORM:MINIFLAME-CNC	WORM: Miniflame Command and Conrol Communication
HIGH	HTTP:MISC:SUPERMICRO-LOGIN-BO	HTTP: SuperMicro IPMI login.cgi Buffer Overflow
HIGH	HTTP:STC:ADOBE:CVE-2014-0497-MC	HTTP: Adobe Flash CVE-2014-0497 Memory Corruption
HIGH	HTTP:STC:DL:XLS-XISPARENT	HTTP: Microsoft Office Excel Xisparent Object Memory Corruption
HIGH	HTTP:PHP:4IMAGES-RFI	HTTP: 4images Remote File Inclusion
MEDIUM	HTTP:SQL:INJ:WP-UNIVERSAL-POST	HTTP: WordPress Universal Post Manager Plugin SQL Injection
MEDIUM	HTTP:XSS:WP-UNIVERSAL-POST	HTTP: WordPress Universal Post Manager Plugin Cross Site Scripting
MEDIUM	HTTP:SQL:INJ:WP-AJAX-CATEGORY	HTTP: WordPress Ajax Category Dropdown Plugin SQL Injection
CRITICAL	HTTP:NOVELL:REPORTER-AGENT	HTTP: Novell File Reporter Agent XML Parsing Remote Code Execution
MEDIUM	HTTP:PHP:WP-XML-RPC-PINGBACK-RQ	HTTP: WordPress XML RPC Pingback Request
HIGH	TROJAN:BACKDOOR:GHOSTNET-CNC	TROJAN: Backdoor.GhostNet Command and Control Traffic
MEDIUM	HTTP:NOVELL:LIVETIME-ID	HTTP: Novell Service Desk Information Disclosure
HIGH	HTTP:PHP:WP-XMLRPC-BRUTE	HTTP: WordPress XMLRPC Brute Force Login Attempt
HIGH	HTTP:MAILCHIMP-PLUGIN-PHP-CE	HTTP: MailChimp Plugin for WordPress Remote PHP Code Execution
HIGH	HTTP:MISC:CVE-2015-5718-BO	HTTP: Websense Triton Content Manager Buffer Overflow
MEDIUM	HTTP:PHP:WP-SIMPLE-ADS-MGR-MUL	HTTP: WordPress Simple Ads Manager Plugin Multiple Security Vulnerabilities
HIGH	HTTP:STC:DL:QT-PANORAMA-ATOM	HTTP: Apple QuickTime Panorama Sample Atoms Movie File Handling Buffer Overflow
HIGH	HTTP:STC:DL:PPT-OFFICEART	HTTP: Microsoft Powerpoint OfficeArtClient Remote Code Execution
HIGH	HTTP:STC:HPJ-OPTIONS	HTTP: Microsoft Help Workshop HPJ OPTIONS Section Buffer Overflow
MEDIUM	HTTP:ORACLE:DEMANTRA-FILEACCESS	HTTP: Oracle Demantra Demand Management Unauthorized File Access
HIGH	HTTP:MISC:ALIEN-VAULT-OSSIM-CE	HTTP: AlienVault OSSIM av-centerd SOAP Requests Command Execution
HIGH	HTTP:STC:SBS-TRAIN	HTTP: Step-by-Step Interactive Training Buffer Overflow
HIGH	HTTP:STC:DL:APPLE-PICT	HTTP: Apple QuickDraw PICT Images ARGB Records Handling Memory Corruption
HIGH	HTTP:INFO-LEAK:HP-SITESCOPE	HTTP: HP SiteScope integrationViewer Default Credentials
HIGH	APP:MISC:F-SECURE-WEB-BO	APP: F-Secure Products Web Console Buffer Overflow
HIGH	HTTP:XSS:SYM-GATEWAY-PHP-PAGE	HTTP: Symantec Web Gateway Multiple PHP Pages Cross Site Scripting
HIGH	HTTP:STC:DL:OO-WORD-TABLE	HTTP: OpenOffice Word Document Table Parsing Integer Underflow
MEDIUM	HTTP:SQL:INJ:MYSCHOOL	HTTP: MySchool SQL Injection
MEDIUM	HTTP:XSS:ZEN-CART	HTTP: Zen Cart Cross Site Scripting
HIGH	HTTP:APACHE:HTTP-SERVER-MOD-DOS	HTTP: Apache HTTP Server mod_deflate and mod_proxy Denial of Service
HIGH	HTTP:PHP:EGROUPWARE-FI	HTTP: eGroupware File Inclusion
MEDIUM	APP:MISC:HP-SITESCOPE-SOAP	APP: HP SiteScope SOAP Call APIPreferenceImpl Multiple Security Bypass
MEDIUM	APP:MISC:HP-SITESCOPE-DIR-TRAV	APP: HP SiteScope Directory Traversal
HIGH	HTTP:TRENDMICRO-CTRLMGR-SQLINJ	HTTP: Trend Micro Control Manager ad hoc query Module SQL Injection
HIGH	APP:NOVELL:MSNGR-CREATESEARCH	APP: Novell GroupWise Messenger createsearch Memory Corruption
HIGH	HTTP:SQL:INJ:CA-EXPORTREPORT	HTTP: CA Total Defense Suite UNCWS exportReport SQL Injection
HIGH	SMB:SAMBA:NMBD-BO	SMB: Samba nmbd Buffer Overflow
HIGH	HTTP:MS-DOT-NET-HEAP-CORRUPT	HTTP: Microsoft .NET Framework Heap Corruption
HIGH	HTTP:INFO-LEAK:HP-APISITESCOPE	HTTP: HP SiteScope SOAP Call APISiteScopeImpl Information Disclosure
HIGH	APP:NOVELL:IMANAGER-TREE-NAME	APP: Novell iManager Tree Name Denial of Service
MEDIUM	HTTP:SQL:INJ:CA-TOTAL-DEFENSE	HTTP: CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injection
INFO	HTTP:STREAM:YOUTUBE-REQ	HTTP: YouTube Video Request
HIGH	HTTP:SQL:INJ:TIVOLI-USER-UPDATE	HTTP: IBM Tivoli Provisioning Manager Express User.updateUserValue SQL Injection
HIGH	APP:SYMC:MESSAGING-DIR-TRAV	APP: Symantec Messaging Gateway Directory Traversal
MEDIUM	HTTP:ROBOHELP-SQL-INJ1	HTTP: Adobe RoboHelp Server SQL Injection Vulnerability1
HIGH	HTTP:FOXIT-FF-URL-STG-BO	HTTP: Foxit Reader Plugin for Firefox URL String Stack Buffer Overflow
HIGH	APP:MCAFEE-FIREWALL-RCE	APP: McAfee Firewall Reporter isValidClient Remote Code Execution
HIGH	HTTP:CGI:AWSTATS	HTTP: AwStat: Malicious Activity
MEDIUM	HTTP:APACHE:RPC-RAVE-INFO-DISC	HTTP: Apache Rave User RPC API Information Disclosure
HIGH	HTTP:STC:DL:GSTREAMER-QT-OF	HTTP: GStreamer QuickTime File Parsing Buffer Overflow
CRITICAL	HTTP:JAVA-UA-EXE-DL	HTTP: Executable File Downloaded by Java User Agent
HIGH	SPYWARE:KL:STARLOGGER	SPYWARE: Starlogger
HIGH	SMTP:OUTLOOK:TZID-OF	SMTP: Outlook TZID Buffer Overflow
HIGH	HTTP:NNMRPTCONFIG-EXE-RCE	HTTP: HP OpenView Network Node Manager nnmRptConfig.exe schd_select1 Remote Code Execution
MEDIUM	HTTP:SQL:INJ:SYMANTEC-IM	HTTP: Symantec IM Manager LoggedInUsers.lgx Definition File SQL Injection
MEDIUM	HTTP:XSS:CPANEL-MODULES	HTTP: cPanel Multiple Module Cross-Site Scripting
HIGH	HTTP:MISC:JENKINS-CI-CSRF	HTTP: Jenkins CI Server Multiple Cross-Site Request Forgery
HIGH	HTTP:IIS:ASP-PAGE-BOF	HTTP: Microsoft IIS Server Crafted ASP Page Buffer Overflow
HIGH	APP:HPOV:NODE-MGR-NNMRPTCONFIG	APP: HP OpenView Network Node Manager nnmRptConfig.exe Template Format String Code Execution
HIGH	HTTP:CGI:IPFIRE-PROXY-RCE	HTTP: IPFire proxy.cgi Remote Code Execution
MEDIUM	HTTP:DIR:HP-LOADRUNNER-EMU	HTTP: HP LoadRunner Virtual User Generator EmulationAdmin Directory Traversal
HIGH	HTTP:ORACLE:OUTSIDE-IN-PRDOX-BO	HTTP: Oracle Outside In Paradox Database Handling Buffer Overflow
HIGH	APP:VMWARE-OVF-FMTSTR	APP: VMware OVF Tools Format String
LOW	HTTP:PHP:PMACHINE-PATH-DISC	HTTP: pMachine Path Disclosure
HIGH	HTTP:STC:DL:WORD-SMART-TAGS	HTTP: Microsoft Word Smart Tags Code Execution
CRITICAL	HTTP:IIS:CMS:MAL-CMS-REQ	HTTP: Malformed Content Management Server Request
HIGH	HTTP:LANDESK-REMOTE-FILE-INC	HTTP: LANDesk Management Suite Remote File Inclusion
HIGH	HTTP:STC:DL:MS-OFFICE-RCE	HTTP: Microsoft Office Publisher 2007 Pointer Dereference Code Execution
HIGH	IMAP:OVERFLOW:IBM-DOMINO-OF	IMAP: IBM Domino IMAP Mailbox Name Stack Buffer Overflow
CRITICAL	HTTP:CGI:BASH-INJECTION-URL	HTTP: Multiple Products Bash Code Injection In URL
HIGH	HTTP:STC:STREAM:QT-MOV-FILE-BOF	HTTP: Apple QuickTime Movie File Clipping Region Handling Heap Buffer Overflow
HIGH	HTTP:STC:DL:MS-PUBLISHER-RCE	HTTP: Microsoft Publisher 2007 Conversion Library Code Execution
HIGH	HTTP:NOVELL:EDIR-ACCEPT-LANG-OF	HTTP: Novell eDirectory Management Console Accept-Language Buffer Overflow
CRITICAL	SPYWARE:RAT:PRORAT1-9-ICQ	SPYWARE: ProRat1-9 (ICQ Notification)
HIGH	HTTP:TREND-IWSVA-CI	HTTP: Trend Micro IWSVA ManageSRouteSettings HttpServlet Command Injection
HIGH	HTTP:STC:DL:COOLPDF-READER-BO	HTTP: CoolPDF Reader Image Stream Processing Buffer Overflow
HIGH	HTTP:STC:DL:MS-PUB-MC	HTTP: Microsoft Publisher PUB File Processing Memory Corruption
HIGH	HTTP:STC:DL:MS-WORD-XST-BOF	HTTP: Microsoft Wordpad Word Converter XST Structure Buffer Overflow
HIGH	HTTP:PHP:EXIF-HEADER-INT-OF	HTTP: Exif Header Parsing Integer Overflow
HIGH	HTTP:IIS:SHAREPOINT-2010-XSS	HTTP: SharePoint Server 2010 Cross Site Scripting Vulnerability
MEDIUM	HTTP:CISCO:PRIME-INFRA-ID	HTTP: Cisco Prime Infrastructure and Evolved Programmable Network Manager Information Disclosure
HIGH	HTTP:STC:IE:XML-MEM-COR	HTTP: Microsoft XML Core Services Integer Truncation Memory Corruption
HIGH	HTTP:IIS:MS-RD-WEB-ACCESS-XSS	HTTP: Microsoft Remote Desktop Web Access Cross Site Scripting
CRITICAL	SPYWARE:RAT:DSKLITE1-0-ICQ	SPYWARE: DSK Lite 1.0 (ICQ Notification)
MEDIUM	HTTP:MISC:MONOWALL-CSRF	HTTP: Monowall Firewall/Router Cross Site Request Forgery
MEDIUM	HTTP:XSS:SHAREPOINT-EDITFORM	HTTP: Microsoft SharePoint Server Editform Cross Site Scripting
HIGH	HTTP:ORACLE:COREL-DRAW-BO	HTTP: Oracle Outside In CorelDRAW File Parser Buffer Overflow
HIGH	HTTP:STC:ADVANTECH-WEBACCESS	HTTP: Advantech WebAccess Dashboard uploadFile Arbitrary File Upload
MEDIUM	HTTP:SQL:INJ:WP-MULTIPLE	HTTP: WordPress Multiple SQL Injection Vulnerabilities
HIGH	HTTP:CGI:TWIKI-SEARCH-CMD-EXEC	HTTP: TWiki Search Module Remote Command Execution
HIGH	HTTP:STC:DL:QT-PDAT	HTTP: Apple QuickTime PDAT Atom Parsing Buffer Overflow
CRITICAL	HTTP:MISC:TRENDMICRO-CMD-INJ	HTTP: Trend Micro Command Injection In HTTP Variables
HIGH	HTTP:TRENDMICRO-SAFESYNC-ENT-CI	HTTP: Trend Micro SafeSync for Enterprise replace_local_disk Command Injection
MEDIUM	HTTP:MISC:NG-ARB-FLUPLOAD	HTTP: Netgear ProSAFE NMS300 fileUpload.do Arbitrary File Upload
HIGH	POP3:SUSPICIOUS-HEADER	POP3: Suspicious Mail Sender with Randomized Header
HIGH	HTTP:STC:DL:WEBEX-ATAS	HTTP: Cisco WebEx Recording Format Player atas32.dll 0xBB Subrecords Integer Overflow
MEDIUM	HTTP:XSS:ORACLE-GLASSFISH	HTTP: Oracle GlassFish Enterprise Server Cross Site Scripting
MEDIUM	HTTP:XSS:MS-MULT-APPLICATION	HTTP: Microsoft Multiple Application Cross Site Scripting
MEDIUM	HTTP:XSS:WP-STATS-DASHBOARD	HTTP: WordPress WP-Stats-Dashboard Plugin Multiple Cross Site Scripting
HIGH	HTTP:STC:ADOBE:FLASH-MP4LOAD-BO	HTTP: Adobe Flash Player MP4 Loading Buffer Overflow
MEDIUM	HTTP:XSS:SYMANTEC-EP-PARAM-XSS	HTTP: Symantec Endpoint Protection URI Parameter Reflected Cross-Site Scripting
CRITICAL	HTTP:APACHE:SCALP	HTTP: Apache-scalp.c Attempt
LOW	HTTP:PHP:PHPNUKE:PRIV-ESC	HTTP: PHP-Nuke Remote Priviledge Escalation
MEDIUM	APP:MISC:ZIMBRA-COLLAB-INFODISC	APP: Zimbra Collaboration Server Local File Inclusion Information Disclosure
MEDIUM	HTTP:STC:MOZILLA:XUL-NULL-MENU	HTTP: Mozilla Firefox XUL NULL Menu Denial of Service
HIGH	HTTP:STC:DL:MS-XL-ROW-REC-BO	HTTP: Microsoft Office Excel Row Record Heap Buffer Overflow
HIGH	APP:TMIC:OFFICESCAN-PW-OF	APP: Trend Micro OfficeScan Password Data Buffer Overflow
HIGH	HTTP:MISC:NAGIOS-NWTOOL-CSRF	HTTP: Nagios Network Analyzer create Cross-Site Request Forgery
HIGH	HTTP:HPEV-RCI	HTTP: Hewlett Packard Enterprise Vertica validateAdminConfig Remote Command Injection
CRITICAL	HTTP:APACHE:STRUTS2DMI-RCE	HTTP: Apache Struts2 Dymanic Method Invocation Remote Code Execution
HIGH	HTTP:CISCO:LINKSYS-APPLY-RCE	HTTP: Linksys E1500/E2500 apply.cgi Remote Command Injection
MEDIUM	HTTP:VLCFS1	HTTP: VLC HTTPD Connection Header Format String1
MEDIUM	HTTP:SQL:INJ:WP-PHOTORACER	HTTP: Photoracer WordPress Plugin SQL Injection
MEDIUM	HTTP:COLDFUSION:CFIDE-AUTHBYPAS	HTTP: Adobe ColdFusion CFIDE Authentication Bypass
MEDIUM	HTTP:SONICWALL-GMS-RCE1	HTTP: SonicWALL GMS skipSessionCheck Remote Code Execution1
HIGH	SMB:MICROSOFT-WS-TYPECONFUSION	SMB: Microsoft Windows Search Type Confusion
MEDIUM	HTTP:SYSAX-SERVER-BOF1	HTTP: Sysax Multi Server Function Buffer Overflow1
MEDIUM	HTTP:RUBY-GEM-SEMICOLON1	HTTP: Ruby Gem Multiple Wrappers Command Injection1
HIGH	HTTP:PHP:TINYWEBGALLERY-LFI	HTTP: TinyWebGallery Local File Inclusion
MEDIUM	HTTP:EXPLOIT:SYM-FILEUPLOAD	HTTP: Symantec Backup FileUpload
HIGH	HTTP:PHP:HPE-HPEINC-RFI	HTTP: Headline Portal Engine HPEInc Parameter Multiple Remote File Inclusion
MEDIUM	HTTP:EASYLAN-REG-BOF1	HTTP: Easy LAN Folder Share .reg FIle Parsing Buffer Overflow1
HIGH	SMB:INTERNET-PRINT-SVC-INT-OF	SMB: Microsoft Windows Internet Printing Service Integer Overflow
MEDIUM	HTTP:WP-FGALLERY-MAL-FILE-HOST1	HTTP: Wordpress FGallery Plugin Malicious File Hosting1
HIGH	HTTP:STC:ACTIVEX:XML-CORE-3-0	HTTP: Microsoft XML Core Services 3.0 ActiveX Control
MEDIUM	HTTP:PHP:COOLFORUM-INJ	HTTP: CoolForum Script Injection
HIGH	HTTP:STC:HPE-LANG-INJ	HTTP: HPE Intelligent Management Center saveSelectedDevices Expression Language Injection
HIGH	HTTP:PHP:CMD-INJ	HTTP: PHP Command Injection
HIGH	HTTP:HPE-OO-DESERIALIZATION	HTTP: HPE Operations Orchestration central-remoting Insecure Deserialization
HIGH	MS-RPC:LAN-WORM-SPREAD	MS-RPC: LAN Worm Spread Attempt
HIGH	HTTP:MISC:GE-MDS-PULSENET	HTTP: General Electric MDS PulseNET Hidden Support Account Remote Code Execution
INFO	HTTP:YAHOO:ATTACHMENT-DOWNLOAD	HTTP: Yahoo Mail File Attachment Download
INFO	WORM:CONFICKER:C-ACTIVITY	WORM: Conficker.C Activity
HIGH	HTTP:PHP:OPEN-EDUCATION-SYS-RFI	HTTP: Open Educational System Remote File Inclusion
HIGH	APP:SYMC:IM-MGR-INJ	APP: Symantec IM Manager Administrator Console Code Injection
MEDIUM	SMTP:SQWEBMAIL-EMAIL-HEADER-INJ	SMTP: SqWebMail Email Header HTML Injection
HIGH	HTTP:STC:DL:DS-ATOM-TABLE	HTTP: Microsoft DirectShow Remote Code Execution
HIGH	HTTP:STC:ADOBE:PDF-FONT	HTTP: Adobe Acrobat PDF Font Overflow
HIGH	SPYWARE:LIGATS	SPYWARE: Ligats
HIGH	APP:INTERSYSTEMS-CACHE-OF	APP: InterSystems Cache 'UtilConfigHome.csp' Remote Stack Buffer Overflow
HIGH	HTTP:NOVELL:EDIR-DHOST	HTTP: Novell eDirectory dhost HTTPSTK Buffer Overflow
HIGH	SMB:SMB20-NEG-DOS	SMB: SMB 2.0 Negotiate Denial Of Service
HIGH	HTTP:CGI:MAGENTO-API-RCE	HTTP: Magento API unserialize Remote Code Execution
HIGH	HTTP:STC:DL:VISIWAVE-SITE-BOF	HTTP: VisiWave Site Survey vwr File Processing Buffer Overflow
HIGH	HTTP:PHP:TIKIWIKI-JHOT	HTTP: TikiWiki Jhot Remote Command Execution
HIGH	HTTP:STC:IE-STREAM-HDR	HTTP: Internet Explorer Stream Header
HIGH	HTTP:STC:IE:CLIP-MEM	HTTP: Microsoft Internet Explorer Clip Memory Corruption Remote Code Execution
HIGH	HTTP:STC:ADOBE:PS-TIFF-BOF	HTTP: Adobe Photoshop TIFF Parsing Heap Buffer Overflow
CRITICAL	APP:HPOV:UNAUTH-FILE-UPLOAD	APP: Hewlett-Packard Operations Manager Server Unauthorized File Upload
HIGH	HTTP:STC:DL:PUB-INDEXLIMITS	HTTP: Microsoft Publisher Invalid Index Limits Remote Code Execution
HIGH	APP:CA:ARCSRV:D2D-AXIS2-RCE	APP: CA ARCserve D2D Axis2 Default Credentials Remote Code Execution
HIGH	HTTP:STC:ADOBE:READER-U3D	HTTP: Adobe Reader U3D ShadingModifierBlock Remote Code Execution
HIGH	HTTP:ZENOSS-VER-CHECK-RCE	HTTP: Zenoss Core Version Check Remote Code Execution
MEDIUM	DB:MYSQL:FS-REQUEST	SQL: Format String In Request
LOW	SPYWARE:AD:FREESCRATCHANDWIN	SPYWARE: FreeScratchAndWin
MEDIUM	DOS:NETDEV:D-LINK-DNS-320	DOS: D-Link DNS-320 ShareCenter Denial of Service
HIGH	HTTP:OVERFLOW:EFS-FILE-SERVE-BO	HTTP: EFS Software Easy File Sharing Web Server sendemail.ghp Stack Buffer Overflow
HIGH	HTTP:EK-ANGLER-OUTBOUND-COMM	HTTP: Angler Exploit Kit Outbound Communication Attempt
HIGH	HTTP:OVERFLOW:OVWEBHELP-BO	HTTP: HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow
CRITICAL	HTTP:OVERFLOW:OPENVIEW-NNM-BO	HTTP: HP OpenView Network Node Manager Buffer Overflow
CRITICAL	APP:HPOV:OID-OF	APP: HP OpenView NNM snmp.exe Long OID Parameter
HIGH	HTTP:STC:DL:VBA-MEM-CORRUPT	HTTP: Microsoft Visual Basic for Applications Stack Memory Corruption
HIGH	HTTP:OVERFLOW:HP-POWERMAN-OF	HTTP: HP Power Manager Login Buffer Overflow
HIGH	HTTP:STC:DL:PPT-PP7-MC	HTTP: Microsoft Office PowerPoint PP7 File Handling Memory Corruption
HIGH	HTTP:STC:IE:LOCATION-X-DOMAIN	HTTP: Microsoft Internet Explorer Location Property Cross Domain Scripting
MEDIUM	HTTP:TOMCAT:URL-ENC-DIRTRAV	HTTP: Apache Tomcat allowLinking URIencoding Directory Traversal Vulnerability
HIGH	HTTP:XSS:WP-FANCYBOX-PLUGIN	HTTP: WordPress Fancybox Plugin Cross Site Scripting
MEDIUM	HTTP:IIS:ASP-FORMS-DISCLOSURE	HTTP: ASP.NET Forms Authentication Information Disclosure
HIGH	HTTP:STC:DL:MS-OBJ-PACKAGER-RCE	HTTP: Microsoft Windows Object Packager ClickOnce Object Handling Code Execution
HIGH	HTTP:MISC:HPE-FLEXFILEUPLOAD	HTTP: HPE Intelligent Management Center PLAT flexFileUpload Arbitrary File Upload
MEDIUM	HTTP:XSS:SHAREPOINT-INPLVIEW	HTTP: Microsoft SharePoint Server inplview.aspx Cross Site Scripting
HIGH	HTTP:XSS:SHAREPOINT-THEMEWEB	HTTP: Microsoft SharePoint Server themeweb.aspx Cross Site Scripting
MEDIUM	HTTP:APACHE:STRUTS2-OGNL-INJ	HTTP: Apache Struts 2 ConversionErrorInterceptor OGNL Script Injection
MEDIUM	HTTP:ORACLE:OIM-DFAULT-CRED-ID	HTTP: Oracle Identity Manager CVE-2017-10151 Default Credentials
HIGH	HTTP:STC:DL:PPT-TEXTBYTESATM-BO	HTTP: Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow
MEDIUM	HTTP:MISC:MUL-VENDORS-CSRF	HTTP: Multiple Vendors Cross Site Request Forgery
HIGH	HTTP:STC:IE:OBJ-DEL-UAF	HTTP: Microsoft Internet Explorer Unsafe Object Deletion Use-after-Free
MEDIUM	HTTP:MISC:MULTIPLE-PRDCT-CSRF	HTTP: MULTIPLE PRODUCTS CSRF
MEDIUM	HTTP:MISC:MULTI-PRDCTS-CSRF-1	HTTP: Multiple Products Cross-Site Request Forgery 1
HIGH	HTTP:STC:DL:PPT-FF-BOF	HTTP: PowerPoint File Multiples Buffer Overflow
HIGH	HTTP:XSS:OPENFIRE-USER-CREATE	HTTP: Ignite Realtime Openfire user-create.jsp Cross-Site Request Forgery
HIGH	APP:HPOV:NNM-GETNNMDATA-OF	APP: HP OpenView Network Node Manager getnnmdata.exe Parameter Overflow
MEDIUM	HTTP:COLDFUSION:CVE-2013-3336	HTTP: Adobe ColdFusion CVE-2013-3336 Information Disclosure
HIGH	HTTP:MISC:HPE-OO-RCE	HTTP: HPE Operations Orchestration Remote Code Execution
HIGH	HTTP:EK-MULTIPLE-FLASH	HTTP: Multiple Exploit Kit Flash File Download
HIGH	APP:MISC:SAP-NETWEAVER-SOAP-RCE	APP: SAP NetWeaver Unsafe SOAP Requests
MEDIUM	HTTP:MISC:MULTIPLE-VENDORS-CSRF	HTTP: Multiple Products Cross Site Request Forgery
HIGH	HTTP:MANAGENGINE-INF-DISC	HTTP: ManageEngine Multiple Products FailOverHelperServlet copyfile Information Disclosure
HIGH	HTTP:STC:DL:MAL-MOVIEMAKER	HTTP: Download of Malicious MovieMaker File
HIGH	SMTP:MICROSOFT-GDI-TIFF-RCE	SMTP: Multiple Microsoft Products TIFF Image Parsing Remote Code Execution
MEDIUM	HTTP:MISC:MUTI-PROD-COMND-EXEC	HTTP: Multiple Products Command Execution
HIGH	HTTP:STC:DL:XLS-NULL-PTR	HTTP: Microsoft Excel Null Pointer Exploit
MEDIUM	HTTP:APACHE:STRUTS-URIREDIRECT	HTTP: Apache Struts 2 Multiple URI Parameters Arbitrary Redirection
HIGH	HTTP:APACHE:STRUTS-URI-CMDEXEC	HTTP: Apache Struts 2 Multiple URI Parameters Remote Command Execution
HIGH	HTTP:STC:DL:RTF-MISMATCH	HTTP: Microsoft Word RTF Mismatch Remote Code Execution
HIGH	HTTP:STC:DL:REAL-SWF-BOF	HTTP: RealPlayer SWF Flash File Buffer Overflow
HIGH	HTTP:STC:DL:MAL-HLP-CHM	HTTP: Malformed Microsoft HLP/CHM File
HIGH	HTTP:CGI:WEB-SERVER-CGI-RCE	HTTP: EmbedThis GoAhead Web Server Remote Code Execution
HIGH	HTTP:COLDFUSION:XML-CMD-INJ	HTTP: Adobe ColdFusion/BlazeDS/LiveCycle XML Command Injection
MEDIUM	HTTP:MISC:MULTIPLE-PRODCT-CSRF	HTTP: Multiple Products Cross-Site Request Forgery 2
MEDIUM	HTTP:XSS:OUTLOOK-WEB	HTTP: Microsoft Exchange OWA XSS and Spoofing
CRITICAL	SMB:EXPLOIT:PRINT-SPOOL-BYPASS	SMB: Windows Print Spooler Authentication Bypass
HIGH	HTTP:PHP:PHP-QUOT-PRINT-ENCODE	HTTP: PHP php_quot_print_encode Heap Buffer Overflow
MEDIUM	HTTP:STC:CVE-2018-6794	HTTP: Suricata TCP Handshake Content Detection Bypass
HIGH	HTTP:MISC:NGINX-CHUNK-TRANS-DOS	HTTP: Nginx Chunked Transfer Parsing Denial of Service
HIGH	HTTP:PHP:XML-HEAP-MEM-CORR	HTTP: PHP xml_parse_into_struct Heap Memory Corruption
HIGH	HTTP:STC:DL:VISIO-VSD-MEM	HTTP: Microsoft Visio VSD File Format Memory Corruption Remote Code Execution

Details of the signatures included within this bulletin:

HTTP:STC:DL:XLS-MERGECELLS-OF - HTTP: Microsoft Excel MergeCells Record Heap Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Excel. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, j-series-9.5, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, isg-3.5.141818, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

cve: CVE-2012-0185
bugtraq: 53376

Affected Products:

Microsoft office_2007 SP3
Microsoft excel_2007 SP3
Microsoft excel_2010
Microsoft office_2010_(32-bit_edition)
Microsoft office_2010_(64-bit_edition) SP1
Microsoft excel_2007 SP2
Microsoft office_2010_(64-bit_edition)
Microsoft office_2010 (32-bit edition) SP1
Microsoft excel_2010 SP1

HTTP:IIS:NSIISLOG-CHUNKED-POST - HTTP: Chunked POST Request to nsiislog.dll

Severity: HIGH

Description:

This signature detects chunked POST requests to NSIISLOG.DLL. Attackers can exploit Windows Media Services that have logging enabled by sending a specially crafted network request, which can result in a denial of service or the execution of arbitrary code.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 7727
url: http://www.securityfocus.com/archive/1/323415
cve: CVE-2003-0227
bugtraq: 8035
cve: CVE-2003-0349

Affected Products:

Microsoft windows_2000_datacenter_server
Microsoft windows_2000_professional SP3
Microsoft windows_2000_server SP3
Microsoft windows_2000_advanced_server SP3
Microsoft windows_2000_terminal_services SP3
Microsoft windows_2000_datacenter_server SP3
Microsoft windows_2000_datacenter_server SP1
Microsoft windows_nt_server 4.0
Microsoft windows_nt_enterprise_server 4.0
Microsoft windows_2000_professional
Microsoft windows_2000_terminal_services
Microsoft windows_2000_server SP1
Microsoft windows_2000_professional SP1
Microsoft windows_2000_advanced_server SP1
Microsoft windows_2000_advanced_server SP2
Microsoft windows_2000_datacenter_server SP2
Microsoft windows_2000_server SP2
Microsoft windows_2000_server
Microsoft windows_2000_advanced_server
Microsoft windows_nt_enterprise_server 4.0 SP1
Microsoft windows_2000_terminal_services SP1
Microsoft windows_2000_terminal_services SP2
Microsoft windows_nt_enterprise_server 4.0 SP2
Microsoft windows_nt_terminal_server 4.0 SP3
Microsoft windows_nt_enterprise_server 4.0 SP4
Microsoft windows_nt_enterprise_server 4.0 SP3
Microsoft windows_nt_enterprise_server 4.0 SP5
Microsoft windows_nt_enterprise_server 4.0 SP6
Microsoft windows_nt_enterprise_server 4.0 SP6a
Microsoft windows_nt_server 4.0 SP1
Microsoft windows_nt_server 4.0 SP2
Microsoft windows_nt_server 4.0 SP3
Microsoft windows_nt_server 4.0 SP4
Microsoft windows_nt_server 4.0 SP5
Microsoft windows_nt_server 4.0 SP6
Microsoft windows_nt_server 4.0 SP6a
Microsoft windows_nt_terminal_server 4.0 SP1
Microsoft windows_nt_terminal_server 4.0 SP2
Microsoft windows_nt_terminal_server 4.0 SP4
Microsoft windows_2000_professional SP2
Microsoft windows_nt_terminal_server 4.0 SP6
Microsoft windows_nt_terminal_server 4.0 SP6a
Microsoft windows_nt_workstation 4.0 SP1
Microsoft windows_nt_workstation 4.0 SP2
Microsoft windows_nt_workstation 4.0 SP3
Microsoft windows_nt_workstation 4.0 SP4
Microsoft windows_nt_workstation 4.0 SP5
Microsoft windows_nt_workstation 4.0 SP6
Microsoft windows_nt_workstation 4.0 SP6a
Microsoft windows_nt_workstation 4.0
Microsoft windows_nt_terminal_server 4.0
Microsoft windows_nt_terminal_server 4.0 SP5

HTTP:NOVELL:LIVETIME-ID - HTTP: Novell Service Desk Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit multiple integer overflow vulnerabilities in the Novell Service Desk. A successful attack can lead to information disclosure.

Supported On:

References:

cve: CVE-2016-1594

Affected Products:

Novell service_desk 7.1

HTTP:PHP:PHP-CGI-CMD-LINE-RCE - HTTP: PHP 'php-cgi' Command Line Attribute Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known flaw in the PHP Common Gateway Interface (PHP-CGI). A successful attack could result in arbitrary code execution with the permissions of the web server process. This issue is currently being actively exploited in the wild by malicious users. Patches are available.

Supported On:

DI-Base, DI-Server, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 53388
url: http://www.kb.cert.org/vuls/id/520827
url: http://www.php.net/archive/2012.php#id2012-05-08-1
url: http://www.php.net/archive/2012.php#id2012-05-03-1
cve: CVE-2012-1823
cve: CVE-2012-2311
url: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
url: http://kb.parallels.com/en/116241

Affected Products:

Avaya aura_communication_manager_utility_services 6.2
Ubuntu ubuntu_linux 11.04 amd64
Ubuntu ubuntu_linux 11.04 ARM
Ubuntu ubuntu_linux 11.04 i386
Ubuntu ubuntu_linux 11.04 powerpc
Php php 5.3.12
Php php 5.4.2
Red_hat enterprise_linux_desktop_optional 6
Red_hat enterprise_linux_hpc_node 6
Red_hat enterprise_linux_hpc_node_optional 6
Red_hat enterprise_linux_server 6
Red_hat enterprise_linux_server_optional 6
Php php 5.3.1
Red_hat enterprise_linux_workstation_optional 6
Avaya voice_portal 5.1.2
Avaya aura_communication_manager_utility_services 6.0
Ubuntu ubuntu_linux 8.04 LTS Amd64
Ubuntu ubuntu_linux 8.04 LTS I386
Ubuntu ubuntu_linux 8.04 LTS Lpia
Ubuntu ubuntu_linux 8.04 LTS Powerpc
Ubuntu ubuntu_linux 8.04 LTS Sparc
Avaya aura_communication_manager 6.0
Suse suse_linux_enterprise_sdk 10 SP4
Suse suse_linux_enterprise_server 10 SP4
Ubuntu ubuntu_linux 10.04 Sparc
Hp hp-ux B.11.31
Avaya ip_office_application_server 6.1
Oracle enterprise_linux 6
Avaya ip_office_application_server 6.0
Avaya ip_office_application_server 8.1
Php php 5.3.7
Red_hat fedora 16
Php php 5.3.2
Oracle enterprise_linux 5
Avaya aura_application_enablement_services 5.2.3
Suse suse_linux_enterprise_sdk 11 SP2
Suse suse_linux_enterprise_server 11 SP2
Avaya voice_portal 5.1
Avaya voice_portal 5.0
Mandriva enterprise_server 5 X86 64
Php php 5.3.6
Red_hat enterprise_linux_workstation 6
Hp system_management_homepage 7.0
Turbolinux appliance_server 3.0
Turbolinux appliance_server 3.0 X64
Ubuntu ubuntu_linux 10.04 Amd64
Red_hat fedora 17
Red_hat enterprise_linux_long_life 5.3 Server
Php php 5.3.10
Hp hp-ux B.11.23
Hp system_management_homepage 6.0
Suse suse_linux_enterprise_server 11 SP1
Avaya voice_portal 5.0 SP1
Suse suse_linux_enterprise_sdk 11 SP1
Avaya aura_application_enablement_services 5.2
Avaya aura_session_manager 5.2 SP1
Avaya aura_session_manager 5.2 SP2
Avaya voice_portal 5.1
Avaya voice_portal 5.0 SP2
Ubuntu ubuntu_linux 10.04 ARM
Suse opensuse 11.4
Php php 5.3.5
Red_hat enterprise_linux_eus 5.6.z server
Mandriva enterprise_server 5
Red_hat enterprise_linux_server_eus 6.1.z
Avaya aura_application_enablement_services 6.1.1
Avaya voice_portal 5.1.1
Red_hat enterprise_linux_desktop_workstation 5 Client
Red_hat enterprise_linux 5 Server
Debian linux 6.0 ia-32
Debian linux 6.0 amd64
Debian linux 6.0 arm
Debian linux 6.0 powerpc
Debian linux 6.0 sparc
Debian linux 6.0 ia-64
Debian linux 6.0 mips
Avaya aura_application_enablement_services 5.2.1
Debian linux 6.0 s/390
Hp system_management_homepage 6.2
Red_hat enterprise_linux_server_eus 6.0
Php php 5.3.4
Avaya aura_messaging 6.0
Avaya aura_messaging 6.0.1
Php php 5.3.3
Red_hat enterprise_linux_server_optional_eus 6.1
Red_hat enterprise_linux_server_optional_eus 6.0
Hp system_management_homepage 7.1
Turbolinux client 2008
Hp system_management_homepage 6.1
Php php 5.3.8
Avaya aura_session_manager 5.2
Ubuntu ubuntu_linux 11.10 amd64
Ubuntu ubuntu_linux 11.10 i386
Avaya aura_communication_manager 6.0.1
Ubuntu ubuntu_linux 10.04 I386
Ubuntu ubuntu_linux 10.04 Powerpc
Turbolinux 11_server x64
Turbolinux 11_server
Avaya ip_office_application_server 8.0
Hp system_management_homepage 6.3
Ubuntu ubuntu_linux 12.04 LTS amd64
Ubuntu ubuntu_linux 12.04 LTS i386
Suse opensuse 12.1
Php php 5.4.0
Php php 5.4.1
Mandriva linux_mandrake 2010.1 X86 64
Mandriva linux_mandrake 2010.1
Suse suse_linux_enterprise_server_for_vmware 11 SP2
Mandriva linux_mandrake 2011
Mandriva linux_mandrake 2011 x86_64
Oracle enterprise_linux 6.2
Avaya ip_office_application_server 7.0
Suse suse_linux_enterprise_server_for_vmware 11 SP1
Red_hat fedora 15
Avaya aura_application_enablement_services 6.1
Avaya aura_communication_manager_utility_services 6.1
Avaya voice_portal 5.1 SP1
Avaya aura_application_enablement_services 5.2.2
Php php 5.3.9
Avaya aura_messaging 6.1

APP:CLAMAV-UPX-OF-HTTP - APP: ClamAV UPX File Handling Buffer Overflow (HTTP)

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in ClamAV. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the application.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 14866
cve: CVE-2005-2920

Affected Products:

Clam_anti-virus clamav 0.70.0
Clam_anti-virus clamav 0.80.0 Rc1
Clam_anti-virus clamav 0.80.0 Rc2
Clam_anti-virus clamav 0.68.0 -1
Clam_anti-virus clamav 0.80.0 Rc4
Clam_anti-virus clamav 0.60.0
Clam_anti-virus clamav 0.54.0
Clam_anti-virus clamav 0.53.0
Clam_anti-virus clamav 0.67.0
Clam_anti-virus clamav 0.51.0
Trustix secure_linux 2.2.0
Clam_anti-virus clamav 0.80.0 Rc3
Trustix secure_linux 3.0.0
Clam_anti-virus clamav 0.80.0
Clam_anti-virus clamav 0.86.0
Clam_anti-virus clamav 0.81.0
Clam_anti-virus clamav 0.84.0
Clam_anti-virus clamav 0.85.1
Clam_anti-virus clamav 0.85.0
Clam_anti-virus clamav 0.84.0 Rc2
Clam_anti-virus clamav 0.84.0 Rc1
Clam_anti-virus clamav 0.83.0
Clam_anti-virus clamav 0.82.0
Clam_anti-virus clamav 0.52.0
Conectiva linux 10.0.0
Clam_anti-virus clamav 0.86.2
Clam_anti-virus clamav 0.65.0
Clam_anti-virus clamav 0.68.0
Clam_anti-virus clamav 0.86.0 .1
Clam_anti-virus clamav 0.75.1

HTTP:STC:DL:XBM-BO - HTTP: Firefox XBM Image Processing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the FireFox XBM Image Processor. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the application's process user.

Supported On:

References:

bugtraq: 14916
cve: CVE-2005-2701

Affected Products:

Red_hat linux 7.3.0 I686
Mozilla browser 1.7.8
Slackware linux 10.2.0
Mozilla firefox 1.0.3
Mozilla browser 1.7.7
Suse linux_personal 9.0.0 X86 64
Mozilla firefox 1.0.2
Red_hat fedora Core1
Mozilla browser 1.7.0 Rc2
Mozilla browser 1.7.0 Rc1
Mozilla browser 1.7.0 Beta
Mozilla browser 1.7.0 Alpha
Suse linux_professional 10.0.0 OSS
Suse linux_personal 10.0.0 OSS
Red_hat fedora Core2
Suse suse_linux_enterprise_server 8
Suse linux_personal 9.3.0 X86 64
Mandriva linux_mandrake 10.2.0
Suse linux_enterprise_server_for_s/390 9.0.0
Slackware linux 10.1.0
Ubuntu ubuntu_linux 5.0.0 4 I386
Turbolinux turbolinux 10 F...
Ubuntu ubuntu_linux 5.0.0 4 Amd64
Red_hat fedora Core3
Suse linux_personal 9.1.0
Red_hat linux 7.3.0
Red_hat linux 7.3.0 I386
Red_hat linux 9.0.0 I386
Mandriva linux_mandrake 10.2.0 X86 64
Turbolinux multimedia
Turbolinux personal
Mozilla firefox 1.0.6
Mozilla firefox 1.0.0
Mozilla browser 1.7.3
Mandriva linux_mandrake 2006.0.0
Mandriva linux_mandrake 2006.0.0 X86 64
Debian linux 3.1.0 Amd64
Turbolinux turbolinux_desktop 10.0.0
Debian linux 3.1.0 Alpha
Debian linux 3.1.0 Arm
Debian linux 3.1.0 Hppa
Ubuntu ubuntu_linux 4.1.0 Ia64
Ubuntu ubuntu_linux 4.1.0 Ia32
Ubuntu ubuntu_linux 4.1.0 Ppc
Debian linux 3.1.0 Mips
Debian linux 3.1.0 Mipsel
Debian linux 3.1.0 Ppc
Debian linux 3.1.0 S/390
Debian linux 3.1.0 Sparc
Mozilla browser 1.7.11
Mozilla firefox 1.0.1
Netscape browser 8.0.3 .3
Red_hat fedora Core4
Mozilla browser 1.7.6
Debian linux 3.1.0
Suse linux_professional 9.0.0
Suse linux_professional 9.1.0
Suse linux_professional 9.2.0
Suse linux_professional 9.3.0
Suse linux_professional 9.3.0 X86 64
Suse linux_professional 9.2.0 X86 64
Suse linux_professional 9.1.0 X86 64
Suse linux_professional 9.0.0 X86 64
Debian linux 3.1.0 Ia-32
Mandriva corporate_server 3.0.0
Debian linux 3.1.0 Ia-64
Debian linux 3.1.0 M68k
Slackware linux -Current
Suse novell_linux_desktop 9.0.0
Mozilla browser 1.7.2
Mozilla browser 1.7.0
Gentoo linux
Ubuntu ubuntu_linux 5.0.0 4 Powerpc
Sgi propack 3.0.0 SP6
Mozilla browser 1.7.1
Slackware linux 10.0.0
Turbolinux turbolinux_server 10.0.0
Turbolinux home
Suse linux_personal 9.3.0
Suse suse_linux_enterprise_server 9
Mozilla browser 1.7.9
Mozilla firefox 1.0.5
Mozilla browser 1.7.4
Mozilla browser 1.7.5
Suse linux_personal 9.0.0
Mandriva corporate_server 3.0.0 X86 64
Suse linux_personal 9.2.0 X86 64
Suse linux_personal 9.1.0 X86 64
Mandriva linux_mandrake 10.1.0
Mandriva linux_mandrake 10.1.0 X86 64
Conectiva linux 10.0.0
Suse linux_personal 9.2.0
Suse beagle 10.0.0
Suse linux_professional 10.0.0
Mozilla browser 1.6.0
Mozilla browser 1.7.0 Rc3
Mozilla firefox 1.0.4
Suse linux_desktop 1.0.0

HTTP:ORACLE:GLASSFISH-MUL-XSS - HTTP: Oracle GlassFish Enterprise Server Multiple Stored Cross Site Scripting

Severity: HIGH

Description:

This signature detects attempts to exploit multiple known cross-site scripting vulnerabilities in Oracle GlassFish. A successful attack can result in the compromise of Web browser cookies associated with the site, and modification of user information.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 53136
cve: CVE-2012-0551

Affected Products:

Sun jre_(linux_production_release) 1.6.0
Sun jre_(solaris_production_release) 1.6.0_21
Red_hat enterprise_linux_supplementary 5 Server
Red_hat enterprise_linux_desktop_supplementary 6
Sun jdk_(solaris_production_release) 1.6.0_24
Red_hat enterprise_linux_hpc_node_supplementary 6
Sun jdk_(solaris_production_release) 1.6.0 10
Sun jdk_(windows_production_release) 1.6.0 10
Red_hat enterprise_linux_server_supplementary 6
Red_hat enterprise_linux_workstation_supplementary 6
Sun jdk_(solaris_production_release) 1.6.0 14
Sun jdk_(windows_production_release) 1.6.0 14
Sun jdk_(solaris_production_release) 1.6.0 13
Sun jdk_(windows_production_release) 1.6.0 13
Sun jdk_(solaris_production_release) 1.6.0 11
Sun jdk_(windows_production_release) 1.6.0 11
Sun jre_(linux_production_release) 1.6.0 13
Sun jdk_(solaris_production_release) 1.6.0 05
Sun jdk_(windows_production_release) 1.6.0 05
Sun jdk_(windows_production_release) 1.6.0 06
Sun jdk_(solaris_production_release) 1.6.0 06
Sun jdk_(solaris_production_release) 1.6.0 07
Sun jdk_(windows_production_release) 1.6.0 07
Sun jdk_(solaris_production_release) 1.6.0
Sun jdk_(linux_production_release) 1.6.0 13
Sun jdk_(solaris_production_release) 1.7.0
Sun jdk_(windows_production_release) 1.7.0
Sun jdk_(linux_production_release) 1.6.0 Update 10
Sun jdk_(linux_production_release) 1.6.0 Update 11
Sun jdk_(linux_production_release) 1.6.0 Update 12
Sun jdk_(linux_production_release) 1.6.0 Update 13
Sun jdk_(linux_production_release) 1.6.0 Update 14
Sun jdk_(linux_production_release) 1.6.0 Update 15
Sun jdk_(linux_production_release) 1.6.0 Update 16
Sun jdk_(linux_production_release) 1.6.0 Update 17
Sun jdk_(linux_production_release) 1.6.0 Update 18
Sun jdk_(linux_production_release) 1.6.0 Update 19
Sun jre_(solaris_production_release) 1.6.0
Sun jre_(windows_production_release) 1.6.0
Sun jre_(solaris_production_release) 1.6.0 10
Sun jre_(windows_production_release) 1.6.0 10
Sun jdk_(linux_production_release) 1.6.0 Update 5
Sun jdk_(linux_production_release) 1.6.0 Update 6
Sun jdk_(linux_production_release) 1.6.0 Update 7
Sun jre_(solaris_production_release) 1.6.0 12
Sun jre_(windows_production_release) 1.6.0 12
Sun jre_(solaris_production_release) 1.6.0 13
Sun jre_(windows_production_release) 1.6.0 13
Sun jre_(solaris_production_release) 1.6.0 04
Sun jre_(windows_production_release) 1.6.0 04
Sun jre_(solaris_production_release) 1.6.0 05
Sun jre_(windows_production_release) 1.6.0 05
Sun jre_(solaris_production_release) 1.6.0 06
Sun jre_(windows_production_release) 1.6.0 06
Sun jre_(solaris_production_release) 1.6.0 07
Sun jre_(windows_production_release) 1.6.0 07
Sun jdk_(linux_production_release) 1.6.0 14
Apple mac_os_x 10.7.4
Apple mac_os_x_server 10.7.4
Hp hp-ux B.11.31
Sun jdk_(linux_production_release) 1.6.0_26
Sun jdk_(windows_production_release) 1.6.0 18
Sun jdk_(solaris_production_release) 1.6.0 18
Sun jdk_(linux_production_release) 1.6.0 18
Sun jre_(linux_production_release) 1.6.0 18
Sun jre_(windows_production_release) 1.6.0 18
Sun jre_(solaris_production_release) 1.6.0 18
Sun jdk_(solaris_production_release) 1.6.0_26
Sun jdk_(linux_production_release) 1.6.0 04
Sun jdk_(windows_production_release) 1.6.0_26
Sun jdk_(linux_production_release) 1.6.0_21
Sun jdk_(linux_production_release) 1.6.0_22
Sun jdk_(solaris_production_release) 1.6.0 04
Sun jdk_(solaris_production_release) 1.6.0_21
Sun jdk_(solaris_production_release) 1.6.0_22
Sun jdk_(windows_production_release) 1.6.0_21
Sun jdk_(windows_production_release) 1.6.0 04
Sun jre_(linux_production_release) 1.6.0_24
Sun jre_(linux_production_release) 1.6.0_21
Sun jre_(linux_production_release) 1.6.0_22
Sun jdk_(linux_production_release) 1.6.0_24
Sun jdk_(linux_production_release) 1.6.0_25
Sun jre_(solaris_production_release) 1.6.0_22
Sun jdk_(windows_production_release) 1.6.0_25
Sun jdk_(windows_production_release) 1.6.0_24
Sun jre_(linux_production_release) 1.6.0_25
Sun jre_(windows_production_release) 1.6.0_21
Sun jre_(windows_production_release) 1.6.0_22
Sun jre_(solaris_production_release) 1.6.0_24
Sun jre_(windows_production_release) 1.6.0_25
Sun jre_(windows_production_release) 1.6.0_24
Sun jre_(solaris_production_release) 1.6.0_25
Apple mac_os_x 10.6.8
Apple mac_os_x_server 10.6.8
Hp hp-ux B.11.11
Sun jre_(linux_production_release) 1.6.0_31
Sun jre_(solaris_production_release) 1.6.0_31
Sun jre_(windows_production_release) 1.6.0_31
Sun jdk_(linux_production_release) 1.6.0 02
Sun jdk_(windows_production_release) 1.6.0 02
Sun jre_(linux_production_release) 1.6.0 04
Sun jre_(linux_production_release) 1.6.0 02
Sun jre_(solaris_production_release) 1.6.0 01
Sun jdk_(linux_production_release) 1.6.0
Sun jre_(windows_production_release) 1.6.0 01
Sun jre_(windows_production_release) 1.6.0 02
Sun jre_(linux_production_release) 1.6.0 20
Sun jre_(windows_production_release) 1.6.0 20
Sun jre_(linux_production_release) 1.6.0 19
Sun jre_(linux_production_release) 1.6.0 07
Sun jdk_(linux_production_release) 1.6.0 07
Sun jdk_(solaris_production_release) 1.6.0 19
Sun jdk_(windows_production_release) 1.6.0 19
Sun jdk_(linux_production_release) 1.6.0 19
Sun jdk_(solaris_production_release) 1.6.0 03
Sun jdk_(linux_production_release) 1.6.0 03
Sun jre_(linux_production_release) 1.6.0 15
Sun jdk_(windows_production_release) 1.6.0
Sun jdk_(windows_production_release) 1.6.0 03
Sun jre_(linux_production_release) 1.6.0 03
Sun jre_(solaris_production_release) 1.6.0 03
Sun jre_(windows_production_release) 1.6.0 03
Sun jre_(linux_production_release) 1.6.0 12
Sun jdk_(solaris_production_release) 1.6.0 02
Sun jdk_(linux_production_release) 1.6.0 06
Sun jdk_(linux_production_release) 1.6.0 05
Sun jre_(linux_production_release) 1.6.0 05
Sun jre_(windows_production_release) 1.7.0_4
Sun jdk_(solaris_production_release) 1.6.0_25
Sun jdk_(linux_production_release) 1.6.0_27
Sun jdk_(solaris_production_release) 1.6.0_27
Sun jdk_(windows_production_release) 1.6.0_27
Sun jre_(linux_production_release) 1.6.0_27
Sun jre_(solaris_production_release) 1.6.0_27
Sun jre_(windows_production_release) 1.6.0_27
Sun jre_(linux_production_release) 1.7
Sun jre_(solaris_production_release) 1.7
Sun jre_(windows_production_release) 1.7
Sun jre_(linux_production_release) 1.6.0 10
Sun jre_(linux_production_release) 1.6.0 06
Sun jdk_(linux_production_release) 1.6.0_28
Sun jdk_(solaris_production_release) 1.6.0_28
Sun jdk_(windows_production_release) 1.6.0_28
Red_hat enterprise_linux_desktop_supplementary 5 Client
Sun jre_(linux_production_release) 1.7.0_4
Sun jre_(linux_production_release) 1.6.0_28
Sun jre_(solaris_production_release) 1.6.0_28
Sun jre_(windows_production_release) 1.6.0_28
Sun jre_(windows_production_release) 1.6.0_32
Sun jre_(linux_production_release) 1.6.0_32
Sun jdk_(windows_production_release) 1.6.0 01
Sun jdk_(linux_production_release) 1.6.0 01
Sun jdk_(windows_production_release) 1.7.0_4
Sun jdk_(solaris_production_release) 1.6.0_32
Sun jdk_(linux_production_release) 1.6.0_23
Sun jdk_(windows_production_release) 1.6.0_32
Sun jdk_(windows_production_release) 1.6.0_23
Sun jre_(linux_production_release) 1.6.0_23
Sun jre_(solaris_production_release) 1.6.0_23
Sun jre_(windows_production_release) 1.6.0_23
Sun jdk_(linux_production_release) 1.6.0 17
Hp hp-ux B.11.23
Sun jdk_(linux_production_release) 1.6.0 Update 20
Sun jdk_(solaris_production_release) 1.6.0 01
Sun jdk_(linux_production_release) 1.6.0 Update 21
Sun jdk_(linux_production_release) 1.6.0 01-B06
Sun jre_(linux_production_release) 1.6.0 01
Sun jdk_(linux_production_release) 1.6.0 Update 3
Sun jdk_(linux_production_release) 1.6.0_30
Sun jdk_(windows_production_release) 1.7.0_2
Sun jdk_(linux_production_release) 1.6.0 Update 4
Sun jdk_(windows_production_release) 1.6.0_30
Sun jdk_(solaris_production_release) 1.6.0_30
Sun jdk_(solaris_production_release) 1.7.0_2
Sun jre_(linux_production_release) 1.6.0_30
Sun jre_(linux_production_release) 1.6.0_26
Sun jre_(solaris_production_release) 1.6.0 02
Sun jre_(solaris_production_release) 1.7.0_2
Sun jre_(windows_production_release) 1.6.0_30
Sun jre_(windows_production_release) 1.6.0_26
Sun jre_(linux_production_release) 1.7.0_2
Sun jre_(solaris_production_release) 1.6.0_30
Sun jdk_(linux_production_release) 1.6.0 15
Sun jdk_(windows_production_release) 1.6.0 15
Sun jdk_(solaris_production_release) 1.6.0 15
Sun jre_(solaris_production_release) 1.6.0 15
Sun jre_(windows_production_release) 1.6.0 15
Sun jdk_(windows_production_release) 1.6.0 20
Sun jdk_(solaris_production_release) 1.6.0 20
Sun jdk_(linux_production_release) 1.6.0 20
Sun jre_(solaris_production_release) 1.7.0_4
Sun jdk_(linux_production_release) 1.7.0_2
Sun jre_(linux_production_release) 1.6.0 14
Sun jre_(windows_production_release) 1.6.0 14
Sun jre_(solaris_production_release) 1.6.0 14
Sun jdk_(solaris_production_release) 1.6.0 17
Sun jdk_(solaris_production_release) 1.6.0_23
Oracle glassfish_enterprise_server 3.1.1
Sun jdk_(linux_production_release) 1.7.0_4
Sun jre_(solaris_production_release) 1.6.0_32
Sun jre_(solaris_production_release) 1.6.0 2
Sun jdk_(solaris_production_release) 1.7.0_4
Sun jre_(windows_production_release) 1.6.0 2
Sun jdk_(linux_production_release) 1.6.0_32
Sun jdk_(windows_production_release) 1.6.0 01-B06
Sun jre_(solaris_production_release) 1.6.0_26
Sun jre_(windows_production_release) 1.6.0 19
Sun jre_(windows_production_release) 1.7.0_2
Sun jre_(solaris_production_release) 1.6.0 19
Sun jre_(linux_production_release) 1.6.0 17
Sun jre_(solaris_production_release) 1.6.0 17
Sun jdk_(windows_production_release) 1.6.0_22
Sun jre_(windows_production_release) 1.6.0 17
Sun jre_(linux_production_release) 1.6.0 11
Sun jre_(solaris_production_release) 1.6.0 11
Sun jre_(windows_production_release) 1.6.0 11
Sun jdk_(windows_production_release) 1.6.0 17
Sun jdk_(linux_production_release) 1.7.0
Sun jdk_(linux_production_release) 1.6.0 10
Sun jdk_(linux_production_release) 1.6.0 11
Sun jdk_(solaris_production_release) 1.6.0 01-B06

HTTP:IIS:PROPFIND - HTTP: IIS Malformed PROPFIND Remote DoS

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft IIS 5.0. Attackers can send malicious "PROPFIND" requests to the server to crash it.

Supported On:

References:

url: http://www.microsoft.com/technet/security/bulletin/MS03-018.mspx
url: http://oval.mitre.org/oval/definitions/data/oval933.html
bugtraq: 7735
cve: CVE-2003-0226

Affected Products:

Microsoft iis 5.1
Microsoft iis 5.0

HTTP:HPE-INT-MGMT-INJ - HTTP: HPE Intelligent Management Center ictExpertDownload Expression Language Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against HPE Intelligent Management Center. The vulnerability is due to insufficient handling of the beanName request parameter on ictExpertDownload.xhtml. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation results in the execution of arbitrary code under the security context of the SYSTEM user.

Supported On:

References:

cve: CVE-2017-12500

Affected Products:

Hp intelligent_management_center 7.3

HTTP:CGI:ANYFORM-SEMICOLON - HTTP: Anyform Semicolon

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against AnyForm CGI script. AnyForm is a popular CGI form designed to support simple forms that deliver responses through e-mail. Some versions of AnyForm do not perform user supplied data sanity checking, and can allow remote execution of arbitrary commands on the server.

Supported On:

References:

bugtraq: 719
cve: CVE-1999-0066

Affected Products:

John_s._roberts anyform 1.0.0
John_s._roberts anyform 2.0.0

VOIP:SKYPE:VERSION-CHECK - SKYPE: Client Version Check

Severity: INFO

Description:

This signature detects a Skype client request (to a central server) that checks for the latest version of the client software.

Supported On:

References:

url: http://www.skype.com

HTTP:MISC:MOBY-LENGTH-DOS - HTTP: Moby Malformed Content-Length DoS

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against the Moby NetSuite. Attackers can send a maliciously crafted HTTP POST request that contains an invalid Content-Length field to the host to crash the Web server.

Supported On:

References:

HTTP:CGI:LIBCGI-RFP-OVERWRITE - HTTP: LIB CGI Remote Frame Pointer Overwrite

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in LIB CGI. Attackers can inject maliciously crafted C code into LIB CGI applications to overwrite the Frame Pointer and execute arbitrary code on the host.

Supported On:

References:

url: http://www.securityfocus.com/archive/1/301365
cve: CVE-2002-2251

P2P:BITTORRENT:TRACKER-QUERY - P2P: BitTorrent Tracker Query

Severity: INFO

Description:

This signature detects requests to a BitTorrent tracker Web site. Users can be querying the tracker to look for files to download.

Supported On:

idp-5.1.110161014, DI-Client, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

url: http://wiki.theory.org/index.php/BitTorrentSpecification

HTTP:STC:DL:MAL-WRI - HTTP: Microsoft WordPad Malicious File

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against the Microsoft Word Document Convertor. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 43122
cve: CVE-2010-2563

Affected Products:

Microsoft windows_xp_media_center_edition SP2
Microsoft windows_xp_home
Microsoft windows_xp
Microsoft windows_xp_64-bit_edition SP1
Microsoft windows_server_2003_enterprise_edition_itanium
Microsoft windows_xp_tablet_pc_edition SP2
Avaya messaging_application_server
Avaya messaging_application_server MM 3.0
Avaya messaging_application_server MM 3.1
Microsoft windows_server_2003_x64 SP2
Microsoft windows_xp_media_center_edition
Microsoft windows_xp_tablet_pc_edition
Avaya messaging_application_server MM 1.1
Microsoft windows_xp_home SP1
Avaya meeting_exchange-client_registration_server
Avaya meeting_exchange-recording_server
Avaya meeting_exchange-streaming_server
Avaya meeting_exchange-web_conferencing_server
Avaya callpilot_unified_messaging
Microsoft windows_xp_64-bit_edition
Avaya messaging_application_server 4
Avaya messaging_application_server 5
Microsoft windows_xp
Microsoft windows_server_2003_enterprise_x64_edition
Microsoft windows_xp_professional SP1
Microsoft windows_server_2003 SP1
Microsoft windows_xp_tablet_pc_edition SP3
Microsoft windows_xp_professional_x64_edition SP3
Microsoft windows_xp_professional SP3
Microsoft windows_xp_media_center_edition SP3
Microsoft windows_xp_home SP3
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_datacenter_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft windows_xp_professional_x64_edition
Microsoft windows_server_2003_x64 SP1
Microsoft windows_server_2003 SP2
Microsoft windows_server_2003_standard_edition
Microsoft windows_xp_professional
Avaya meeting_exchange-webportal
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_server_2003_datacenter_x64_edition
Microsoft windows_server_2003_web_edition SP2
Microsoft windows_server_2003_datacenter_edition_itanium
Microsoft windows_xp_professional_x64_edition SP2
Microsoft windows_server_2003_itanium
Microsoft windows_server_2003_itanium SP1
Microsoft windows_server_2003_itanium SP2
Microsoft windows_server_2003_datacenter_x64_edition SP2
Microsoft windows_server_2003_enterprise_x64_edition SP2
Microsoft windows_server_2003_standard_edition SP2
Microsoft windows_server_2003_enterprise_edition
Avaya messaging_application_server MM 2.0
Microsoft windows_xp_home SP2
Microsoft windows_xp_professional SP2
Microsoft windows_xp_tablet_pc_edition SP1
Microsoft windows_xp_media_center_edition SP1

HTTP:HOTMAIL:FILE-DOWNLOAD - HTTP: MSN Hotmail File Download

Severity: INFO

Description:

This signature detects attempts by users to download attachments from MSN Hotmail. MSN Hotmail is a web-based email application that allows users to send and receive emails with attachments. This may be a violation of your organization's Acceptable Use Policy.

Supported On:

HTTP:HOTMAIL:ZIP-DOWNLOAD - HTTP: MSN Hotmail Compressed File Extension Download

Severity: INFO

Description:

This signature detects attempts by users to download potentially compressed attachments from MSN Hotmail. Compressed files could contain hazardous executables (viruses often send their malicious payloads compressed in a .zip file). MSN Hotmail is a web-based email application that allows users to send and receive emails with attachments. This may be a violation of your organization's Acceptable Use Policy.

Supported On:

HTTP:STC:DL:VISIO-BOF - HTTP: Malformed Microsoft Office Visio File

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Office Visio file format. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the client.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, isg-3.0.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

cve: CVE-2009-0096
cve: CVE-2009-0097

Affected Products:

Microsoft visio_2003_professional
Microsoft visio_2003 SP3
Microsoft visio_2002 SP2
Microsoft visio_2003 SP2
Microsoft visio_2002_professional SP2
Microsoft visio_2002_standard SP2
Microsoft visio_2003_standard
Microsoft visio_2002
Microsoft visio_2003
Microsoft visio_2003 SP1
Microsoft visio_2007
Microsoft visio_2007 SP1
Microsoft visio_2002 SP1

HTTP:XSS:SYMANTEC-WG - HTTP: Symantec Web Gateway Cross Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a cross-site scripting vulnerability in Symantec Web Gateway. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

References:

bugtraq: 53396
cve: CVE-2012-0296

Affected Products:

Symantec web_gateway 5.0
Symantec web_gateway 5.0.1

HTTP:STC:JAVA:RUNTIME-ENV-BO - HTTP: Sun Java RunTime Environment Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Sun Java RunTime Environment. A successful attack could allow the attacker to execute arbitrary code on the targeted system. Failed exploit attempts could result in a denial of service condition.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 21673
cve: CVE-2006-6737
cve: CVE-2006-6745
bugtraq: 21675
cve: CVE-2006-6731

Affected Products:

Sun jre_(linux_production_release) 1.4.2 06
Suse unitedlinux 1.0.0
Suse suse_linux_school_server_for_i386
Suse suse_linux_enterprise_server 8
Avaya integrated_management
Red_hat enterprise_linux_ws 2.1 IA64
Red_hat enterprise_linux_as 2.1 IA64
Red_hat enterprise_linux_es 2.1 IA64
Avaya interactive_response 2.0
Suse open-enterprise-server
Bea_systems jrockit 3.1.5
Bea_systems jrockit 8.1.0
Bea_systems jrockit 8.0.0
Sun jre_(linux_production_release) 1.3.1 08
Bea_systems jrockit 1.4.2
Bea_systems jrockit 3.1.4 .1
Bea_systems jrockit 3.1.4
Bea_systems jrockit 3.1.3
Bea_systems jrockit 3.1.2
Bea_systems jrockit 3.1.1
Suse suse_linux_enterprise_sdk 10
Hp hp-ux B.11.11
Sun sdk_(linux_production_release) 1.5.0_03
Sun sdk_(linux_production_release) 1.5.0_02
Sun jre_(linux_production_release) 1.5.0 01
Sun jre_(linux_production_release) 1.5.0 02
Sun jre_(linux_production_release) 1.5.0 05
Sun sdk_(linux_production_release) 1.5.0_01
Red_hat enterprise_linux_as 2.1
Red_hat enterprise_linux_es 2.1
Red_hat enterprise_linux_ws 2.1
Sun sdk_(linux_production_release) 1.4.2 06
Sun sdk_(linux_production_release) 1.4.2 07
Sun jre_(linux_production_release) 1.4.2 08
Apple mac_os_x_server 10.4.10
Hp hp-ux B.11.23
Bea_systems jrockit 1.4.2 R4.5
Suse novell_linux_pos 9
Sun sdk_(linux_production_release) 1.4.2 05
Suse suse_linux_openexchange_server 4.0.0
Suse suse_linux_retail_solution 8.0.0
Suse suse_linux_standard_server 8.0.0
Avaya predictive_dialer
Sun jre_(linux_production_release) 1.3.1 01
Apple mac_os_x 10.4.10
Sun jre_(linux_production_release) 1.3.1 15
Sun sdk_(linux_production_release) 1.4.2 01
Sun sdk_(linux_production_release) 1.4.2 03
Sun jre_(linux_production_release) 1.4.2 04
Sun sdk_(linux_production_release) 1.4.2 08
Sun sdk_(linux_production_release) 1.4.2 04
Sun jre_(linux_production_release) 1.5.0 03
Sun jre_(linux_production_release) 1.5.0 04
Gentoo linux
Sun sdk_(linux_production_release) 1.5.0
Sun jre_(linux_production_release) 1.3.1 16
Sun jre_(linux_production_release) 1.4.2 03
Sun jre_(linux_production_release) 1.3.1 01A
Red_hat enterprise_linux_extras 3
Red_hat enterprise_linux_extras 4
Suse suse_linux_enterprise_server 10
Avaya cvlan
Suse suse_linux_enterprise_server 9
Sun jre_(linux_production_release) 1.4.2 11
Sun jre_(linux_production_release) 1.4.2 10-B03
Bea_systems jrockit 7.0.0
Sun jre_(linux_production_release) 1.4.2 02
Sun sdk_(linux_production_release) 1.4.2 02
Sun jre_(linux_production_release) 1.4.2 05
Sun jre_(linux_production_release) 1.4.2 01
Avaya interactive_response 1.3.0
Sun jre_(linux_production_release) 1.4.2 07
Sun jre_(linux_production_release) 1.3.1 18
Sun jre_(linux_production_release) 1.5.0 07
Sun sdk_(linux_production_release) 1.5.0_07
Sun jre_(linux_production_release) 1.4.2 09
Sun jre_(linux_production_release) 1.3.1 17
Apple mac_os_x 10.4.11
Apple mac_os_x_server 10.4.11
Sun jre_(linux_production_release) 1.3.1 04

FTP:USER:ACFTP-BAD-LOGIN - FTP: acFTP Invalid Login Issue

Severity: LOW

Description:

acFTP contains a flaw during the authentication process that allows a malicious user to login with the username "private" and invalid password. The login will fail, but all activity performed after this will be masked as this user. This can the attacker to log in as another user, and perform illegal operations withing having to worry about being logged.

Supported On:

References:

url: http://www.security.nnov.ru/search/document.asp?docid=3805

SPYWARE:KL:ELITEKEYLOGGER - SPYWARE: EliteKeylogger

Severity: HIGH

Description:

This signature detects the runtime behavior of spyware EliteKeylogger, also known as SKL0.1. This spyware silently monitors and records user activity, including keystrokes and Windows names. It also has the ability to e-mail its log records.

Supported On:

References:

HTTP:STC:DL:ACDSEE-XBM-WIDTH - HTTP: ACD Systems ACDSee Products XBM File Handling Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in ACD Systems ACDSee. A code execution vulnerability exists in multiple ACDSee products. The flaw is due to a boundary error when processing crafted X Bitmap Graphic (XBM) files. A remote unauthenticated attacker can exploit this vulnerability by persuading the target user to open a malicious XBM file with the affected application. A successful attack could allow for arbitrary code being injected and executed with the privileges of the currently logged on user.

Supported On:

References:

bugtraq: 37685

Affected Products:

Acd_systems_inc acdsee_photo_manager 8.1
Acd_systems_inc acdsee_photo_editor 4.0
Acd_systems_inc acdsee_photo_editor_2008 build 286
Acd_systems_inc acdsee_photo_manager 8.1 build 99
Acd_systems_inc acdsee_photo_manager 9.0 build 108
Acd_systems_inc acdsee_photo_manager 9.0

HTTP:IIS:MDAC-RDS - HTTP: Microsoft IIS MDAC Remote Data Services Component Access

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Data Access Components (MDAC) Remote Data Services (RDS) component. A successful attacker can access files and other services.

Supported On:

idp-5.1.110161014, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, DI-Base, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 529
url: http://www.microsoft.com/technet/security/bulletin/fq99-025.asp
cve: CVE-1999-1011
url: http://support.microsoft.com/support/kb/articles/q184/3/75.asp
url: http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html
bugtraq: 6214
cve: CVE-2002-1142

Affected Products:

Microsoft data_access_components_(mdac) 2.1 CLEAN
Microsoft data_access_components_(mdac) 2.1 UPGRADE
Microsoft site_server 3.0 i386
Microsoft site_server_commerce_edition 3.0 i386
Microsoft index_server 2.0
Microsoft data_access_components_(mdac) 2.1
Microsoft data_access_components_(mdac) 1.5
Microsoft data_access_components_(mdac) 2.0
Microsoft iis 3.0
Microsoft iis 4.0

HTTP:IIS:JET-DB-VBA-REMOTE-EXEC - HTTP: IIS JET Database Engine VBA Remote Execution

Severity: HIGH

Description:

This signature detects attempts to execute arbitrary commands using the Microsoft JET Database VBA Engine. A successful attack can allow an attacker to execute arbitrary code with privileges of the Web application and unauthorized access to a vulnerable system.

Supported On:

References:

bugtraq: 286
url: http://support.microsoft.com/default.aspx?scid=kb;en-us;282010#2
url: http://www.juniper.net/security/auto/vulnerabilities/vuln856.html
cve: CVE-2000-0325

Affected Products:

Microsoft iis 4.0
Microsoft jet 3.51
Microsoft jet 3.5

HTTP:OVERFLOW:MULTIPLE-PRODUCTS - HTTP: Multiple Products Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Multiple Products. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the targeted daemon.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

HTTP:APACHE:AXIS-SOAP-DOS - HTTP: Apache Axis Multiple Vendor SOAP Arrays Denial of Service

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against multiple vendors using Apache Axis. A successful attack can result in a denial-of-service condition.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 9877
cve: CVE-2004-1815

Affected Products:

Macromedia jrun 4.0.0 SP1
Sun one_application_server 7.0.0 Platform Edition
Sun one_application_server 7.0.0 Standard Edition
Macromedia jrun 4.0.0 SP1a
Macromedia jrun 4.0.0
Sun one_application_server 7.0.0 UR1 Platform Edition
Sun one_application_server 7.0.0 UR1 Standard Edition
Sun one_application_server 7.0.0 UR2 Upgrade Platform
Sun one_application_server 7.0.0 UR2 Upgrade Standard
Macromedia jrun 4.0.0 build 61650
Macromedia coldfusion_mx 6.0.0
Macromedia coldfusion_mx 6.1.0
Macromedia coldfusion_mx_j2ee 6.1.0
Macromedia coldfusion_mx_j2ee 6.0.0
Sun one_application_server 7.0.0 UR2 Standard Edition
Sun one_application_server 7.0.0 UR2 Platform Edition

HTTP:PHP:PHPNUKE:SID-SQL-INJECT - HTTP: PHP-Nuke Modules.php SID Parameter SQL Injection

Severity: MEDIUM

Description:

This signature detects SQL injection attempts against PHPNuke. PHPNuke versions 7.2 and earlier are vulnerable. Attackers can include a maliciously crafted SID parameter in a query to modules.php, causing the php script to run arbitrary SQL commands.

Supported On:

References:

bugtraq: 10282
url: http://www.zone.ee/waraxe/?modname=sa&id=027

Affected Products:

Francisco_burzi php-nuke 6.5.0 RC2
Francisco_burzi php-nuke 6.6.0
Francisco_burzi php-nuke 6.5.0 FINAL
Francisco_burzi php-nuke 7.0.0 FINAL
Francisco_burzi php-nuke 7.2.0
Francisco_burzi php-nuke 6.5.0 BETA 1
Francisco_burzi php-nuke 6.9.0
Francisco_burzi php-nuke 6.5.0 RC1
Francisco_burzi php-nuke 6.5.0 RC3
Francisco_burzi php-nuke 6.5.0
Francisco_burzi php-nuke 6.0.0
Francisco_burzi php-nuke 7.1.0
Francisco_burzi php-nuke 6.7.0
Francisco_burzi php-nuke 7.0.0

HTTP:SQL:INJ:MULTI-VENDORS-1 - HTTP: Multiple Vendors SQL Injection Detected (1)

Severity: MEDIUM

Description:

This signature detects specific characters, typically used in SQL procedures, within an HTTP connection. Because these characters are not normally used in HTTP, this can indicate a SQL injection attack through a procedure. However, it can be a false positive. To reduce False Positives, it is strongly recommended that these signatures only be used to inspect traffic from the Internet to your organization's web servers that use SQL backend databases to generate content and not to inspect traffic going from your organization to the Internet.

Supported On:

References:

cve: CVE-2012-5874
cve: CVE-2012-6560

Affected Products:

Elite-board elite_bulletin_board 2.1.18
Elite-board elite_bulletin_board 2.1.2
Elite-board elite_bulletin_board 2.1.19
Elite-board elite_bulletin_board 2.1.3
Elite-board elite_bulletin_board 2.0.1
Elite-board elite_bulletin_board 2.0.0
Elite-board elite_bulletin_board 2.0.3
Elite-board elite_bulletin_board 2.0.2
Elite-board elite_bulletin_board 2.1.12
Elite-board elite_bulletin_board up to 2.1.21
Elite-board elite_bulletin_board 2.1.13
Elite-board elite_bulletin_board 2.1.10
Elite-board elite_bulletin_board 2.1.8
Elite-board elite_bulletin_board 2.1.11
Elite-board elite_bulletin_board 2.1.9
Elite-board elite_bulletin_board 2.1.16
Elite-board elite_bulletin_board 2.1.17
Elite-board elite_bulletin_board 2.1.14
Elite-board elite_bulletin_board 2.1.4
Elite-board elite_bulletin_board 2.1.15
Elite-board elite_bulletin_board 2.1.5
Elite-board elite_bulletin_board 2.1.20
Elite-board elite_bulletin_board 2.1.6
Elite-board elite_bulletin_board 2.1.7
Elite-board elite_bulletin_board 2.1.0
Elite-board elite_bulletin_board 2.1.1

HTTP:SQL:INJ:MULTI-VENDORS-2 - HTTP: Multiple Vendors SQL Injection Detected (2)

Severity: MEDIUM

Description:

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

HTTP:MISC:MUL-VEND-IMPRO-ACCESS - HTTP: Multiple Vendors Unauthorized Access Vulnerability

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Multiple Vendors. Attackers may bypass security restrictions to gain unauthorized access to user accounts

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

HTTP:MISC:PRDCTS-COMMAND-EXEC - HTTP: Multiple Products Remote Command Execution

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Multiple Vendors. A successful exploit can lead to remote command execution.

Supported On:

References:

cve: CVE-2014-6389

Affected Products:

Phpcompta phpcompta%2fnoalyss 6.7.1

HTTP:STC:M3U-VLC-SMB-LINK - HTTP: VideoLAN VLC Media Player SMB Link Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the VideoLAN VLC Media Player. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the client.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 35500
cve: CVE-2009-2484

Affected Products:

Videolan vlc_media_player 1.0.1
Videolan vlc_media_player 0.9.9
Videolan vlc_media_player 1.0.0

HTTP:STC:STREAM:QT-DESC-ATOM - HTTP: Apple QuickTime Image Descriptor Atom Parsing Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Apple QuickTime Player. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 27299
cve: CVE-2008-0033

Affected Products:

Apple quicktime_player 7.1.2
Apple quicktime_player 7.1
Apple quicktime_player 7.1.6
Apple quicktime_player 7.1.4
Apple quicktime_player 7.0.2
Apple quicktime_player 7.0.3
Apple quicktime_player 7.1.5
Apple quicktime_player 7.3
Apple quicktime_player 7.2
Apple quicktime_player 7.0.1
Apple quicktime_player 7.0.4
Apple quicktime_player 7.0.0
Apple quicktime_player 7.1.3
Apple quicktime_player 7.1.1

APP:JBOSS-JMX-AUTH-BYPASS - APP: RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known authentication bypass vulnerability in the RedHat JBoss Enterprise Application Platform JMX Console. This is caused by the authentication policy within the application that only enforces restrictions for GET and POST methods, other HTTP request verbs bypass authentication. Unauthenticated remote attackers can exploit this to gain administrative access to JBoss JMX management console and to upload and execute arbitrary Java code within the security context of the JBoss server process, normally SYSTEM on Windows platforms.

Supported On:

References:

bugtraq: 39710
url: https://rhn.redhat.com/errata/RHSA-2010-0378.html
cve: CVE-2010-0738
cve: CVE-2007-1036
bugtraq: 72432
cve: CVE-2014-7883
url: http://www.redteam-pentesting.de/publications/jboss

Affected Products:

Red_hat jboss_enterprise_application_platform 4.3.0 EL4
Red_hat jboss_enterprise_application_platform 4.2.0 EL5
Red_hat jboss_enterprise_application_platform 5.0.0
Red_hat jboss_enterprise_application_platform 4.2.0
Hp business_availability_center 8.06
Red_hat jboss_enterprise_application_platform 5 EL5
Red_hat jboss_enterprise_application_platform 5 EL4
Hp business_availability_center 8.05
Red_hat jboss_enterprise_application_platform 5 EL6
Red_hat jboss_application_server 5.0.0
Red_hat jboss_enterprise_application_platform 5.1.0
Red_hat jboss_enterprise_application_platform 4.3.0
Hp business_availability_center 8.01
Red_hat jboss_enterprise_application_platform 4.3.0 EL5
Red_hat jboss_enterprise_application_platform 4.2.0 EL4
Hp business_availability_center
Hp business_availability_center 6
Hp business_availability_center 8.07
Hp business_service_management 9.12
Hp business_availability_center 7.55
Hp business_service_management 9.01
Red_hat jboss_application_server 5
Red_hat jboss_application_server 5.X
Red_hat jboss_enterprise_application_platform 5.1.1

TROJAN:PITTY-TIGER-ACTIVITY - TROJAN: Pitty Tiger Trojan C&C Activity Detected

Severity: CRITICAL

Description:

This signature detects the activity of the Pitty Tiger Trojan family. A successful exploit infects the host by dropping and executing a malware with currently logged-in user credentials.

Supported On:

HTTP:STC:IE:HDRLOC-MSITS - HTTP: Internet Explorer Arbitrary Code Execution

Severity: HIGH

Description:

This signature detects an HTTP redirect response that contains a maliciously crafted location header. Attackers can trigger the malicious header when attempting to exploit a known vulnerability in Microsoft Internet Explorer 6.

Supported On:

References:

url: http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx
url: http://www.kb.cert.org/vuls/id/713878
bugtraq: 10473
cve: CVE-2004-0549

Affected Products:

Microsoft internet_explorer 5.5 SP1
Microsoft internet_explorer 5.0.1 SP4
Microsoft internet_explorer 6.0
Microsoft internet_explorer 5.5 SP2
Microsoft internet_explorer 5.0.1
Microsoft internet_explorer 6.0 SP1
Microsoft internet_explorer 5.0.1 SP1
Microsoft internet_explorer 5.0.1 SP2
Microsoft internet_explorer 5.5
Microsoft internet_explorer 5.0.1 SP3

HTTP:STC:IMG:EXE-IN-IMAGE - HTTP: Executable Binary Disguised as Image

Severity: HIGH

Description:

This signature detects attempts to download an executable binary file disguised as an image. Attackers can disguise a malicious program (executable binary file) as an image on a Web page. When a user downloads the image to the local Web cache using a Web browser, the image does not display (because it is not a valid image file). Attackers can then exploit additional vulnerabilities to trick the user into running the malicious file from the Web cache.

Supported On:

References:

url: http://isc.sans.org/presentations/banking_malware.pdf
bugtraq: 12468
cve: CVE-2005-0230

Affected Products:

Netscape netscape 7.1.0
Suse linux_personal 9.3.0
Mozilla firefox 0.9.1
Mozilla thunderbird 1.0.1
Mozilla firefox 0.9.0
Mozilla thunderbird 0.9.0
Mozilla thunderbird 1.0.0
Mozilla firefox 0.10.1
Suse linux_personal 9.2.0
Suse linux_professional 9.2.0
Suse linux_professional 9.3.0
Suse linux_professional 9.3.0 X86 64
Suse linux_professional 9.2.0 X86 64
Suse linux_professional 9.1.0 X86 64
Suse linux_personal 9.1.0
Mozilla browser 1.7.4
Mozilla browser 1.7.5
Mozilla firefox 1.0.0
Mozilla browser 1.7.0 Rc2
Mozilla browser 1.7.0 Rc1
Mozilla thunderbird 0.7.1
Mozilla browser 1.7.0 Alpha
Suse linux_personal 9.2.0 X86 64
Suse linux_personal 9.1.0 X86 64
Netscape netscape 7.2.0
Mozilla browser 1.7.3
Mozilla thunderbird 0.8.0
Suse linux_professional 10.0.0 OSS
Suse linux_personal 10.0.0 OSS
Netscape netscape 7.0.0
Mozilla browser 1.7.2
Mozilla firefox 0.9.3
Mozilla thunderbird 0.7.3
Mozilla thunderbird 0.6.0
Mozilla browser 1.7.0
Hp hp-ux B.11.11
Mozilla firefox 0.8.0
Hp hp-ux B.11.00
Suse linux_professional 9.1.0
Suse linux_personal 9.3.0 X86 64
Gentoo linux
Hp hp-ux B.11.22
Hp hp-ux B.11.23
Mozilla firefox 0.10.0
Suse linux_professional 10.0.0
Mozilla browser 1.7.1
Mozilla firefox 0.9.2
Mozilla thunderbird 0.7.2
Mozilla thunderbird 0.7.0
Mozilla browser 1.7.0 Beta
Mozilla browser 1.7.0 Rc3
Mozilla firefox 0.9.0 Rc

HTTP:APACHE:WEBDAV-PROPFIND - HTTP: Apache WebDav PROPFIND Directory Disclosure

Severity: LOW

Description:

This signature detects attempts to exploit a known vulnerability against the default configurations for Apache 1.3.12 in SuSE Linux 6.4. Attackers can use maliciously crafted WebDAV PROPFIND HTTP requests to list arbitrary directories on the affected server.

Supported On:

References:

bugtraq: 1656
cve: CVE-2000-0869

Affected Products:

Suse linux 6.3.0 alpha
Suse linux 7.0.0
Suse linux 6.4.0 Alpha
Suse linux 6.4.0 ppc
Suse linux 6.1.0
Suse linux 6.3.0
Apache_software_foundation apache 1.3.12
Suse linux 6.2.0
Suse linux 6.0.0
Suse linux 6.1.0 alpha
Suse linux 6.3.0 ppc
Suse linux 6.4.0

HTTP:STC:SAFARI:WEBKIT-1ST-LTR - HTTP: Apple Safari Webkit Button First-Letter Style Rendering Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known code execution vulnerability in Apple's Safari Webkit. It is due to a use after free error when processing "first-letter" CSS style. A remote attacker can exploit this by enticing a user to open a maliciously crafted file on a target system. A successful attack can result in arbitrary code execution with the privileges of the targeted user.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

Affected Products:

Apple safari 4
Apple safari 4 For Windows
Apple safari 4.0.4 For Windows
Apple safari 4.0.4
Apple iphone 2.1
Webkit_open_source_project webkit R51295
Apple ios 4.0.1
Ubuntu ubuntu_linux 10.04 Amd64
Ubuntu ubuntu_linux 10.04 I386
Ubuntu ubuntu_linux 10.04 Powerpc
Ubuntu ubuntu_linux 10.04 Sparc
Apple safari 4.0.5
Apple ipod_touch 2.0.1
Ubuntu ubuntu_linux 10.10 i386
Apple safari 4.0.5 For Windows
Webkit_open_source_project webkit 1.2.2
Webkit_open_source_project webkit 1.2.3
Apple ipod_touch 3.0
Apple safari 4.0.3
Apple ipad 3.2.2
Webkit_open_source_project webkit R52401
Apple ipod_touch 2.2
Webkit_open_source_project webkit 1.2.2-1
Ubuntu ubuntu_linux 10.10 powerpc
Webkit_open_source_project webkit
Apple ios 4.1
Apple safari 4.0.2 For Windows
Apple safari 4.0.3 For Windows
Mandriva linux_mandrake 2010.1 X86 64
Mandriva linux_mandrake 2010.1
Apple ipod_touch 2.0.2
Apple ipod_touch 2.1
Apple safari 4.0.1
Apple iphone 2.2
Apple ipad
Apple ios 3.2.1
Apple ios 3.2
Apple iphone 3.1
Apple iphone 2.0.2
Apple iphone 2.0.1
Ubuntu ubuntu_linux 10.10 amd64
Apple iphone 2.2.1
Apple ipod_touch 2.2.1
Apple ios 4.0.2
Apple ipad
Apple ios 3.2.2
Apple ipad 3.2
Apple ipad 3.2.1
Webkit_open_source_project webkit R52833
Apple ios 4.2 beta
Apple iphone 2.0
Suse opensuse 11.3
Apple iphone 3.0.1
Apple iphone 3.0
Apple safari 4 Beta
Apple ipod_touch 2.0
Ubuntu ubuntu_linux 9.10 Amd64
Ubuntu ubuntu_linux 9.10 I386
Ubuntu ubuntu_linux 9.10 Lpia
Ubuntu ubuntu_linux 9.10 Powerpc
Ubuntu ubuntu_linux 9.10 Sparc
Apple iphone 3.1.2
Apple iphone 3.1.3
Apple ipod_touch 3.1.2
Apple ipod_touch 3.1.3
Apple ipod_touch 3.1.1
Pardus linux_2009
Webkit_open_source_project webkit R38566
Apple safari 4.0.2

HTTP:XSS:SHAREPOINT-USER - HTTP: Microsoft Sharepoint User XSS

Severity: HIGH

Description:

This signature detects attempts to exploit a known cross site scripting vulnerability in Microsoft Sharepoint. A remote attacker can exploit this by enticing a target user to open a Sharepoint site. In a successful code injection attack, the behavior of the target host is entirely dependent on the intended function of the injected code and executes within the security context of the currently logged in user. If the attack is unsuccessful, the vulnerable application can terminate abnormally.

Supported On:

References:

bugtraq: 54313
bugtraq: 49620
cve: CVE-2012-1861

Affected Products:

Microsoft sharepoint_foundation_2010 SP1
Microsoft infopath 2007 SP3
Microsoft sharepoint_foundation_2010
Microsoft infopath 2010 SP1 (32-bit editions)
Microsoft infopath_2010
Microsoft infopath 2010 SP1 (64-bit editions)
Microsoft sharepoint_server_2010 SP1
Microsoft infopath_2007 SP2
Microsoft sharepoint_server_2010_standard_edition

HTTP:NETGEAR:DG834G-DEBUG-MODE - HTTP: Netgear DG834G Wireless Router Debug Mode Command

Severity: MEDIUM

Description:

This signature detects attempts to enable Debug mode on a Netgear DG834G wireless router. Debug mode enables a Telnet server on the device with no password protection. Attackers can send a command to the router enabling Debug mode, then login through Telnet without entering a password.

Supported On:

References:

url: http://www.securityfocus.com/archive/1/371575

SPYWARE:KL:CAM2FTP - SPYWARE: Cam2ftp

Severity: MEDIUM

Description:

This signature detects the runtime behavior of spyware Cam2ftp, a keylogger. This spyware captures images from a host Webcam and uploads the files to a remote computer using FTP.

Supported On:

References:

HTTP:STC:DL:XL-CVE-2013-1315 - HTTP: Microsoft Excel CVE-2013-1315 Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Excel. A successful attack can lead to memory corruption and arbitrary code execution.

Supported On:

References:

cve: CVE-2013-1315

Affected Products:

Microsoft office 2011 (:mac)
Microsoft office_web_apps 2010 (sp1)
Microsoft excel 2010 (sp2:~~~x86~~)
Microsoft sharepoint_services 2.0
Microsoft sharepoint_portal_server 2003 (sp3)
Microsoft sharepoint_server 2010 (sp1)
Microsoft sharepoint_foundation 2010 (sp2)
Microsoft sharepoint_server 2007 (sp3)
Microsoft sharepoint_server 2010 (sp2)
Microsoft excel_viewer
Microsoft excel 2003 (sp3)
Microsoft excel 2013 (:~~~x86~~)
Microsoft excel 2013 (:~~~x64~~)
Microsoft excel_2013_rt -
Microsoft sharepoint_services 3.0
Microsoft excel 2010 (sp1)
Microsoft excel 2010 (sp2:~~~x64~~)
Microsoft office_compatibility_pack (sp3)
Microsoft excel 2007 (sp3)
Microsoft sharepoint_foundation 2010 (sp1)

HTTP:SQL:INJ:OSCOM - HTTP: osCommerce products_id Parameter SQL Injection

Severity: LOW

Description:

This signature detects attempts to exploit a known SQL injection vulnerability in a script supplied as part of the osCommerce product. Attackers can submit an HTTP request that contains a maliciously formed "products_id" parameter to create a denial-of-service (DoS)condition.

Supported On:

References:

bugtraq: 9275
url: http://www.securityfocus.com/archive/1/348227
url: http://www.oscommerce.com/

Affected Products:

Oscommerce oscommerce 2.2.0 Ms1
Oscommerce oscommerce 2.2.0 ms2

HTTP:PHP:PHPNUKE:PRIV-ESC - HTTP: PHP-Nuke Remote Priviledge Escalation

Severity: LOW

Description:

This signature detects attempts to add an admin user to a PHP-Nuke database. Attackers can add an admin user by exploiting a vulnerability in the way PHP-Nuke parses certain HTTP POST requests to admin.php.

Supported On:

References:

url: http://archives.neohapsis.com/archives/bugtraq/2004-09/0032.html

HTTP:PHP:PHPNUKE:VIEWADMIN - HTTP: PHP-Nuke ViewAdmin Page Unauthorized Access

Severity: LOW

Description:

This signature detects attempts to make changes to the PHP-Nuke database. Attackers can make changes to the database by exploiting a vulnerability in the way PHP-Nuke parses certain HTTP POST requests to admin.php.

Supported On:

References:

HTTP:PHP:PHPNUKE:DELADMIN - HTTP: PHP-Nuke DelAdmin Page Unauthorized Access

Severity: LOW

Description:

Supported On:

References:

url: http://archives.neohapsis.com/archives/bugtraq/2004-09/0042.html

HTTP:CGI:AXIS-EXEC - HTTP: Axis Video Server Remote Command Execution

Severity: HIGH

Description:

This signature detects a request to an Axis Video Server containing parameters designed to cause arbitrary command execution on the server.

Supported On:

References:

url: http://www.axis.com/products/camera_servers/index.htm
url: http://www.securityfocus.com/archive/1/372630
bugtraq: 11011
url: http://www.securityfocus.com/archive/1/372643

Affected Products:

Axis_communications 2420_network_camera 2.33.0
Axis_communications 2400_video_server 2.0.0
Axis_communications 2400_video_server 1.12.0
Axis_communications 2100_network_camera 2.33.0
Axis_communications network_dvr 2460
Axis_communications serial_server 2490
Axis_communications mpeg-2_video_server 250S
Axis_communications 2401_video_server 1.0.0 1
Axis_communications 2401_video_server 1.15.0
Axis_communications 2401_video_server 2.20.0
Axis_communications 2401_video_server 2.31.0
Axis_communications 2401_video_server 2.32.0
Axis_communications 2401_video_server 2.33.0
Axis_communications 2420_network_camera 2.12.0
Axis_communications 2420_network_camera 2.31.0
Axis_communications 2420_network_camera 2.32.0
Axis_communications 2400_video_server 1.15.0
Axis_communications 2400_video_server 1.11.0
Axis_communications 2400_video_server 1.10.0
Axis_communications 2400_video_server 1.0.0 2
Axis_communications 2400_video_server 1.0.0 1
Axis_communications 2400_video_server 2.20.0
Axis_communications 2400_video_server 2.31.0
Axis_communications 2400_video_server 2.32.0
Axis_communications 2400_video_server 2.33.0
Axis_communications 2100_network_camera 2.12.0
Axis_communications 2100_network_camera 2.32.0
Axis_communications 2100_network_camera 2.31.0
Axis_communications 2100_network_camera 2.30.0
Axis_communications 2130_ptz_network_camera 2.32.0
Axis_communications 2110_network_camera 2.32.0
Axis_communications 2110_network_camera 2.34.0
Axis_communications 2120_network_camera 2.34.0
Axis_communications 2120_network_camera 2.32.0
Axis_communications 2100_network_camera 2.34.0
Axis_communications 2400_video_server 2.34.0
Axis_communications 2401_video_server 2.34.0
Axis_communications 2420_video_server 2.32.0
Axis_communications 2420_video_server 2.34.0
Axis_communications 2130_ptz_network_camera 2.34.0
Axis_communications 2460_network_dvr 3.10.0
Axis_communications 250s_video_server 3.0.0 3
Axis_communications 2420_network_camera 2.34.0
Axis_communications 2110_network_camera 2.31.0
Axis_communications 2110_network_camera 2.30.0
Axis_communications 2120_network_camera 2.30.0
Axis_communications 2120_network_camera 2.31.0
Axis_communications 2130_ptz_network_camera 2.31.0
Axis_communications 2130_ptz_network_camera 2.30.0
Axis_communications 2400_video_server 2.30.0
Axis_communications 2401_video_server 2.30.0
Axis_communications 2420_network_camera 2.30.0
Axis_communications 2100_network_camera 2.40.0
Axis_communications 2110_network_camera 2.40.0
Axis_communications 2110_network_camera 2.12.0
Axis_communications 2120_network_camera 2.12.0
Axis_communications 2120_network_camera 2.40.0
Axis_communications 2130_ptz_network_camera 2.40.0
Axis_communications 2420_network_camera 2.40.0
Axis_communications storpoint CD
Axis_communications 2400+_video_server 3.11.0
Axis_communications 2400+_video_server 3.12.0
Axis_communications 2401+_video_server 3.13.0
Axis_communications 2411_video_server 3.13.0
Axis_communications 250s_mpeg-2_video_server 3.10.0
Axis_communications 230_mpeg-2_video_server 3.11.0
Axis_communications 2460_network_dvr 3.11.0
Axis_communications 2490_serial_server 2.11.3
Axis_communications 2100_network_camera 2.41.0
Axis_communications 2110_network_camera 2.41.0
Axis_communications 2120_network_camera 2.41.0
Axis_communications 2420_network_camera 2.41.0
Axis_communications 2400+_blade_video_server 3.12.0
Axis_communications 2401+_video_server 3.12.0
Axis_communications 2401+_blade_video_server 3.12.0
Axis_communications 2401+_video_server 3.12.0
Axis_communications 2411_video_server 3.12.0
Axis_communications 2411_video_server 3.12.0

HTTP:CGI:AXIS-ACCOUNT - HTTP: Axis Video Server Remote Account Addition

Severity: CRITICAL

Description:

This signature detects a request to an Axis Video Server containing parameters designed to create an Administrator account on the server.

Supported On:

References:

url: http://www.axis.com/products/camera_servers/index.htm
url: http://www.securityfocus.com/archive/1/372630
bugtraq: 11011
url: http://www.securityfocus.com/archive/1/372643

Affected Products:

Axis_communications 2420_network_camera 2.33.0
Axis_communications 2400_video_server 2.0.0
Axis_communications 2400_video_server 1.12.0
Axis_communications 2100_network_camera 2.33.0
Axis_communications network_dvr 2460
Axis_communications serial_server 2490
Axis_communications mpeg-2_video_server 250S
Axis_communications 2401_video_server 1.0.0 1
Axis_communications 2401_video_server 1.15.0
Axis_communications 2401_video_server 2.20.0
Axis_communications 2401_video_server 2.31.0
Axis_communications 2401_video_server 2.32.0
Axis_communications 2401_video_server 2.33.0
Axis_communications 2420_network_camera 2.12.0
Axis_communications 2420_network_camera 2.31.0
Axis_communications 2420_network_camera 2.32.0
Axis_communications 2400_video_server 1.15.0
Axis_communications 2400_video_server 1.11.0
Axis_communications 2400_video_server 1.10.0
Axis_communications 2400_video_server 1.0.0 2
Axis_communications 2400_video_server 1.0.0 1
Axis_communications 2400_video_server 2.20.0
Axis_communications 2400_video_server 2.31.0
Axis_communications 2400_video_server 2.32.0
Axis_communications 2400_video_server 2.33.0
Axis_communications 2100_network_camera 2.12.0
Axis_communications 2100_network_camera 2.32.0
Axis_communications 2100_network_camera 2.31.0
Axis_communications 2100_network_camera 2.30.0
Axis_communications 2130_ptz_network_camera 2.32.0
Axis_communications 2110_network_camera 2.32.0
Axis_communications 2110_network_camera 2.34.0
Axis_communications 2120_network_camera 2.34.0
Axis_communications 2120_network_camera 2.32.0
Axis_communications 2100_network_camera 2.34.0
Axis_communications 2400_video_server 2.34.0
Axis_communications 2401_video_server 2.34.0
Axis_communications 2420_video_server 2.32.0
Axis_communications 2420_video_server 2.34.0
Axis_communications 2130_ptz_network_camera 2.34.0
Axis_communications 2460_network_dvr 3.10.0
Axis_communications 250s_video_server 3.0.0 3
Axis_communications 2420_network_camera 2.34.0
Axis_communications 2110_network_camera 2.31.0
Axis_communications 2110_network_camera 2.30.0
Axis_communications 2120_network_camera 2.30.0
Axis_communications 2120_network_camera 2.31.0
Axis_communications 2130_ptz_network_camera 2.31.0
Axis_communications 2130_ptz_network_camera 2.30.0
Axis_communications 2400_video_server 2.30.0
Axis_communications 2401_video_server 2.30.0
Axis_communications 2420_network_camera 2.30.0
Axis_communications 2100_network_camera 2.40.0
Axis_communications 2110_network_camera 2.40.0
Axis_communications 2110_network_camera 2.12.0
Axis_communications 2120_network_camera 2.12.0
Axis_communications 2120_network_camera 2.40.0
Axis_communications 2130_ptz_network_camera 2.40.0
Axis_communications 2420_network_camera 2.40.0
Axis_communications storpoint CD
Axis_communications 2400+_video_server 3.11.0
Axis_communications 2400+_video_server 3.12.0
Axis_communications 2401+_video_server 3.13.0
Axis_communications 2411_video_server 3.13.0
Axis_communications 250s_mpeg-2_video_server 3.10.0
Axis_communications 230_mpeg-2_video_server 3.11.0
Axis_communications 2460_network_dvr 3.11.0
Axis_communications 2490_serial_server 2.11.3
Axis_communications 2100_network_camera 2.41.0
Axis_communications 2110_network_camera 2.41.0
Axis_communications 2120_network_camera 2.41.0
Axis_communications 2420_network_camera 2.41.0
Axis_communications 2400+_blade_video_server 3.12.0
Axis_communications 2401+_video_server 3.12.0
Axis_communications 2401+_blade_video_server 3.12.0
Axis_communications 2401+_video_server 3.12.0
Axis_communications 2411_video_server 3.12.0
Axis_communications 2411_video_server 3.12.0

HTTP:MISC:WAPP-PARAM-SEC3 - HTTP: Multiple Web Application Parameter Tampering 3

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against multiple web applications. A successful attack can lead to disclosure of sensitive information.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

TROJAN:MS-04-028:BACKDOOR-LOGIN - TROJAN: MS04-028-Vector Backdoor FTP Login

Severity: CRITICAL

Description:

This signature detects login attempts from a client infected with a Trojan installed as part of the Microsoft GDI+ Library JPEG overflow exploit. A successful attack can exploit this overflow to create a denial-of-service (DoS) condition or execute arbitrary code with user privileges.

Supported On:

References:

url: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx
bugtraq: 11173
cve: CVE-2004-0200

Affected Products:

Microsoft windows_xp_professional
Microsoft windows_xp_home
Microsoft visual_foxpro 8.0
Microsoft visual_foxpro_runtime_library 8.0
Microsoft windows_messenger 5.0
Avaya s8100_media_servers
Avaya definityone_media_servers
Avaya ip600_media_servers
Microsoft excel_2002 SP1
Microsoft frontpage_2002 SP1
Microsoft .net_framework_sdk 1.0
Avaya s3400_message_application_server
Microsoft powerpoint_2002 SP1
Business_objects crystal_enterprise 9.0.0
Microsoft word_2002
Microsoft word_2002 SP2
Microsoft frontpage_2002
Microsoft excel_2002 SP2
Microsoft visual_studio_.net_2003
Microsoft internet_explorer 6.0 SP1
Microsoft windows_xp_64-bit_edition_version_2003
Microsoft word_2002 SP1
Microsoft windows_xp_64-bit_edition
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP1
Microsoft frontpage_2003
Microsoft publisher_2003
Microsoft powerpoint_2003
Microsoft infopath_2003
Microsoft onenote_2003
Microsoft project_2002 SP1
Microsoft visio_2002 SP2
Microsoft picture_it!_library
Microsoft .net_framework_sdk 1.0 SP1
Microsoft .net_framework_sdk 1.0 SP2
Microsoft visio_2002 SP1
Microsoft .net_framework 1.0 SP2
Microsoft office_2003
Microsoft excel_2003
Microsoft visual_c++_.net_standard_2003
Business_objects crystal_reports 10.0.0
Microsoft windows_server_2003_enterprise_edition
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft word_2002 SP3
Microsoft excel_2002 SP3
Microsoft powerpoint_2002 SP3
Microsoft frontpage_2002 SP3
Microsoft publisher_2002 SP3
Microsoft visio_2002_professional SP2
Microsoft visio_2002_standard SP2
Microsoft visio_2003_standard
Microsoft visio_2003_professional
Microsoft outlook_2003
Microsoft office_xp SP2
Microsoft greetings_2002
Microsoft powerpoint_2002 SP2
Microsoft windows_xp_64-bit_edition SP1
Microsoft digital_image_pro 7.0
Microsoft outlook_2002 SP2
Microsoft office_xp SP1
Microsoft outlook_2002 SP1
Microsoft word_2003
Microsoft excel_2002
Microsoft powerpoint_2002
Business_objects crystal_reports 9.0.0
Business_objects crystal_enterprise 10.0.0
Microsoft visual_c#_.net_standard_2003
Microsoft project_2003
Microsoft visio_2002
Microsoft visio_2003
Microsoft visual_basic_.net_standard_2002
Microsoft visual_c#_.net_standard_2002
Microsoft visual_c++_.net_standard_2002
Microsoft visual_basic_.net_standard_2003
Microsoft visual_j#_.net_standard_2003
Microsoft visual_studio_.net_2002
Microsoft picture_it!_2002
Microsoft picture_it! 7.0
Microsoft project_2002
Microsoft picture_it! 9.0
Microsoft digital_image_pro 9.0
Microsoft digital_image_suite 9.0
Microsoft producer_for_microsoft_office_powerpoint
Microsoft platform_sdk_redistributable:_gdi+
Microsoft msn_messenger_service 9.0
Microsoft windows_server_2003_enterprise_edition_itanium
Microsoft windows_server_2003_datacenter_edition_itanium
Microsoft office_xp SP3
Microsoft outlook_2002 SP3
Microsoft publisher_2002
Microsoft .net_framework 1.1
Microsoft windows_server_2003_standard_edition
Microsoft office_xp
Microsoft outlook_2002

HTTP:STC:DL:COOLPDF-READER-BO - HTTP: CoolPDF Reader Image Stream Processing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the CoolPDF Reader. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the application.

Supported On:

References:

cve: CVE-2012-4914
bugtraq: 57461
url: http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=70&Itemid=70
url: https://www.exploit-db.com/exploits/37760/

Affected Products:

Coolpdf coolpdf 3.0.2.256

SMTP:OUTLOOK:VEVENT-MEMCORRUPT - SMTP: Microsoft Outlook iCal Meeting Request VEVENT Record Memory Corruption

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Outlook. By attaching a maliciously crafted attachment to an e-mail, an attacker can cause arbitrary code execution on the client.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, isg-3.5.141818, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, isg-3.4.140032, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, isg-3.0.0, idp-5.0.110121210, srx-branch-19.1, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, isg-3.4.0

References:

bugtraq: 21931
cve: CVE-2007-0033

Affected Products:

Microsoft outlook_2000 SP3
Microsoft outlook_2002 SP2
Microsoft office_xp
Microsoft outlook_2000
Microsoft office_xp SP3
Microsoft outlook_2002
Microsoft office_2003 SP1
Microsoft office_2000 SP1
Microsoft office_2000 SP2
Microsoft outlook_2002 SP3
Microsoft office_xp SP1
Microsoft office_2003 SP2
Microsoft outlook_2000 SP2
Microsoft outlook_2003 SP2
Microsoft outlook_2003
Microsoft outlook_2000 SR1
Microsoft outlook_2002 SP1
Microsoft office_2000 SP3
Microsoft office_xp SP2
Microsoft office_2000
Microsoft office_2003

HTTP:STC:DL:APPLE-DMG-VOLNAME - HTTP: Apple Computer Finder DMG Volume Name Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a vulnerability in the Apple Computer Mac OSX Finder application. By supplying a specially crafted DMG file, an attacker can cause arbitrary code to be executed on the victim host.

Supported On:

References:

url: http://projects.info-pull.com/moab/MOAB-09-01-2007.html
bugtraq: 21980
cve: CVE-2007-0197

Affected Products:

Apple mac_os_x 10.4.8
Apple mac_os_x_server 10.4.8

HTTP:PKG:NAI-PGP-ADMIN-ACCESS-1 - HTTP: NAI PGP Keyserver Web Admin Access (1)

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against PGP Keyserver. Attackers can perform administrative tasks without server authentication.

Supported On:

References:

bugtraq: 3375
cve: CVE-2001-1252

Affected Products:

Network_associates pgp_keyserver 7.0.1
Network_associates pgp_keyserver 7.0.0

HTTP:APACHE:MODPHP-UPLOAD-HOF - HTTP: Apache mod_php php_mime_split Heap Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against mod_php in Apache. Attackers can send a maliciously crafted HTTP POST request to execute arbitrary code on the affected server.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 4183
url: http://www.juniper.net/security/auto/vulnerabilities/vuln1085.html
cve: CVE-2002-0081

Affected Products:

Php php 4.0.7 RC3
Php php 4.0.3 Pl1
Php php 4.0.1 Pl1
Php php 3.0.17
Php php 3.0.18
Php php 3.0.4
Php php 4.1.1
Php php 3.0.0 0
Php php 4.0.0 0
Kasenna mediabase 4.0.1
Php php 3.0.16
Php php 4.0.1
Php php 4.0.1 Pl2
Php php 3.0.1
Php php 3.0.2
Php php 3.0.3
Php php 4.0.4
Php php 3.0.5
Php php 3.0.6
Php php 3.0.7
Php php 3.0.8
Php php 3.0.9
Php php 3.0.10
Php php 3.0.11
Php php 3.0.12
Php php 3.0.13
Php php 4.1.0 .0
Php php 3.0.0 .12
Php php 4.0.5
Php php 4.0.6
Php php 4.0.7
Php php 4.0.2
Php php 3.0.0 .10
Php php 3.0.0 .11
Php php 4.0.3
Php php 3.0.0 .13
Php php 3.0.14
Php php 3.0.15
Php php 3.0.0 .16
Php php 4.0.7 RC2
Php php 4.0.7 RC1

HTTP:STC:DL:WIN-GDI-METAFILE - HTTP: Microsoft Windows GDI Metafile Image Handling Heap Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Windows GDI Metafile Handler. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 28571
bugtraq: 28570
cve: CVE-2008-1083
cve: CVE-2008-1087

Affected Products:

Microsoft windows_xp_media_center_edition SP2
Microsoft windows_vista_enterprise_64-bit_edition
Hp storage_management_appliance 2.1
Research_in_motion blackberry_professional_software 4.1.4
Microsoft windows_vista SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_vista
Microsoft windows_server_2003_web_edition SP2
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_web_edition SP1
Research_in_motion blackberry_enterprise_server 4.0.3
Microsoft windows_xp_tablet_pc_edition SP2
Microsoft windows_vista_ultimate_64-bit_edition
Microsoft windows_2000_advanced_server SP4
Microsoft windows_2000_datacenter_server SP4
Microsoft windows_2000_professional SP4
Microsoft windows_2000_server SP4
Microsoft windows_vista_home_premium_64-bit_edition
Nortel_networks callpilot 703T
Nortel_networks callpilot 702T
Nortel_networks callpilot 201I
Nortel_networks callpilot 200I
Research_in_motion blackberry_enterprise_server 4.1.6
Microsoft windows_vista Home Premium
Microsoft windows_vista Home Basic
Microsoft windows_server_2003_datacenter_x64_edition SP2
Microsoft windows_vista Business
Microsoft windows_vista Enterprise
Microsoft windows_server_2003 SP1
Microsoft windows_server_2003 SP2
Microsoft windows_server_2008_datacenter_edition
Microsoft windows_server_2008_enterprise_edition
Microsoft windows_server_2008_standard_edition
Microsoft windows_vista Business SP1
Microsoft windows_server_2003_datacenter_edition_itanium SP1
Microsoft windows_vista_business_64-bit_edition
Microsoft windows_vista Enterprise SP1
Microsoft windows_vista Ultimate SP1
Microsoft windows_vista_business_64-bit_edition SP1
Nortel_networks callpilot 1002Rp
Microsoft windows_vista_home_basic_64-bit_edition SP1
Microsoft windows_vista_home_premium_64-bit_edition SP1
Microsoft windows_vista_ultimate_64-bit_edition SP1
Microsoft windows_vista Home Premium SP1
Microsoft windows_server_2003_x64 SP2
Microsoft windows_vista_enterprise_64-bit_edition SP1
Research_in_motion blackberry_unite! 1.0
Research_in_motion blackberry_enterprise_server 4.1.3
Research_in_motion blackberry_enterprise_server 4.1.4
Research_in_motion blackberry_enterprise_server 4.1.5
Microsoft windows_xp_professional_x64_edition SP2
Research_in_motion blackberry_enterprise_server 4.0 SP3
Microsoft windows_server_2003_itanium SP1
Microsoft windows_server_2003_itanium SP2
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_enterprise_x64_edition SP2
Microsoft windows_server_2003_standard_edition SP2
Microsoft windows_vista_home_basic_64-bit_edition
Microsoft windows_vista Home Basic SP1
Microsoft windows_xp_home SP2
Microsoft windows_xp_professional SP2
Research_in_motion blackberry_unite! 1.0.1
Microsoft windows_vista Ultimate
Research_in_motion blackberry_unite! 1.0.1 Bundle 36
Microsoft windows_server_2003_enterprise_edition_itanium SP1

SCAN:CORE:IIS-ASP-CHUNKED - SCAN: Core Impact IIS ASP Chunked Exploit

Severity: INFO

Description:

This signature detects the CORE Impact penetration testing tool using the IIS ASP Chunked Encoding exploit against your network (this exploit is also detected by the HTTP:REQERR:REQ-MALFORMED-URL anomaly). Because CORE Impact can chain one infected computer to another, other machines in the network can already be compromised. CORE Impact can be used legitimately to perform a network security audit of your network. However, if a network security audit is not in progress, triggering this signature can indicate that a malicious attacker is using the CORE Impact tool to compromise your network.

Supported On:

References:

bugtraq: 4485
cve: CVE-2002-0079

Affected Products:

Cisco unity_server 2.0.0
Cisco unity_server 2.1.0
Cisco unity_server 2.2.0
Cisco unity_server 2.3.0
Cisco unity_server 2.4.0
Cisco call_manager 3.2.0
Cisco building_broadband_service_manager_(bbsm) 5.1.0
Cisco building_broadband_service_manager_(bbsm) 4.5.0
Cisco building_broadband_service_manager_(bbsm) 4.4.0
Cisco building_broadband_service_manager_(bbsm) 4.3.0
Cisco building_broadband_service_manager_(bbsm) 4.2.0
Cisco building_broadband_service_manager_(bbsm) 4.0.1
Cisco building_broadband_service_manager_(bbsm) 5.0.0
Cisco call_manager 3.1.0
Microsoft iis 4.0
Microsoft iis 5.0
Cisco call_manager 3.0.0

HTTP:IIS:IIS-HTR-CHUNKED - HTTP: IIS HTR/ASP Chunked Encoding Vulnerability

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against the chunked encoding transfer mechanism in Microsoft IIS 4.0 and 5.0. Attackers can send a maliciously crafted HTTP request for an ASP or HTR page to execute arbitrary commands with system privileges.

Supported On:

DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 4855
cve: CVE-2002-0364
cve: CVE-2008-0075

Affected Products:

Microsoft windows_2000_datacenter_server
Microsoft windows_2000_datacenter_server SP1
Microsoft windows_nt_server 4.0
Microsoft windows_nt_enterprise_server 4.0
Microsoft windows_2000_professional
Microsoft windows_2000_terminal_services
Microsoft windows_2000_server SP1
Microsoft windows_2000_professional SP1
Microsoft windows_2000_advanced_server SP1
Microsoft windows_2000_advanced_server SP2
Microsoft windows_2000_datacenter_server SP2
Microsoft windows_2000_server SP2
Microsoft windows_2000_server
Microsoft windows_2000_advanced_server
Microsoft windows_nt_enterprise_server 4.0 SP1
Microsoft windows_2000_terminal_services SP1
Microsoft windows_2000_terminal_services SP2
Microsoft windows_nt_enterprise_server 4.0 SP2
Microsoft windows_nt_terminal_server 4.0 SP3
Microsoft windows_nt_enterprise_server 4.0 SP4
Microsoft windows_nt_enterprise_server 4.0 SP3
Microsoft windows_nt_enterprise_server 4.0 SP5
Microsoft windows_nt_enterprise_server 4.0 SP6
Microsoft windows_nt_enterprise_server 4.0 SP6a
Microsoft windows_nt_server 4.0 SP1
Microsoft windows_nt_server 4.0 SP2
Microsoft windows_nt_server 4.0 SP3
Microsoft windows_nt_server 4.0 SP4
Microsoft windows_nt_server 4.0 SP5
Microsoft windows_nt_server 4.0 SP6
Microsoft windows_nt_server 4.0 SP6a
Microsoft windows_nt_terminal_server 4.0 SP1
Microsoft windows_nt_terminal_server 4.0 SP2
Microsoft windows_nt_terminal_server 4.0 SP4
Microsoft windows_2000_professional SP2
Microsoft windows_nt_terminal_server 4.0 SP6
Microsoft windows_nt_workstation 4.0 SP1
Microsoft windows_nt_workstation 4.0 SP2
Microsoft windows_nt_workstation 4.0 SP3
Microsoft windows_nt_workstation 4.0 SP4
Microsoft windows_nt_workstation 4.0 SP5
Microsoft windows_nt_workstation 4.0 SP6
Microsoft windows_nt_workstation 4.0 SP6a
Microsoft windows_nt_workstation 4.0
Microsoft windows_nt_terminal_server 4.0
Microsoft iis 4.0
Microsoft iis 5.0
Microsoft windows_nt_terminal_server 4.0 SP5

SSL:VULN:CVE-2015-0208-DOS - SSL: OpenSSL Invalid PSS Parameters Denial of Service

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against OpenSSL while performing signature algorithm extension communication. A successful attack can result in a denial-of-service condition.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1

References:

url: https://www.openssl.org/news/secadv_20150319.txt
cve: CVE-2015-0208

Affected Products:

Openssl openssl 1.0.2

HTTP:XSS:MAILMAN-ADMIN - HTTP: Mailman Admin Interface Cross-Site Scripting

Severity: LOW

Description:

This signature detects attempts to exploit a cross-site scripting vulnerability in the Mailman administrative Web interface.

Supported On:

References:

url: http://www.mandriva.com/security/advisories/?name=MDKSA-2004:013
url: http://www.debian.org/security/2004/dsa-436
bugtraq: 9336
cve: CVE-2003-0965

Affected Products:

Gnu mailman 2.1.0
Gnu mailman 2.0.12
Gnu mailman 2.0.13
Gnu mailman 2.0.11
Gnu mailman 2.0.0 .8
Gnu mailman 2.0.0 .7
Gnu mailman 2.0.0 .6
Gnu mailman 2.0.0 .5
Gnu mailman 2.0.0 .3
Gnu mailman 2.0.0 .2
Gnu mailman 2.0.0 .1
Gnu mailman 2.1.3
Red_hat fedora Core1
Gnu mailman 2.0.0
Gnu mailman 2.0.1
Gnu mailman 2.0.2
Gnu mailman 2.0.3
Gnu mailman 2.0.4
Gnu mailman 2.0.6
Gnu mailman 2.0.5
Gnu mailman 2.1.10 B1
Gnu mailman 2.0.7
Gnu mailman 2.0.8
Gnu mailman 2.0.9
Gnu mailman 2.0.10
Gnu mailman 2.1.1

HTTP:XSS:MAILMAN-OPTIONS - HTTP: Mailman "options.py" Cross-Site Scripting

Severity: LOW

Description:

This signature detects attempts to exploit a cross-site scripting vulnerability in Mailman 2.1, a discussion list management application that uses Web pages. Attackers can include options.py in a maliciously crafted URI sent to Mailman scripts, enabling attackers to place scripts or HTML into discussion list Web pages.

Supported On:

References:

url: http://www.debian.org/security/2004/dsa-436
bugtraq: 6678
cve: CVE-2003-0038

Affected Products:

Gnu mailman 2.1.0

SMTP:MAL:LOTUS-APPLIX - SMTP: IBM Lotus Notes Applix Graphics Parsing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in IBM Lotus Notes Applix. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the server.

Supported On:

References:

bugtraq: 28454
cve: CVE-2007-5405

Affected Products:

Symantec mail_security_appliance 5.0.0
Ibm lotus_notes 6.0.3
Ibm lotus_notes 6.5.1
Ibm lotus_notes 6.0.2
Symantec mail_security_for_microsoft_exchange 5.0.0
Ibm lotus_notes 7.0.2
Symantec mail_security_for_smtp 5.0
Ibm lotus_notes 6.5.0
Ibm lotus_notes 6.0.4
Ibm lotus_notes 6.5.2
Ibm lotus_notes 7.0.3
Ibm lotus_notes 6.5.6 FP2
Ibm lotus_notes 6.0.0
Symantec mail_security_appliance 5.0.0.24
Autonomy keyview_export_sdk 7
Autonomy keyview_export_sdk 8
Autonomy keyview_export_sdk 9
Autonomy keyview_filter_sdk 9
Autonomy keyview_filter_sdk 8
Autonomy keyview_filter_sdk 7
Autonomy keyview_viewer_sdk 7
Autonomy keyview_viewer_sdk 8
Autonomy keyview_viewer_sdk 9
Autonomy keyview_viewer_sdk 10
Autonomy keyview_filter_sdk 10
Autonomy keyview_export_sdk 10
Ibm lotus_notes 6.5.5
Autonomy keyview_export_sdk 10.3.0
Autonomy keyview_filter_sdk 10.3.0
Autonomy keyview_viewer_sdk 10.3.0
Ibm lotus_notes 7.0
Activepdf docconverter 3.8.4.0
Ibm lotus_notes 6.5.3
Ibm lotus_notes 6.5.4
Ibm lotus_notes 6.0.5
Ibm lotus_notes 6.5.5 FP3
Ibm lotus_notes 6.5.6
Ibm lotus_notes 7.0.1
Ibm lotus_notes 8.0
Ibm lotus_notes 6.0.1
Ibm lotus_notes 6.5.5 FP2
Symantec mail_security_for_smtp 5.0.1
Symantec mail_security_for_domino 7.5
Ibm lotus_notes 7.0.2 FP1

SMB:EXPLOIT:LLS-NAME - SMB: License Logging Service Vulnerability

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in the License Logging service. Attackers, sending a malformed network message, can gain complete control allowing them to remotely execute arbitrary code on the target system.

Supported On:

References:

url: http://www.microsoft.com/technet/security/Bulletin/MS05-010.mspx
url: http://www.kb.cert.org/vuls/id/130433
bugtraq: 12481
cve: CVE-2005-0050

Affected Products:

Microsoft windows_2000 (sp2)
Microsoft windows_2003_server r2
Microsoft windows_2000 (sp2:datacenter_server)
Microsoft windows_nt 4.0 (sp6)
Microsoft windows_2003_server 2000
Microsoft windows_2000 (:datacenter_server)
Microsoft windows_nt 4.0 (:server)
Microsoft windows_2003_server 2000 (:small_business_server)
Microsoft windows_nt 4.0 (sp1:server)
Microsoft windows_nt 4.0 (sp6a:terminal_server)
Microsoft windows_nt 4.0 (sp6:terminal_server)
Microsoft windows_2000 (sp4)
Microsoft windows_2003_server standard
Microsoft windows_2003_server 2003
Microsoft windows_nt 4.0 (:terminal_server)
Microsoft windows_nt 4.0 (sp1:terminal_server)
Microsoft windows_2000 (sp3:advanced_server)
Microsoft windows_2000 (sp1:server)
Microsoft windows_nt 4.0 (sp5:server)
Microsoft windows_2000 (sp2:server)
Microsoft windows_2003_server web
Microsoft windows_nt 4.0 (sp5)
Microsoft windows_nt 4.0 (sp4:enterprise_server)
Microsoft windows_nt 4.0 (:enterprise_server)
Microsoft windows_2000 (sp3)
Microsoft windows_nt 4.0 (sp1)
Microsoft windows_2003_server r2 (:64-bit)
Microsoft windows_nt 4.0 (sp3:server)
Microsoft windows_nt 4.0 (sp3:enterprise_server)
Microsoft windows_2000 (:advanced_server)
Microsoft windows_2003_server r2 (:datacenter_64-bit)
Microsoft windows_2003_server enterprise_64-bit
Microsoft windows_nt 4.0 (sp6a:server)
Microsoft windows_2003_server standard (:64-bit)
Microsoft windows_nt 4.0 (sp2:enterprise_server)
Microsoft windows_nt 4.0 (sp2)
Microsoft windows_2003_server enterprise (:64-bit)
Microsoft windows_2000 (sp3:datacenter_server)
Microsoft windows_nt 4.0 (sp2:terminal_server)
Microsoft windows_2000 (sp4:server)
Microsoft windows_nt 4.0 (sp6a)
Microsoft windows_2000 (sp3:server)
Microsoft windows_nt 4.0 (sp6:enterprise_server)
Microsoft windows_2003_server 2003 (:small_business_server)
Microsoft windows_2000 (sp4:advanced_server)
Microsoft windows_nt 4.0 (sp3)
Microsoft windows_nt 4.0 (sp6:server)
Microsoft windows_2000 (sp1)
Microsoft windows_nt 4.0 (sp3:terminal_server)
Microsoft windows_2000 (sp1:advanced_server)
Microsoft windows_2000 (sp4:datacenter_server)
Microsoft windows_nt 4.0 (sp5:enterprise_server)
Microsoft windows_nt 4.0 (sp6a:enterprise_server)
Microsoft windows_nt 4.0
Microsoft windows_nt 4.0 (sp4)
Microsoft windows_2000 (:server)
Microsoft windows_nt 4.0 (sp4:server)
Microsoft windows_nt 4.0 (sp5:terminal_server)
Microsoft windows_nt 4.0 (sp1:enterprise_server)
Microsoft windows_2003_server enterprise
Microsoft windows_nt 4.0 (sp4:terminal_server)
Microsoft windows_2000 (sp1:datacenter_server)
Microsoft windows_2000 (sp2:advanced_server)
Microsoft windows_nt 4.0 (sp2:server)

APP:HPOV:OVWEBSNMPSRV-OF - APP: HP OpenView NNM ovwebsnmpsrv.exe Command Line Argument Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known buffer overflow vulerability in HP OpenView Network Node Manager (NNM) ovwebsnmpsrv.exe. It is due to a boundary error when handling HTTP requests sent to the jovgraph.exe CGI application. A remote unauthenticated attacker can exploit this by sending a crafted HTTP request to a target server, potentially causing arbitrary code to be injected and executed in the security context of the Internet Guest account.

Supported On:

idp-5.1.110161014, DI-Client, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, DI-Base, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 40873
url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439
cve: CVE-2010-1964
bugtraq: 40638
bugtraq: 40637
cve: CVE-2010-1960
cve: CVE-2010-1961

Affected Products:

Hp openview_network_node_manager 7.51
Hp openview_network_node_manager 7.53

SMB:MS-RAP-STACK-OV - SMB: Microsoft Remote Administration Protocol Stack Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Windows networking components. A successful attack can lead to stack based buffer overflow and arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, mx-11.4, mx-16.1, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, isg-3.4.140032, isg-3.4.139899, vsrx-12.1, idp-5.0.110121210, srx-branch-19.1, idp-5.0.110130325, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 54940
cve: CVE-2012-1853

Affected Products:

Microsoft windows_xp
Microsoft windows_xp_professional_x64_edition
Microsoft windows_xp_service_pack_3
Microsoft windows_xp_professional_x64_edition SP2

TROJAN:CAPFIRE4-CNC - TROJAN: Capfire4 Command and Control Traffic

Severity: HIGH

Description:

This signature detects the Command and Control traffic for the Capfire4 trojan. The source IP host is infected and should be removed from the network for analysis.

Supported On:

References:

url: http://www.nzinfosec.com/capfire4-malware-rat-software-and-cc-service-together-malware-as-a-service/

HTTP:CGI:CDOMAINFREE-RMT-EXEC - HTTP: CDomainFree Remote Execution

Severity: MEDIUM

Description:

This signature detects attempts to exploit a vulnerability in whois_raw.cgi, a part of CdomainFree. Attackers can remotely run executables existing on the Web server.

Supported On:

References:

bugtraq: 304
url: http://www.securityfocus.com/archive/1/14019
cve: CVE-1999-1063

Affected Products:

Cdomain cdomainfree 1.0.0
Cdomain cdomainfree 2.0.0
Cdomain cdomainfree 2.1.0
Cdomain cdomainfree 2.2.0
Cdomain cdomainfree 2.3.0
Cdomain cdomainfree 2.4.0

SMB:EXPLOIT:SMB1-CHAINING-MC - SMB: Samba SMB1 Packets Chaining Memory Corruption

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known memory corruption vulnerability in Samba. It is due to improper validation when chaining SMB1 packets. Remote attackers can exploit this by sending a crafted SMB message to a target SMB server. A successful attack can result in remote code execution with root privileges.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, idp-4.2.110100823, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, isg-3.4.140032, isg-3.4.139899, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, isg-3.0.0, idp-5.0.110121210, srx-branch-19.1, idp-5.0.110130325, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 40884
url: http://www.samba.org/samba/security/CVE-2010-2063.html
cve: CVE-2010-2063

Affected Products:

Apple mac_os_x 10.5.1
Apple mac_os_x_server 10.5
Apple mac_os_x_server 10.5.1
Avaya voice_portal 4.1
Avaya messaging_storage_server 5.1
Avaya messaging_storage_server 1.0
Avaya messaging_storage_server 2.0
Red_hat enterprise_linux 5.4.Z Server
Debian linux 5.0 Ia-32
Avaya messaging_storage_server
Avaya message_networking
Sun solaris 10 Sparc
Red_hat enterprise_linux_desktop 5 Client
Ubuntu ubuntu_linux 6.06 LTS Powerpc
Ubuntu ubuntu_linux 6.06 LTS I386
Ubuntu ubuntu_linux 6.06 LTS Amd64
Rpath rpath_linux 2
Debian linux 5.0 Mips
Red_hat enterprise_linux_es 3
Slackware linux 10.2.0
Red_hat enterprise_linux_ws 3
Samba samba 3.0.23B
Xerox workcentre 5740
Xerox workcentre 5755
Xerox workcentre 5765
Xerox workcentre 5775
Samba samba 3.0.23A
Mandriva linux_mandrake 2009.1
Mandriva linux_mandrake 2009.1 X86 64
Ubuntu ubuntu_linux 8.04 LTS Amd64
Ubuntu ubuntu_linux 8.04 LTS I386
Apple mac_os_x 10.5.2
Apple mac_os_x_server 10.5.2
Ubuntu ubuntu_linux 8.04 LTS Sparc
Red_hat desktop 3.0.0
Samba samba 3.2.4
Samba samba 3.0.25C
Apple mac_os_x 10.5.4
Apple mac_os_x_server 10.5.4
Suse novell_linux_pos 9
Avaya messaging_storage_server 5.2
Apple mac_os_x_server 10.5.0
Apple mac_os_x 10.5
Samba samba 3.0.26A
Samba samba 3.0.9
Apple mac_os_x 10.6
Apple mac_os_x_server 10.6
Samba samba 3.0.25 Pre1
Samba samba 3.0.3
Samba samba 3.0.4
Samba samba 3.0.5
Samba samba 3.0.23C
Samba samba 3.0.11
Samba samba 3.0.12
Samba samba 3.0.13
Hp hp-ux B.11.31
Samba samba 3.0.14A
Samba samba 3.0.20
Samba samba 3.0.20A
Slackware linux 13.0
Samba samba 3.0.21
Samba samba 3.0.21A
Slackware linux 10.1.0
Samba samba 3.0.21C
Samba samba 3.0.22
Samba samba 3.0.24
Samba samba 3.0.28A
Samba samba 3.0.29
Sun solaris 9 Sparc
Avaya voice_portal 5.0 SP2
Samba samba 3.0.30
Suse open-enterprise-server
Samba samba 3.0.25 Pre2
Samba samba 3.0.25 Rc3
Samba samba 3.0.20B
Hp hp-ux B.11.23
Mandriva corporate_server 4.0.0 X86 64
Avaya voice_portal 4.1 SP1
Avaya voice_portal 4.1 SP2
Avaya voice_portal 5.1
Avaya voice_portal 5.0
Mandriva enterprise_server 5 X86 64
Apple mac_os_x 10.5.3
Samba samba 3.0.21B
Debian linux 5.0 Ia-64
Suse suse_linux_enterprise_desktop 11
Mandriva linux_mandrake 2008.0
Mandriva linux_mandrake 2008.0 X86 64
Apple mac_os_x 10.6.3
Apple mac_os_x_server 10.6.3
Apple mac_os_x 10.5.5
Apple mac_os_x_server 10.5.5
Apple mac_os_x 10.6.2
Apple mac_os_x_server 10.6.2
Red_hat enterprise_linux_as 4.7.Z
Red_hat enterprise_linux_es 4.7.Z
Apple mac_os_x 10.5.8
Samba samba 3.0.10
Apple mac_os_x_server 10.5.8
Samba samba 3.2.2
Samba samba 3.2.3
Samba samba 3.2.1
Suse suse_linux_enterprise_sdk 10 SP3
Suse suse_linux_enterprise_desktop 10 SP3
Suse suse_linux_enterprise_server 10 SP3
Hp hp-ux B.11.23
Samba samba 3.2.0
Suse suse_linux_enterprise_server 11
Samba samba 3.0.4 -R1
Avaya messaging_storage_server 5.0
Samba samba 3.0.7
Samba samba 3.0.0 Alpha
Avaya message_networking 5.2
Samba samba 3.0.25 Rc1
Debian linux 5.0
Debian linux 5.0 Alpha
Avaya message_networking 3.1
Debian linux 5.0 Arm
Debian linux 5.0 Hppa
Slackware linux 12.1
Suse suse_linux_enterprise 11
Debian linux 5.0 M68k
Red_hat enterprise_linux_as 3
Sun solaris 10 X86
Debian linux 5.0 Powerpc
Debian linux 5.0 S/390
Debian linux 5.0 Sparc
Samba samba 3.0.0
Samba samba 3.0.1
Samba samba 3.0.2
Samba samba 3.0.2 A
Samba samba 3.0.8
Suse opensuse 11.0
Samba samba 3.0.25
Xerox workcentre 5790
Apple mac_os_x 10.5.0
Mandriva enterprise_server 5
Mandriva linux_mandrake 2009.0
Mandriva linux_mandrake 2009.0 X86 64
Ubuntu ubuntu_linux 9.04 I386
Ubuntu ubuntu_linux 9.04 Lpia
Ubuntu ubuntu_linux 9.04 Powerpc
Ubuntu ubuntu_linux 9.04 Sparc
Mandriva corporate_server 4.0
Apple mac_os_x 10.5.7
Apple mac_os_x_server 10.5.7
Red_hat enterprise_linux 5 Server
Slackware linux 12.0
Pardus linux_2009
Ubuntu ubuntu_linux 6.06 LTS Sparc
Ubuntu ubuntu_linux 8.04 LTS Lpia
Ubuntu ubuntu_linux 8.04 LTS Powerpc
Apple mac_os_x 10.6.1
Samba samba 3.2.5
Slackware linux 13.0 X86 64
Samba samba 3.0.32
Samba samba 3.0.33
Samba samba 3.3.7
Samba samba 3.2.14
Samba samba 3.0.36
Samba samba 3.3.8
Samba samba 3.2.15
Samba samba 3.0.37
Samba samba 3.0.6
Gentoo linux
Avaya messaging_storage_server 4.0
Suse suse_linux_enterprise 10 SP3
Debian linux 5.0 Mipsel
Samba samba 3.0.14
Apple mac_os_x 10.5.6
Apple mac_os_x_server 10.5.6
Avaya voice_portal 5.0 SP1
Vmware esx_server 3.5
Suse suse_linux_enterprise_software_development_kit 11
Samba samba 3.0.35
Samba samba 3.0.34
Samba samba 3.3.5
Samba samba 3.2.12
Samba samba 3.2.13
Samba samba 3.3.6
Avaya messaging_storage_server MM3.0
Suse suse_linux_enterprise_server 9
Sun solaris 9 X86
Avaya voice_portal 3.0
Samba samba 3.0.27A
Red_hat enterprise_linux_es 4
Red_hat enterprise_linux_ws 4
Red_hat enterprise_linux Desktop Version 4
Samba samba 3.0.25A
Samba samba 3.0.25B
Avaya voice_portal 4.0
Samba samba 3.0.26
Samba samba 3.3.11
Samba samba 3.3.12
Apple mac_os_x_server 10.5.3
Hp hp-ux B.11.11
Avaya message_networking MN 3.1
Suse opensuse 11.1
Sun opensolaris Build Snv 111B
Apple mac_os_x 10.6.4
Apple mac_os_x_server 10.6.4
Hp cifs-server A.02.04.01
Hp cifs-server A.02.03.05
Ubuntu ubuntu_linux 9.04 Amd64
Debian linux 5.0 Armel
Red_hat enterprise_linux_as 4
Samba samba 3.0.28
Slackware linux 12.2
Red_hat enterprise_linux 5.3.Z Server
Samba samba 3.0.23D
Xerox workcentre 5765
Apple mac_os_x_server 10.6.1
Rpath appliance_platform_linux_service 2
Slackware linux 10.0.0
Hp hp-ux B.11.11
Slackware linux 11.0
Avaya messaging_storage_server 3.1
Samba samba 3.0.25 Rc2
Debian linux 5.0 Amd64
Xerox workcentre 5735
Samba samba 3.3.10
Xerox workcentre 5745
Xerox workcentre 5740
Xerox workcentre 5755
Avaya messaging_storage_server 3.1 SP1
Xerox workcentre 5775
Xerox workcentre 5790
Samba samba 3.0.27

HTTP:STC:DL:WORD-SECTION-OF - HTTP: Microsoft Word Section Table Array Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office Word. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 22225
cve: CVE-2007-0515

Affected Products:

Microsoft word_2000
Microsoft word_2000 SP3
Microsoft word_2000 SR1
Microsoft word_2000 Sr1a
Microsoft word_2000 SP2
Microsoft office_2003 SP1
Microsoft office_2000 SP1
Microsoft office_2000 SP2
Microsoft office_2003 SP2
Microsoft office_2000 SP3

HTTP:STC:DL:OO-OLE - HTTP: OpenOffice OLE File Stream Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in OpenOffice. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

Affected Products:

Openoffice openoffice.org up to 2.3.1
Openoffice openoffice.org 2.0.3
Openoffice openoffice.org 2.3
Openoffice openoffice.org 2.2.1
Openoffice openoffice.org 2.2
Openoffice openoffice.org 2.1

HTTP:OWA:LOGIN-REDIR - HTTP: Outlook Web Access Login Redirection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft Outlook Web Access that ships with Microsoft Exchange Server. Attackers can create a malicious link that, when accessed, can trick users into believing they are logging into their mail server, but instead their login information is being redirected to a Web site of the attacker's choice. Attackers can obtain user OWA login credentials, which are usually the same as NT Domain logins, enabling attackers to access the domain with the stolen user credentials.

Supported On:

References:

url: http://www.symantec.com/avcenter/attack_sigs/s21208.html
bugtraq: 12459
url: http://exploitlabs.com/files/advisories/EXPL-A-2005-001-owa.txt
cve: CVE-2005-0420

Affected Products:

Microsoft exchange_server_2003 SP1
Microsoft exchange_server_2003

HTTP:STC:DL:MSPUBLISHER-OBJ - HTTP: Microsoft Publisher Object Handler Validation Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Publisher. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 29158
cve: CVE-2008-0119

Affected Products:

Microsoft publisher_2007 SP1
Microsoft publisher_2007
Microsoft publisher_2003 SP3
Microsoft publisher_2002 SP3
Microsoft publisher_2003 SP2
Microsoft publisher_2000 SP3

WORM:DISTTRACK-PROPAGATION - WORM: DistTrack Propagation Execution of Dropped File

Severity: HIGH

Description:

This signature detects DistTrack Worm activity as it attempts to propagate via SMB. Disttrack is a worm that spreads through network shares. It also drops malicious files and overwrites existing files.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

SPYWARE:AD:CASINOONNET - SPYWARE: CasinoOnNet

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware CasinoOnNet, an online gambling adware application. This spyware collects personal information such as name, address, telephone number, e-mail address, debit/credit card data, lifestyle and other information entered during adware registration or through adware surveys.

Supported On:

References:

SPYWARE:BH:ABOUTBLANK - SPYWARE: CoolWebSearch AboutBlank Variant

Severity: LOW

Description:

This signature detects the runtime behavior of the CWS.About:Blank spyware, a variant belonging to the CoolWebSearch (CWS) spyware group of browser-hijacking applications. This variant takes control of a user's Web browser settings and changes the homepage, search page, and other default pages to access Web sites controlled by the variant developer. For all changed URLs, the browser address bar displays About:Blank.

Supported On:

References:

url: http://www.spywareguide.com/product_show.php?id=599

APP:VMWARE-VCENTER-CHARGEBACK - APP: VMWare VCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Vmware vCenter Chargeback Manager. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 60484
cve: CVE-2013-3520

Affected Products:

Vmware vcenter_chargeback_manager 1.6.2
Vmware vcenter_chargeback_manager 2.0.1
Vmware vcenter_chargeback_manager 1.5.0
Vmware vcenter_chargeback_manager 2.0.0
Vmware vcenter_chargeback_manager up to 2.5.0
Vmware vcenter_chargeback_manager 1.6.0
Vmware vcenter_chargeback_manager 1.6.1

HTTP:STC:DL:XLS-MBOF - HTTP: Microsoft Excel Multiple Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Excel. A successful attack can lead to arbitrary code execution.

Supported On:

References:

cve: CVE-2010-3230
cve: CVE-2010-3232
cve: CVE-2010-3239
cve: CVE-2010-3240
cve: CVE-2010-3242
cve: CVE-2010-3237
bugtraq: 43655
bugtraq: 43654
bugtraq: 43652
bugtraq: 43646
bugtraq: 43647
bugtraq: 43643
bugtraq: 43657
cve: CVE-2010-3231

Affected Products:

Microsoft excel_2004_for_mac
Microsoft open_xml_file_format_converter_for_mac
Microsoft excel_2002 SP3
Microsoft excel_2008_for_mac
Microsoft excel_2002
Microsoft excel_2002 SP1
Microsoft excel_2002 SP2

HTTP:STC:DL:MS-DOC-STREAM-CE - HTTP: Microsoft Word Document Stream Handling Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office Word. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 22567
cve: CVE-2007-0870

Affected Products:

Microsoft word_2000
Microsoft word_2000 SP3
Microsoft office_xp
Microsoft word_2000 SR1
Microsoft word_2000 Sr1a
Microsoft word_2000 SP2
Microsoft office_xp SP1
Microsoft word_2002 SP3
Avaya customer_interaction_express_(cie)_user_interface 1.0
Microsoft office_2000 SP1
Microsoft office_2000 SP2
Microsoft office_xp SP3
Microsoft word_2002
Microsoft word_2002 SP2
Microsoft office_2000 SP3
Microsoft office_xp SP2
Microsoft office_2000
Microsoft word_2002 SP1

SPYWARE:AD:BLOWSEARCH - SPYWARE: Blowsearch

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware Blowsearch, an Internet Explorer Browser hijacker. This spyware is an IE toolbar that monitors user Web activity, then passes the information to its controlling server.

Supported On:

References:

HTTP:STC:DL:QT-UDTA-ATOM - HTTP: Apple QuickTime 'udta' Atom Parsing Heap Overflow Vulnerability

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Apple Quicktime. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 22827
cve: CVE-2007-0714

Affected Products:

Apple quicktime_player 7.1.2
Apple quicktime_player 7.1
Apple quicktime_player 6.5.1
Apple quicktime_player 6
Apple quicktime_player 6.5.2
Apple quicktime_player 7.1.4
Apple quicktime_player 7.0.2
Apple quicktime_player 7.0.3
Apple quicktime_player 6.5.0
Apple quicktime_player 6.1.0
Apple quicktime_player 7.0.1
Apple quicktime_player 7.1.3
Apple quicktime_player 7.0.0
Apple quicktime_player 5.0.2
Apple quicktime_player 7.0.4
Apple quicktime_player 7.1.1

HTTP:PHP:PINEAPP-LIVELOG-RCE - HTTP: PineApp Mail-SeCure Livelog.html Command Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against PineApp Mail-SeCure. It is due to exposing of the livelog.html file of the administration web interface. A successful attack may lead to arbitrary code execution.

Supported On:

HTTP:INFO-LEAK:IIS-FILE-ACCESS - HTTP: Microsoft IIS Web server Unauthorized File Access

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft IIS Web server. A successful attack can lead to unauthorized file disclosure.

Supported On:

References:

url: http://www.iss.net/security_center/reference/vuln/servicecnf-detected.htm

APP:HP-SITESCOPE-CMD-INJ - APP: HP SiteScope runOMAgentCommand Command Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a command injection vulnerability in the HP SiteScope. It is due to insufficient validation of user-supplied input. A successful attack can lead to arbitrary code execution within the context of the affected application.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

url: http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_nac03861260-1
cve: CVE-2013-2367
bugtraq: 61506

Affected Products:

Vendor product VERSION

IMAP:OVERFLOW:MERCUR-NTLMSSP - IMAP: Atrium Software MERCUR IMAPD NTLMSSP Command Handling Memory Corruption

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in the Atrium Software MERCUR IMAP Server. A successful attack can lead to a buffer overflow and arbitrary remote code execution.

Supported On:

References:

bugtraq: 23058
cve: CVE-2007-1578

Affected Products:

Atrium_software mercur_imapd 1 SP4

SPYWARE:AD:WHENU-CLOCKSYNC - SPYWARE: Whenu.clocksync

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware Whenu.ClockSync, a program that synchronizes the time on the Windows clock. This spyware monitors user Web activity, displays pop-up advertisements without user consent, and installs malicious spyware on the user's system.

Supported On:

References:

HTTP:STC:DL:ZIP-FOR-MEDIA - HTTP: Compressed File Downloaded for Media File Requested

Severity: HIGH

Description:

This signature detects attempts to download a compressed (ZIP) file when a media file was requested. Some video players attempt to load the compressed file as a media file, which can result in arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 40428

Affected Products:

Videolan vlc_media_player 0.8.6I
Videolan vlc_media_player 1.0.0
Videolan vlc_media_player 1.0.5
Videolan vlc_media_player 0.9.7
Videolan vlc_media_player 0.9.5
Videolan vlc_media_player 0.9.6
Videolan vlc_media_player 1.0.6
Videolan vlc_media_player 0.5.0
Videolan vlc_media_player 0.8.6A
Videolan vlc_media_player 0.8.6B
Videolan vlc_media_player 1.0.3
Videolan vlc_media_player 0.6.8
Videolan vlc_media_player 1.0.1
Videolan vlc_media_player 0.8.6G
Videolan vlc_media_player 0.8.6
Videolan vlc_media_player 0.8.6H
Videolan vlc_media_player 0.8.6C
Videolan vlc_media_player 0.9.2
Videolan vlc_media_player 0.9.3
Videolan vlc_media_player 0.8.6E
Videolan vlc_media_player 0.9.9
Videolan vlc_media_player 0.9.0
Videolan vlc_media_player 0.9.1
Videolan vlc_media_player 0.9.4
Videolan vlc_media_player 0.9.8A
Videolan vlc_media_player 0.8.6F
Videolan vlc_media_player 0.8.6D
Videolan vlc_media_player 1.0.2

HTTP:OVERFLOW:MICROFOCUS-PST-OF - HTTP: Micro Focus GroupWise Post Office Agent Integer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Post Office Agent component of Micro Focus GroupWise. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the Server.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2016-5762

Affected Products:

Novell groupwise 2014
Novell groupwise 2014_r2

SPYWARE:AD:IST-ISTBAR - SPYWARE: IST.ISTbar

Severity: MEDIUM

Description:

This signature detects the runtime behavior of the spyware IST.ISTbar (also known as xxxtoolbar), an Internet Explorer browser hijacker. This spyware monitors user Web activity, then sends the information to its controlling server. It also modifies user search queries and installs pop-up porn products.

Supported On:

References:

url: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516

SPYWARE:AD:MAPQUEST-TOOLBAR - SPYWARE: MapQuest Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware MapQuest Toolbar, an Internet Explorer browser hijacker. This spyware displays pop-up advertisements and installs bundled adwares.

Supported On:

References:

VOIP:SIP:DIGIUM-ASTERISK-DOS - VOIP: Digium Asterisk SIP Terminated Channel ACK with SDP Denial of Service

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Asterisk Open Source and Certified Asterisk. A successful attack can result in a denial-of-service condition.

Supported On:

idp-5.1.110161014, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 62021
cve: CVE-2013-5641

Affected Products:

Digium asterisk 1.8.19.1
Digium asterisk 11.1.2
Digium certified_asterisk 1.8.15 (rc1)
Digium asterisk 11.0.0 (beta2)
Digium asterisk 11.1.1
Digium asterisk 1.8.18.0 (rc1)
Digium asterisk 1.8.23.0 (rc1)
Digium asterisk 11.5.0 (rc2)
Digium certified_asterisk 1.8.15 (cert1-rc1)
Digium asterisk 1.8.17.0 (rc2)
Digium asterisk 1.8.23.0 (rc2)
Digium asterisk 11.4.0 (rc2)
Digium asterisk 11.5.0 (rc1)
Digium asterisk 11.4.0 (rc1)
Digium asterisk 11.3.0 (rc2)
Digium asterisk 1.8.17.0 (rc1)
Digium certified_asterisk 11.2.0 (rc2)
Digium certified_asterisk 1.8.15 (cert1-rc2)
Digium certified_asterisk 11.2.0 (rc1)
Digium asterisk 1.8.20.0 (rc2)
Digium asterisk 1.8.20.0 (rc1)
Digium asterisk 11.0.0 (rc2)
Digium asterisk 11.4.0 (rc3)
Digium certified_asterisk 1.8.15 (cert2)
Digium asterisk 1.8.22.0 (rc2)
Digium asterisk 1.8.22.0 (rc1)
Digium asterisk 1.8.17.0 (rc3)
Digium asterisk 1.8.18.1
Digium asterisk 11.3.0 (rc1)
Digium asterisk 1.8.19.0 (rc1)
Digium asterisk 11.0.0 (beta1)
Digium certified_asterisk 1.8.15 (cert1)
Digium asterisk 11.2.0 (rc1)
Digium asterisk 11.0.2
Digium certified_asterisk 11.2.0 (cert1)
Digium asterisk 11.1.0 (rc1)
Digium asterisk 11.5.1
Digium asterisk 1.8.19.0 (rc3)
Digium asterisk 11.1.0 (rc3)
Digium asterisk 11.0.0 (rc1)
Digium asterisk 1.8.21.0 (rc2)
Digium certified_asterisk 1.8.15 (cert1-rc3)
Digium asterisk 1.8.21.0 (rc1)
Digium asterisk 11.2.0 (rc2)
Digium asterisk 11.0.1

HTTP:STC:DL:ACDSEE-XPM-COLOR - HTTP: ACD Systems ACDSee Products XPM File Colors Parameter Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against ACD Systems ACDSee. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 23620
cve: CVE-2007-2193

Affected Products:

Acd_systems_inc acdsee_quick_view 9.0

SPYWARE:AD:CUSTOMTOOLBAR - SPYWARE: Custom Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of spyware CustomToolbar, an Internet Explorer toolbar created by customtoolbar.com. This spyware displays un-targeted pop-up advertisements as directed by its controlling server.

Supported On:

References:

DNS:TUNNEL:SHORT-TTL - DNS: Short Time To Live Response

Severity: MEDIUM

Description:

This signature detects DNS responses with very short Time To Live (TTL) values. This is not normal for DNS and is indicative of DNS tunneling. Dropping these packets will usually block the tunnel.

Supported On:

References:

url: http://dankaminsky.com/2004/07/29/51/
url: http://code.kryo.se/iodine/
url: http://hsc.fr/ressources/outils/dns2tcp/
cve: CVE-2014-3214

Affected Products:

Isc bind 9.10.0

SPYWARE:AD:SEARCHITBAR - SPYWARE: SearchitBar

Severity: LOW

Description:

This signature detects the runtime behavior of spyware SearchitBar, an adware application. This spyware adds a toolbar to Internet Explorer, then records user Web activity. It also downloads and executes programs from its controlling server.

Supported On:

References:

url: http://www.spywareguide.com/product_show.php?id=498

TROJAN:THE-RAT - Trojan: The Rat Update Protocol Request

Severity: HIGH

Description:

This signature detects a client infected with "The Rat" as it uses the Update Protocol to contact controllers for commands.

Supported On:

idp-5.1.110161014, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

url: http://labs.alienvault.com/labs/index.php/2012/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explorer-zeroday/

APP:HPOV:SNMPVIEWER-APP-OF - APP: HP OpenView NNM snmpviewer.exe App Parameter Stack Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against HP OpenView Network Node Manager. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 40068
cve: CVE-2010-1552
url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379

Affected Products:

Hp openview_network_node_manager 7.01
Hp openview_network_node_manager 7.51
Hp openview_network_node_manager 7.53

APP:HPOV:DEMANDPOLL-FMT-STR - APP: HP OpenView Network Node Manager ovet_demandpoll.exe Format String Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in HP OpenView Network Node Manager. It is due to a format string error in ovet_demandpoll.exe when processing the 'sel' variable sent in a crafted HTTP request. A remote unauthenticated attacker can exploit this by sending a crafted HTTP request to a target server, potentially causing arbitrary code to be injected and executed in the security context of the ovet_demandpoll.exe process.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 40065
url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379
cve: CVE-2010-1550

Affected Products:

Hp openview_network_node_manager 7.01
Hp openview_network_node_manager 7.51
Hp openview_network_node_manager 7.53

SPYWARE:BH:ISTSLOTCHBAR - SPYWARE: IST-Slotchbar

Severity: MEDIUM

Description:

This signature detects the runtime behavior of spyware IST-Slotchbar. This spyware adds a toolbar to Internet Explorer and displays pop-up advertisements, some of which are porn related. When a user performs a search in the toolbar, it directs the search results to third party links. IST-Slotchbar also periodically connects to its controlling server to download self-updates, and to install other adware and spywares such as TargetSaver and InternetOptimizer.

Supported On:

References:

url: http://www.spywareguide.com/product_show.php?id=1038

SPYWARE:AD:WHENUWEATHERCAST - SPYWARE: WhenU-Weathercast

Severity: LOW

Description:

This signature detects the runtime behavior of spyware WhenU-WeatherCast. This spyware downloads and displays targeted advertisements based on the user zip code. It also installs WhenU.WhenUSearch, another spyware application.

Supported On:

References:

url: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074634

HTTP:PHP:PHP-CAL-FILE-INC - HTTP: PHP-Calendar File Include Vulnerability

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against PHP-Calendar, a popular open-source calendar program. Attackers can send malformed requests and execute arbitrary PHP commands on the web server.

Supported On:

References:

url: http://www.gulftech.org/?node=research&article_id=00060-12292004
url: http://php-calendar.sourceforge.net/
bugtraq: 12127
url: http://www.securityspace.com/smysecure/catid.html?id=16071
cve: CVE-2004-1423

Affected Products:

Php-calendar php-calendar 0.10.0
Php-calendar php-calendar 0.9.1
Php-calendar php-calendar 0.9.0
Php-calendar php-calendar 0.8.0
Php-calendar php-calendar 0.7.0
Php-calendar php-calendar 0.6.0
Php-calendar php-calendar 0.5.0
Php-calendar php-calendar 0.4.0
Php-calendar php-calendar 0.3.0
Php-calendar php-calendar 0.2.0
Php-calendar php-calendar 0.1.0

SPYWARE:KL:CODENAMEALVIN - SPYWARE: Codename Alvin

Severity: MEDIUM

Description:

This signature detects the runtime behavior of spyware Codename Alvin, a keylogger. After infecting a host, this spyware enables attackers to capture screen images, monitor user Web activity, and log keystrokes made by the host user. It also downloads and installs code from its controlling server.

Supported On:

References:

url: http://www.spywareguide.com/product_show.php?id=1734

HTTP:YOUNGZSOFT-MAILCOM-BO - HTTP: Youngzsoft CMailServer CMailCOM ActiveX Control Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to use unsafe ActiveX controls in Youngzsoft CMailServer. An attacker can create a malicious Web site containing Web pages with dangerous ActiveX controls, which if accessed by a victim, allows the attacker to gain control of the victim's client browser.

Supported On:

References:

bugtraq: 30098

Affected Products:

Youngzsoft cmailserver 5.4.6

HTTP:STC:DL:ASF-SR - HTTP: ASF Sample Rate Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Windows Media Runtime ASF parser. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

References:

bugtraq: 36614
cve: CVE-2009-0555
bugtraq: 36644
cve: CVE-2009-2527

Affected Products:

Nortel_networks contact_center_ncc
Nortel_networks self-service_peri_workstation
Nortel_networks self-service_wvads
Nortel_networks self-service_mps_100
Nortel_networks self-service_mps_500
Nortel_networks self-service_mps_1000
Nortel_networks self-service_speech_server
Nortel_networks contact_center-tapi_server
Nortel_networks callpilot 703T
Nortel_networks contact_center_manager_server
Nortel_networks callpilot 1002Rp
Nortel_networks callpilot 200I
Nortel_networks callpilot 702T
Microsoft windows_media_player 10.0
Nortel_networks self-service_peri_application
Nortel_networks callpilot 201I
Nortel_networks contact_center_express
Nortel_networks contact_center_multimedia
Nortel_networks self-service_ccxml
Nortel_networks self_service_voicexml
Microsoft windows_media_player 11
Microsoft directshow_wma_voice_codec
Microsoft windows_media_audio_voice_decoder
Microsoft audio_compression_manager
Nortel_networks symposium_express_contact_center 4.2
Nortel_networks contact_center_administration
Nortel_networks self-service-ccss7

APP:SITEMINDER-AUTH-REDIR - APP: Netegrity Siteminder Authentication Redirection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Netegrity's Siteminder application. Attackers can send a maliciously formatted hyperlink designed to trick users into believing they are logging into their Siteminder server. Instead, the hyperlink redirects the user's authentication information to a server under the attacker's control, enabling the attacker to obtain the user's login information.

Supported On:

References:

HTTP:ROBOHELP-SQL-INJ - HTTP: Adobe RoboHelp Server SQL Injection Vulnerability

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe RoboHelp Server. A successful SQL injection attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 30137
cve: CVE-2008-2991

Affected Products:

Adobe robohelp_server 6
Adobe robohelp_server 7

CHAT:MSN:PIDGIN-MSN-IO - CHAT: Pidgin MSN MSNP2P Message Integer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Pidgin MSN MSNP2P. A successful attack can lead to a integer overflow and arbitrary remote code execution within the context of the user.

Supported On:

References:

bugtraq: 29956
cve: CVE-2008-2927

Affected Products:

Pidgin pidgin 2.0.0
Adium adium 1.3
Adium adium 1.2.7
Adium adium 1.2.6
Adium adium 1.2.5
Red_hat enterprise_linux_desktop 5 Client
Ubuntu ubuntu_linux 6.06 LTS Powerpc
Red_hat enterprise_linux_optional_productivity_application 5 Server
Ubuntu ubuntu_linux 6.06 LTS Amd64
Red_hat desktop 4.0.0
Ubuntu ubuntu_linux 8.04 LTS Amd64
Ubuntu ubuntu_linux 8.04 LTS I386
Ubuntu ubuntu_linux 8.04 LTS Lpia
Ubuntu ubuntu_linux 8.04 LTS Powerpc
Ubuntu ubuntu_linux 8.04 LTS Sparc
Red_hat desktop 3.0.0
Ubuntu ubuntu_linux 7.10 Lpia
Rob_flynn gaim 0.59.8
Pidgin pidgin 2.2.1
Pidgin pidgin 2.2.0
Pidgin pidgin 2.1.0
Rob_flynn gaim 0.82.1
Rob_flynn gaim 1.0.0
Rob_flynn gaim 1.0.1
Rob_flynn gaim 1.0.2
Ubuntu ubuntu_linux 6.06 LTS I386
Rob_flynn gaim 0.59.0
Rob_flynn gaim 0.51.0
Rob_flynn gaim 0.55.0
Rob_flynn gaim 0.54.0
Rob_flynn gaim 0.53.0
Rob_flynn gaim 0.52.0
Rob_flynn gaim 1.3.1
Rob_flynn gaim 0.58.0
Rob_flynn gaim 0.57.0
Rob_flynn gaim 0.56.0
Mandriva linux_mandrake 2008.0
Mandriva linux_mandrake 2008.0 X86 64
Ubuntu ubuntu_linux 7.10 I386
Ubuntu ubuntu_linux 7.10 Powerpc
Ubuntu ubuntu_linux 7.10 Sparc
Rob_flynn gaim 1.2.0
Mandriva linux_mandrake 2008.1
Mandriva linux_mandrake 2008.1 X86 64
Pardus linux_2007
Pardus linux_2008
Rob_flynn gaim 0.78.0
Rob_flynn gaim 0.75.0
Debian linux 4.0 S/390
Rob_flynn gaim 1.2.1
Rob_flynn gaim 0.73.0
Red_hat enterprise_linux_as 3
Red_hat enterprise_linux_es 3
Rob_flynn gaim 0.72.0
Rob_flynn gaim 1.1.4
Rpath rpath_linux 1
Red_hat enterprise_linux_desktop_workstation 5 Client
Pidgin pidgin 2.4.2
Rob_flynn gaim 0.60.0
Mandriva corporate_server 3.0.0
Rob_flynn gaim 0.10.0 X
Rob_flynn gaim 0.10.3
Rob_flynn gaim 0.82.0
Gentoo linux
Ubuntu ubuntu_linux 7.10 Amd64
Debian linux 4.0 Alpha
Debian linux 4.0 Amd64
Debian linux 4.0 Arm
Debian linux 4.0 Hppa
Debian linux 4.0 Ia-32
Debian linux 4.0 Ia-64
Debian linux 4.0 M68k
Debian linux 4.0 Mips
Debian linux 4.0 Mipsel
Debian linux 4.0 Powerpc
Rob_flynn gaim 0.74.0
Debian linux 4.0 Sparc
Debian linux 4.0
Rob_flynn gaim 0.71.0
Rob_flynn gaim 0.70.0
Rob_flynn gaim 0.69.0
Rob_flynn gaim 0.68.0
Rob_flynn gaim 0.67.0
Rob_flynn gaim 0.66.0
Rob_flynn gaim 0.65.0
Rob_flynn gaim 0.64.0
Rob_flynn gaim 0.63.0
Rob_flynn gaim 0.62.0
Rob_flynn gaim 0.61.0
Rob_flynn gaim 0.77.0
Red_hat enterprise_linux_as 4
Red_hat enterprise_linux_es 4
Red_hat enterprise_linux_ws 4
Red_hat enterprise_linux Desktop Version 4
Rob_flynn gaim 0.59.1
Ubuntu ubuntu_linux 6.06 LTS Sparc
Mandriva corporate_server 3.0.0 X86 64
Rob_flynn gaim 1.1.3
Rob_flynn gaim 1.1.2
Rob_flynn gaim 1.1.1
Pidgin pidgin 2.4.1
Rob_flynn gaim 0.50.0
Rob_flynn gaim 1.3.0 .0
Pidgin pidgin 2.2.2
Pidgin pidgin 2.0.2

SPYWARE:AD:KEENVALUE - SPYWARE: KeenValue

Severity: LOW

Description:

This signature detects the runtime behavior of spyware KeenValue. This spyware tracks user Web activity and generates advertisements based on visited Web sites.

Supported On:

References:

url: http://2-spyware.com/remove-keenvalue.html

HTTP:XSS:MERCURY-BOARD - HTTP: MercuryBoard PM Tile Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against MercuryBoard, an online message board application. Attackers can craft a malicious script in the title field of a private message, which once viewed, can enable the attacker to steal authentication credentials from the affected host.

Supported On:

References:

bugtraq: 12872
cve: CVE-2005-0878

Affected Products:

Mercuryboard message_board 1.1.0
Mercuryboard message_board 1.1.1
Mercuryboard message_board 1.1.2
Mercuryboard message_board 1.0.2
Mercuryboard message_board 1.0.1
Mercuryboard message_board 1.0.0

HTTP:STC:DL:ISPVM-SYS-XCF-BOF - HTTP: ispVM System xcf File Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against ispVM System. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the affected application.

Supported On:

References:

bugtraq: 53562

Affected Products:

Lattice_semiconductor ispvm_system 18.0.2

HTTP:STC:IE:HFS-CVE-2014-6332 - HTTP: Possible EK HFS CVE-2014-6332 Attempt

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Internet Explorer. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2014-6332

Affected Products:

Microsoft windows_server_2012 r2
Microsoft windows_7 -
Microsoft windows_server_2003
Microsoft windows_server_2012 -
Microsoft windows_server_2008 r2
Microsoft windows_8.1 -
Microsoft windows_8 -
Microsoft windows_vista -
Microsoft windows_rt -
Microsoft windows_rt_8.1 -
Microsoft windows_server_2008

SPYWARE:AD:BARGAINBUDDY - SPYWARE: BargainBuddy

Severity: LOW

Description:

This signature detects the runtime behavior of spyware BargainBuddy, an adware application that runs at Windows startup. This spyware uses browser helper objects to tracks user Web activity. It also downloads and displays pop-up advertisements.

Supported On:

References:

SPYWARE:BH:DAOSEARCH - SPYWARE: DaoSearch

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware DaoSearch, a browser hijacker. This spyware modifies browser settings and redirects search results to daosearch.com. It also downloads and installs updates from its controlling server.

Supported On:

References:

url: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=132428

APP:ORACLE:BUSINESS-FLSHSVC-RCE - APP: Oracle Business Transaction Management Server FlashTunnelService Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Oracle Business Transaction Management Server. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 54870
url: http://www.securityfocus.com/archive/1/523800
bugtraq: 54839

Affected Products:

Oracle business_transaction_management_server 12.1.0.2.7

SPYWARE:AD:ZAPSPOT - SPYWARE: ZapSpot

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware ZapSpot, a game companion program. This spyware displays pop-up advertisements, tracks played games, and records viewed advertisements.

Supported On:

References:

SPYWARE:BH:COUPONBAR - SPYWARE: CouponBar

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware CouponBar, an Internet Explorer browser hijacker. This spyware modifies browser settings and displays pop-up advertisements.

Supported On:

References:

HTTP:SQLINJ-VAR-PRODUCTS - HTTP: SQL Injection Detection

Severity: MEDIUM

Description:

This signature detects specific characters, typically used in SQL, within an HTTP connection. Because these characters are not normally used in HTTP, this can indicate a SQL or command injection attack.

Supported On:

References:

cve: CVE-2016-4350

Affected Products:

Solarwinds storage_resource_monitor 6.2.1

SPYWARE:BH:BLAZEFIND - SPYWARE: BlazeFind

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware BlazeFind, an Internet Explorer browser hijacker. This spyware displays pop-up advertisements and modifies the browser settings by changing the homepage to www.blazefind.com.

Supported On:

References:

SPYWARE:TROJAN:HATREDFIEND - SPYWARE: HatredFiend

Severity: HIGH

Description:

This signature detects the runtime behavior of the spyware Hatredfiend, a remote administration tool and Trojan program. This spyware enables attackers to completely control an infected host.

Supported On:

References:

SPYWARE:KL:007SPYSOFTWARE-SMTP - SPYWARE: 007 Spy Software (SMTP)

Severity: HIGH

Description:

This signature detects the runtime behavior of the spyware 007 Spy Software, a stealth monitoring program. This spyware secretly tracks user activity and automatically sends the activity logs to an attacker through e-mail or FTP.

Supported On:

References:

SPYWARE:KL:007SPYSOFTWARE-FTP - SPYWARE: 007 Spy Software (FTP)

Severity: HIGH

Description:

This signature detects the runtime behavior of the spyware 007 Spy Software, a stealth monitoring program. This spyware secretly tracks user activity, then automatically sends the activity logs to the attacker through e-mail or FTP.

Supported On:

References:

HTTP:STC:DL:PPT-VIEWER-MEMALLOC - HTTP: Microsoft PowerPoint Viewer Memory Allocation Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft PowerPoint Viewer. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 30552
cve: CVE-2008-0120

Affected Products:

Microsoft powerpoint_viewer_2003

SPYWARE:KL:NETTRACK-SPY - SPYWARE: Nettrack-Spy

Severity: MEDIUM

Description:

This signature detects the runtime behavior of the spyware Nettrack-spy, a commercial keylogger. This spyware enables attackers to secretly record and view user Web activity.

Supported On:

References:

SPYWARE:AD:SPYWARENUKER - SPYWARE: SpyWareNuker

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware SpyWareNuker. This spyware downloads and displays pop-up advertisements, and can track Web user activity. It can also silently upgrade itself periodically by contacting its root server.

Supported On:

References:

HTTP:STC:DL:WORD-CLSID - HTTP: Microsoft Word Dangerous Embedded ClassID

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Word. A successful attack can lead to memory corruption and possibly arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2010-3329
bugtraq: 43706

Affected Products:

Avaya messaging_application_server MM 3.1
Avaya messaging_application_server 4
Avaya aura_conferencing 6.0 Standard
Avaya messaging_application_server
Microsoft internet_explorer 7.0
Microsoft internet_explorer 7.0
Avaya aura_conferencing Standard
Microsoft internet_explorer 8
Avaya messaging_application_server 5
Avaya messaging_application_server MM 2.0
Avaya messaging_application_server MM 1.1
Avaya callpilot
Avaya meeting_exchange-client_registration_server
Avaya meeting_exchange-recording_server
Avaya meeting_exchange-streaming_server
Avaya meeting_exchange-web_conferencing_server
Avaya meeting_exchange-webportal
Avaya communication_server_1000_telephony_manager
Avaya messaging_application_server MM 3.0

HTTP:XSS:SUBRION-CMS - HTTP: Subrion CMS Cross Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known cross-site scripting vulnerability in the Subrion CMS. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

References:

cve: CVE-2012-4771
bugtraq: 55502
cve: CVE-2011-5211
cve: CVE-2012-5452

Affected Products:

Intelliants subrion_cms 2.2.1
Intelliants subrion_cms up to 2.2.2
Intelliants subrion_cms 2.0.4
Intelliants subrion_cms 2.2.0

SPYWARE:BH:STUMBLEUPON - SPYWARE: StumbleUpon

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware StumbleUpon, an Internet Explorer browser hijacker. This spyware modifies browser settings and displays pop-up advertisements.

Supported On:

References:

HTTP:STC:DL:MS-PUBLISHER-MC - HTTP: Microsoft Office Publisher Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office Publisher. A successful attack can lead to memory corruption and arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 26982
cve: CVE-2007-6534
bugtraq: 22724
cve: CVE-2011-3411
bugtraq: 50949
url: https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/
url: https://www.pentestpartners.com/blog/pwning-cctv-cameras/

Affected Products:

Microsoft publisher_2007
Microsoft publisher_2002
Microsoft publisher_99
Microsoft publisher_2003
Microsoft publisher_2002 SP3
Microsoft publisher_2000

SPYWARE:AD:HOTBOTDESKBAR - SPYWARE: HotBot Quick Search Deskbar

Severity: LOW

Description:

This signature detects the runtime behavior of HotBot Quick Search Deskbar. After installation, this spyware installs other adware applications on the host.

Supported On:

References:

HTTP:STC:DL:PPT-TXMASTERSTYLE - HTTP: Microsoft Powerpoint TxMasterStyle10Atom Processing Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Powerpoint. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 30579
cve: CVE-2008-1455

Affected Products:

Microsoft powerpoint_2007
Microsoft powerpoint_2000 SP3
Microsoft office_compatibility_pack_2007 SP1
Microsoft powerpoint_2007 SP1
Microsoft powerpoint_2002 SP3
Microsoft office_2004_for_mac
Microsoft powerpoint_2003 SP2
Microsoft powerpoint_2003 SP3
Microsoft office_compatibility_pack_2007

SPYWARE:AD:IZITOTOOLBAR - SPYWARE: iZito Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of iZito toolbar, a meta search engine. This spyware collects personal information and generates keyword-related advertising by prepending the phrase "sponsored by:" to some URLs of search results.

Supported On:

References:

url: http://www.izito.com

SPYWARE:BH:CNSMIN-3721 - SPYWARE: CnsMin-3721

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware CnsMin-3721, an Internet Explorer browser hijacker. This spyware replaces the IE search feature with a Chinese search site. It also downloads and installs code from its controlling server.

Supported On:

References:

SPYWARE:AD:EZULA-TOPTEXT - SPYWARE: EZula-TopText

Severity: LOW

Description:

This signature detects the runtime behavior of spyware eZula-Toptext. This spyware modifies browser behavior to highlight and add hyperlinks to the most frequently searched keywords. These links redirect users to advertiser's sites. It also downloads and installs updates from its controlling server.

Supported On:

References:

SPYWARE:AD:TRELLIANTOOLBAR - SPYWARE: TrellianToolbar

Severity: LOW

Description:

This signature detects the runtime behavior of Trellian Toolbar. Trellian Toolbar provides additional search functionality. It changes browser settings and collects information about user's online behavior.

Supported On:

References:

url: http://www.femail.com.au/toolbar.htm
url: http://www.trellian.net/toolbar/

SPYWARE:AD:ESYNDICATE - SPYWARE: eSyndicate

Severity: LOW

Description:

This signature detects the runtime behavior of spyware eSyndicate. ESyndicate is an adware application. Once installed, it generates unsolicited pop-up advertisements.

Supported On:

References:

SPYWARE:AD:ALTAVISTATOOLBAR - SPYWARE: AltaVistaToolbar

Severity: INFO

Description:

This signature detects the runtime behavior of spyware AltaVista Toolbar. AltaVista Toolbar collects user's personal information that includes IP address, cookie information, and surfing habits.

Supported On:

References:

url: http://www.altavista.com/about/privacy

SPYWARE:AD:STARWARETOOLBAR - SPYWARE: Starware Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware Starware toolbar. Starware toolbar generates pop-up advertisements and reports user's browsing habits to its controlling server.

Supported On:

References:

APP:HP-PROCRVE-MANAGER-CE - APP: HP ProCurve Manager EJBInvokerServlet or JMXInvokerServlet Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against HP ProCurve Manager. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 62347
cve: CVE-2013-4810
cve: CVE-2013-2185

Affected Products:

Hp application_lifecycle_management -
Hp procurve_manager 4.0 (:~~~plus~~)
Hp procurve_manager 3.20 (:~~~plus~~)
Hp identity_driven_manager 4.0

SPYWARE:AD:MIDADDLE - SPYWARE: MidAddle

Severity: LOW

Description:

This signature detects the runtime behavior of MidAddle, an adware application. This spyware displays advertisements during Web page transitions and periodically updates itself.

Supported On:

References:

HTTP:SUN-GLASSFISH-AUTH-BP - HTTP: Sun Goldfish AUthentication Bypass

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Sun Goldfish. A successful exploit can lead to Authentication Bypass.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2011-0807

Affected Products:

Oracle glassfish_server 2.1.1
Oracle glassfish_server 3.0.1
Oracle glassfish_server 2.1
Sun java_system_application_server 9.1

HTTP:MISC:DLINK-INFOCGI-BO - HTTP: D-Link info.cgi POST Request Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in DLink device daemon. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of server.

Supported On:

References:

url: http://www.devttys0.com/2014/05/hacking-the-dspw215-again/'

HTTP:MISC:APSTRUTS-DEV-EXEC - HTTP: Apache Struts 2 Developer Mode OGNL Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Apache Strusts 2. A successful attack can lead to arbitrary code execution.

Supported On:

References:

Affected Products:

Apache struts 2.0.3
Apache struts 2.0.11.1
Apache struts 2.0.2
Apache struts 2.0.11
Apache struts 2.0.11.2
Apache struts 2.1.0
Apache struts 2.0.10
Apache struts 2.1.1
Apache struts 2.0.13
Apache struts 2.1.2
Apache struts 2.0.12
Apache struts 2.1.3
Apache struts 2.1.4
Apache struts 2.1.5
Apache struts 2.1.6
Apache struts 2.0.9
Apache struts 2.0.8
Apache struts 2.1.8
Apache struts 2.1.8.1
Apache struts 2.2.1.1
Apache struts 2.0.5
Apache struts 2.0.4
Apache struts 2.2.3
Apache struts 2.0.7
Apache struts 2.0.6
Apache struts 2.2.1
Apache struts 2.0.1
Apache struts 2.0.14
Apache struts 2.0.0

SPYWARE:AD:GABESTMEDIAPLAYER - SPYWARE: Gabest Media Player Classic

Severity: LOW

Description:

This signature detects the runtime behavior of Gabest Media Player Classic, an adware application. This spyware displays pop-up advertisements and periodically updates itself.

Supported On:

References:

HTTP:MISC:ES-GROOVY-CODEEXEC - HTTP: ElasticSearch Search Groovy Sandbox Bypass

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against ElasticSearch. A successful attack can lead to arbitrary code execution.

Supported On:

References:

Affected Products:

Elasticsearch elasticsearch 1.4.0
Elasticsearch elasticsearch 1.4.1
Elasticsearch elasticsearch 1.4.2
Elasticsearch elasticsearch 1.3.7

HTTP:STC:DL:XLS-RTWINDOW - HTTP: Microsoft Excel rtWindow1 Record Handling Code Execution

Severity: HIGH

Description:

A memory corruption vulnerability exists in the way Microsoft Excel handles XLS files that contain invalid values within the rtWindow1 records. A remote attacker can exploit this vulnerability by persuading a target user to open a specially crafted XLS file, potentially causing arbitrary code to be injected and executed in the security context of the logged in user. An attack targeting this vulnerability can result in the injection and execution of code. If code execution is successful, the behaviour of the target will depend on the intention of the attacker. Any code injected will be executed within the security context of the currently logged in user. In the case of an unsuccessful code execution attack, Excel will terminate resulting in the loss of any unsaved data from the current session.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 22555
cve: CVE-2007-3029

Affected Products:

Microsoft excel_2003 SP1
Avaya customer_interaction_express_(cie)_user_interface 1.0.2
Microsoft excel_2002 SP3
Microsoft office_2004_for_mac
Microsoft excel_2002
Avaya customer_interaction_express_(cie)_user_interface 1.0
Microsoft excel_2003 SP3
Microsoft excel_2003 SP2
Microsoft excel_2002 SP1
Microsoft excel_2002 SP2
Microsoft excel_2003

HTTP:STC:DL:MS-WMF-PARSE - HTTP: Microsoft Windows Graphics Rendering Engine WMF Parsing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Graphics Rendering Engine (GRE) component of Microsoft Windows. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

References:

bugtraq: 31021
cve: CVE-2008-3014

Affected Products:

Microsoft windows_xp_professional
Microsoft windows_xp_home
Microsoft office_compatibility_pack_2007 SP1
Microsoft internet_explorer 6.0 SP1
Nortel_networks media_processing_svr_100
Nortel_networks self-service_mps_100
Nortel_networks self-service_mps_500
Microsoft windows_server_2003_x64 SP2
Nortel_networks self-service_speech_server
Nortel_networks contact_center-tapi_server
Symantec backup_exec_for_windows_servers 11D
Hitachi jp1/veritas_backup_exec_11d_(windows) 08-04
Hitachi jp1/veritas_backup_exec_11d_(windows) 08-03
Hitachi jp1/veritas_backup_exec_11d_(windows) 08-01
Hitachi jp1/veritas_backup_exec_11d_(windows) 08-00
Hitachi jp1/veritas_backup_exec_11d_(windows) 08-02
Hitachi jp1/veritas_backup_exec_12_(windows) 08-51
Hitachi jp1/veritas_backup_exec_12_(windows) 08-50
Hitachi jp1/veritas_backup_exec_12_(windows) 08-52
Nortel_networks self-service_ccxml
Nortel_networks self_service_voicexml
Microsoft office_2007 SP1
Microsoft windows_server_2008_datacenter_edition
Microsoft windows_server_2008_enterprise_edition
Microsoft windows_server_2008_standard_edition
Microsoft windows_vista Business SP1
Microsoft windows_vista Home Basic SP1
Microsoft windows_vista Home Premium SP1
Microsoft windows_vista Enterprise SP1
Microsoft windows_vista Ultimate SP1
Microsoft windows_vista_business_64-bit_edition SP1
Microsoft windows_vista_enterprise_64-bit_edition SP1
Microsoft windows_vista_home_basic_64-bit_edition SP1
Microsoft windows_vista_home_premium_64-bit_edition SP1
Microsoft windows_vista_ultimate_64-bit_edition SP1
Microsoft windows_server_2003_x64 SP1
Symantec backup_exec_for_windows_servers 12.0
Microsoft windows_vista_x64_edition
Microsoft windows_server_2003_web_edition SP2
Microsoft windows_xp_professional_x64_edition SP2
Microsoft windows_server_2003_itanium
Microsoft windows_server_2003_itanium SP1
Microsoft windows_server_2003_itanium SP2
Microsoft windows_server_2003_datacenter_x64_edition SP2
Microsoft windows_server_2003_enterprise_x64_edition SP2
Microsoft windows_server_2003_standard_edition SP2
Nortel_networks ensm-enterprise_nms 10.4
Nortel_networks ensm-enterprise_nms 10.5
Hp storage_management_appliance 2.1
Microsoft digital_image_suite 2006
Research_in_motion blackberry_unite! 1.0
Microsoft sql_server_2000_reporting_services SP2
Microsoft report_viewer_2005 SP1
Microsoft report_viewer_2008
Research_in_motion blackberry_enterprise_server 4.0.3
Microsoft groove_2007 SP1
Microsoft forefront_client_security 1.0
Microsoft sql_server_2005_x64_edition SP2
Microsoft sql_server_2005_itanium_edition SP2
Microsoft sql_server_2005_express_edition SP2
Microsoft sql_server_2005_express_edition_with_advanced_serv SP2
Microsoft sql_server_2005_x64_edition SP1
Microsoft sql_server_2005_itanium_edition SP1
Microsoft sql_server_2005_express_edition SP1
Microsoft sql_server_2005_express_edition_with_advanced_serv SP1
Microsoft sql_server_2005
Microsoft sql_server_2005_express_edition
Microsoft sql_server_2005_itanium_edition
Microsoft windows_xp_media_center_edition
Microsoft windows_server_2003_standard_x64_edition
Microsoft office_2003 SP3
Microsoft windows_vista_x64_edition SP1
Microsoft windows_xp_professional SP1
Microsoft windows_xp_64-bit_edition
Microsoft windows_xp_home SP1
Microsoft office_2003 SP1
Microsoft windows_xp_professional SP3
Microsoft windows_xp_media_center_edition SP3
Microsoft windows_xp_home SP3
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_datacenter_edition_itanium SP1
Microsoft visio_2002 SP1
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft office_2003
Microsoft project_2002 SP1
Microsoft word_viewer_2003
Microsoft visio_2002 SP2
Microsoft windows_server_2003_enterprise_edition
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_server_2003_enterprise_edition_itanium
Microsoft windows_server_2003_datacenter_edition_itanium
Microsoft visio_2002_professional SP2
Microsoft visio_2002_standard SP2
Microsoft sql_server_2005 SP2
Microsoft office_xp SP2
Microsoft windows_server_2003_enterprise_edition_itanium SP1
Microsoft office_excel_viewer_2003
Microsoft windows_xp_64-bit_edition SP1
Nortel_networks contact_center_ncc
Microsoft project_2002
Microsoft office_xp SP1
Nortel_networks callpilot 703T
Nortel_networks callpilot 702T
Nortel_networks contact_center_administration
Microsoft windows_vista SP1
Hitachi jp1/veritas_backup_exec_11d_(windows) 08-05
Microsoft windows_server_2003 SP1
Microsoft windows_server_2003 SP2
Microsoft windows_xp_gold
Nortel_networks media_processing_svr_1000_rel 3.0
Nortel_networks media_processing_svr_500_rel 3.0
Nortel_networks self-service-ccss7
Microsoft works 8.0
Microsoft visio_2002
Microsoft powerpoint_viewer_2003
Microsoft windows_xp_home SP2
Microsoft windows_xp_professional SP2
Microsoft windows_xp_media_center_edition SP1
Microsoft windows_xp_media_center_edition SP2
Microsoft internet_explorer 6.0
Microsoft windows_vista Home Basic
Research_in_motion blackberry_professional_software 4.1.4
Research_in_motion blackberry_enterprise_server 4.1.6
Microsoft expression_web 2
Microsoft office_2003 SP2
Microsoft excel_viewer
Microsoft sql_server_2005 SP1
Microsoft word_viewer_2003 SP3
Microsoft office_excel_viewer_2003 SP3
Microsoft excel_viewer_2007
Microsoft powerpoint_viewer_2007
Microsoft powerpoint_viewer_2007 SP1
Nortel_networks self-service_peri_workstation
Nortel_networks contact_center_manager_server
Microsoft office_xp SP3
Nortel_networks self-service_wvads
Microsoft office_compatibility_pack_2007
Microsoft windows_vista Ultimate
Microsoft windows_vista Home Premium
Nortel_networks callpilot 1002Rp
Microsoft windows_vista Business
Microsoft windows_vista Enterprise
Microsoft windows_server_2003_standard_edition
Research_in_motion blackberry_enterprise_server 4.1.3
Microsoft office_xp
Nortel_networks contact_center_express
Microsoft windows_server_2003_enterprise_x64_edition
Nortel_networks self-service_mps_1000
Nortel_networks enterprise_network_management_system
Microsoft windows_xp_professional_x64_edition
Microsoft expression_web
Microsoft windows_vista_business_64-bit_edition
Microsoft windows_vista_enterprise_64-bit_edition
Microsoft windows_vista_home_basic_64-bit_edition
Microsoft windows_vista_home_premium_64-bit_edition
Microsoft windows_vista_ultimate_64-bit_edition
Microsoft windows_vista
Microsoft office_2007
Microsoft groove_2007
Microsoft windows_server_2003_datacenter_x64_edition
Research_in_motion blackberry_enterprise_server 4.1.4
Research_in_motion blackberry_enterprise_server 4.1.5
Hp storage_management_appliance I
Hp storage_management_appliance II
Hp storage_management_appliance III
Microsoft windows_server_2008_for_32-bit_systems
Microsoft windows_server_2008_for_x64-based_systems
Microsoft windows_server_2008_for_itanium-based_systems
Research_in_motion blackberry_unite! 1.0.1
Research_in_motion blackberry_unite! 1.0.1 Bundle 36
Microsoft windows_xp

SPYWARE:KL:SPYOUTSIDE-SMTP - SPYWARE: Spyoutside (smtp)

Severity: HIGH

Description:

This signature detects the runtime behavior of the spyware Spyoutside, a keylogger. This spyware records user mouse events, Web browsing, system events, keystrokes, and screen captures, then sends that data to its controlling servers using e-mail or FTP.

Supported On:

References:

HTTP:PHP:PHPNUKE:BOOKMARK-SQL - HTTP: PhpNuke SQL Injection via Bookmark

Severity: MEDIUM

Description:

This signature detects an SQL injection attack against PHP Nuke. PHPNuke 5.0.2 and earlier version are vulnerable. Attackers can exploit the Bookmark module.

Supported On:

References:

cve: CVE-2005-0901

HTTP:XSS:PHPNUKE-BOOKMARKS - HTTP: PHP-Nuke Cross Site Script Attack via Bookmark

Severity: MEDIUM

Description:

This signature detects a cross site script attack against PHPNuke. PHPNuke 5.0.2 and earlier versions are vulnerable. Attackers can exploit the bookmark module.

Supported On:

References:

cve: CVE-2005-0902

HTTP:MISC:BEETEL-TC1-450-CSRF - HTTP: Beetel TC1-450 Wireless Router Cross Site Request Forgery

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Beetel TC1-450 Wireless Router. A successful attack can lead to cross-site request forgery attacks and unauthorized session hijack.

Supported On:

References:

url: http://www.beetel.in/node/10139

SPYWARE:RAT:THEEF-2.0-CGI - SPYWARE: Theef 2.0 CGI Notification

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware Theef 2.0, a remote administration tool. This spyware enables remote attackers to control an infected host.

Supported On:

References:

HTTP:CGI:SUPERMICRO-BOF - HTTP: Supermicro Onboard IPMI close_window.cgi Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Supermicro. A successful attack allows the attacker to execute arbitrary code within the context of the server.

Supported On:

References:

Affected Products:

Supermicro intelligent_platform_management_firmware up to 2.26 (-:~-~-~-~x9_generation_motherboards~)
Supermicro intelligent_platform_management_firmware 2.24 (-:~-~-~-~x9_generation_motherboards~)

SPYWARE:RAT:ROACH10-INITIALRESP - SPYWARE: Roach1-0 Initial Server Response

Severity: CRITICAL

Description:

This signature detects the runtime behavior of spyware Roach1.0, a remote administration tool. This spyware enables remote attackers to control an infected host.

Supported On:

References:

SPYWARE:AD:EARTHLINKTOOLBAR - SPYWARE: Earthlink Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware Earthlink Toolbar. This spyware records user system information at Internet Explorer startup, then sends the data to its controlling server. It also downloads updated links to display on its toolbar.

Supported On:

References:

SPYWARE:RAT:AIR - SPYWARE: Air

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware AIR, a Web-based remote administration tool. This spyware enables remote attackers to control an infected host.

Supported On:

References:

url: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076794

TROJAN:OLDBAIT-CHOSTICK-CHECKIN - TROJAN: OLDBAIT And Chopstick Checkin

Severity: HIGH

Description:

This signature detects the Command and Control traffic for the OLDBAIT And Chopstick trojan. The source IP host is infected and should be removed from the network for analysis.

Supported On:

References:

url: https://www.fireeye.com/resources/pdfs/apt28.pdf

HTTP:PHP:PHPBB:DL-SQL-INJ - HTTP: phpBB Download Module SQL Injection

Severity: MEDIUM

Description:

This signature detects attacks against the download module of phpBB community web service.

Supported On:

References:

url: http://www.juniper.net/security/auto/vulnerabilities/vuln2666.html

HTTP:CISCO:NET-FILE-UPLOAD - HTTP: Cisco Prime Data Center Network Manager Arbitrary File Upload

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in the Cisco Prime Data Center Network Manager. It is due to lack of authentication and insufficient input validation in the processImageSave.jsp when processing HTTP requests. A remote unauthenticated attacker can upload arbitrary files to arbitrary locations. In a successful attack scenario, the attacker can execute arbitrary code with SYSTEM privileges by placing executable files in critical locations.

Supported On:

References:

bugtraq: 62484
cve: CVE-2013-5486
url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm

Affected Products:

Cisco prime_data_center_network_manager 5.1(3u)
Cisco prime_data_center_network_manager 4.2(1)
Cisco prime_data_center_network_manager 5.0(3)
Cisco prime_data_center_network_manager 5.0(2)
Cisco prime_data_center_network_manager 4.2(3)
Cisco prime_data_center_network_manager 5.2(2c)
Cisco prime_data_center_network_manager 4.1(5)
Cisco prime_data_center_network_manager 4.1(2)
Cisco prime_data_center_network_manager 5.2(2b)
Cisco prime_data_center_network_manager 5.2(2e)
Cisco prime_data_center_network_manager 4.1(3)
Cisco prime_data_center_network_manager 5.1(1)
Cisco prime_data_center_network_manager 5.1(2)
Cisco prime_data_center_network_manager 4.1(4)
Cisco prime_data_center_network_manager 5.2(2)
Cisco prime_data_center_network_manager up to 6.1(1b)
Cisco prime_data_center_network_manager 6.1(1a)
Cisco prime_data_center_network_manager 5.2(2a)

SPYWARE:TROJAN:HELIOS-ICQNOTIFY - SPYWARE: HelioS3.1 ICQ Notification

Severity: CRITICAL

Description:

This signature detects the runtime behavior of spyware HelioS3.1, a Trojan program. This spyware opens a configurable port on an infected host, then sends special commands through that port to enable remote attackers to control the host.

Supported On:

References:

HTTP:PHP:BZOPEN-OF - HTTP: PHP BZOPEN Function Overflow

Severity: INFO

Description:

This signature detects traffic that uses the BZOPEN function in PHP. PHP 5.0.3 and earlier versions are vulnerable. Attackers can use the common function BZOPEN to create a denial of service or execute remote code.

Supported On:

References:

url: http://www.php.net/ChangeLog-5.php#5.0.4

HTTP:PHP:GLOBALS-INJ - HTTP: PHP GLOBALS Variable Overwrite

Severity: MEDIUM

Description:

This signature detects attempts to misuse the PHP GLOBALS variable. PHP 5.0.3 and earlier versions are vulnerable. Attackers can overwrite the GLOBALS variable.

Supported On:

References:

url: http://www.php.net/ChangeLog-5.php#5.0.4
url: http://www.net-security.org/vuln.php?id=4116
bugtraq: 15250
cve: CVE-2005-3390

Affected Products:

Turbolinux turbolinux_workstation 8.0.0
Php php 4.0.3 Pl1
Turbolinux turbolinux_workstation 7.0.0
Avaya messaging_storage_server
Avaya message_networking
Php php 3.0.10
Php php 5.0.2
Php php 3.0.18
Php php 5.0.5
Hp system_management_homepage 2.0.0
Hp system_management_homepage 2.0.1
Hp system_management_homepage 2.0.2
Suse linux_personal 9.0.0 X86 64
Suse unitedlinux 1.0.0
Suse suse_linux_school_server_for_i386
Suse open-enterprise-server 9.0.0
Red_hat fedora Core1
Red_hat desktop 3.0.0
Suse linux_personal 9.3.0 X86 64
Php php 4.3.0
Suse linux_professional 8.2.0
Php php 4.3.9
Php php 4.3.10
Suse linux_professional 10.0.0 OSS
Php php 3.0.1
Php php 3.0.2
Php php 3.0.3
Php php 3.0.4
Php php 3.0.5
Php php 3.0.6
Php php 3.0.7
Red_hat fedora Core2
Php php 3.0.9
Turbolinux turbolinux_server 8.0.0
Php php 3.0.11
Php php 3.0.12
Php php 3.0.13
Red_hat desktop 4.0.0
Suse suse_linux_enterprise_server 8
Suse linux_openexchange_server
Openpkg openpkg 2.5.0
Mandriva corporate_server 2.1.0
Mandriva linux_mandrake 10.2.0
Mandriva linux_mandrake 10.2.0 X86 64
Php php 4.2.0 .0
Red_hat enterprise_linux_ws 2.1 IA64
Red_hat enterprise_linux_as 2.1 IA64
Red_hat enterprise_linux_es 2.1 IA64
Php php 4.2.1
Red_hat fedora Core3
Suse linux_personal 9.1.0
Red_hat linux 7.3.0 I386
Php php 4.2.3
Red_hat linux 9.0.0 I386
Hp system_management_homepage 2.1.2
Openpkg openpkg 2.3.0
Suse linux_enterprise_server_for_s/390 9.0.0
Php php 4.3.4
Mandriva multi_network_firewall 2.0.0
Suse linux_professional 9.1.0
Turbolinux appliance_server_hosting_edition 1.0.0
Turbolinux appliance_server_workgroup_edition 1.0.0
Hp system_management_homepage 2.1.0
Php php 5.0.4
Php php 4.3.11
Php php 5.0.1
Php php 5.0.0 Candidate 2
Mandriva linux_mandrake 2006.0.0
Mandriva linux_mandrake 2006.0.0 X86 64
Mandriva linux_mandrake 10.1.0 X86 64
Suse linux_personal 8.2.0
Red_hat enterprise_linux_as 2.1
Red_hat enterprise_linux_es 2.1
Red_hat enterprise_linux_ws 2.1
E107 e107_website_system 0.7.5
Mandriva corporate_server 2.1.0 X86 64
Openpkg openpkg Current
Php php 4.0.7
Php php 4.0.2
Php php 4.2.0 -Dev
Php php 3.0.0 .10
Php php 3.0.0 .11
Php php 3.0.0 .12
Php php 3.0.0 .13
Php php 3.0.14
Php php 3.0.15
Php php 3.0.0 .16
Php php 4.0.7 RC2
Suse linux_desktop 1.0.0
Php php 4.0.7 RC3
Red_hat fedora Core4
Red_hat advanced_workstation_for_the_itanium_processor 2.1.0 IA64
Php php 3.0.17
Red_hat enterprise_linux_as 3
Red_hat enterprise_linux_es 3
Red_hat enterprise_linux_ws 3
Red_hat enterprise_linux_as 4
Php php 4.0.7 RC1
Suse linux_professional 9.2.0 X86 64
Openpkg openpkg 2.4.0
Php php 4.0.1 Pl1
Suse suse_linux_openexchange_server 4.0.0
Suse suse_linux_retail_solution 8.0.0
Suse suse_linux_standard_server 8.0.0
Suse linux_professional 9.0.0
Suse linux_personal 9.2.0
Suse linux_professional 9.2.0
Suse linux_professional 9.3.0
Suse linux_professional 9.3.0 X86 64
Php php 4.3.1
Suse linux_professional 9.1.0 X86 64
Suse linux_professional 9.0.0 X86 64
Trustix secure_linux 2.2.0
Php php 4.1.1
Mandriva corporate_server 3.0.0
Php php 3.0.0 0
Php php 4.0.0 0
Php php 4.3.2
Trustix secure_enterprise_linux 2.0.0
Php php 4.3.5
Php php 4.3.7
Suse novell_linux_desktop 9.0.0
Hp system_management_homepage 2.1.3 .132
Red_hat stronghold 4.0.0
Php php 4.0.5
Php php 4.0.6
Gentoo linux
Trustix secure_linux 3.0.0
Ubuntu ubuntu_linux 5.0.0 4 Powerpc
Sgi propack 3.0.0 SP6
Ubuntu ubuntu_linux 5.0.0 4 Amd64
Php php 4.2.2
Turbolinux turbolinux_server 10.0.0
Turbolinux appliance_server 1.0.0 Hosting Edition
Turbolinux appliance_server 1.0.0 Workgroup Edition
Red_hat advanced_workstation_for_the_itanium_processor 2.1.0
Suse linux_personal 9.3.0
Mandriva linux_mandrake 10.1.0
Php php 5.0.0 Candidate 1
Suse suse_linux_enterprise_server 9
Ubuntu ubuntu_linux 5.10.0 Amd64
Ubuntu ubuntu_linux 5.10.0 I386
Ubuntu ubuntu_linux 5.10.0 Powerpc
Php php 5.0.0 Candidate 3
Php php 4.3.8
Php php 5.0.0 .0
Red_hat enterprise_linux_ws 4
Php php 4.3.3
Php php 4.3.6
Suse linux_personal 9.0.0
Php php 5.0.3
Suse linux_personal 9.2.0 X86 64
Suse linux_personal 9.1.0 X86 64
Suse linux_personal 10.0.0 OSS
Php php 3.0.16
Php php 4.0.1
Php php 4.0.1 Pl2
Php php 4.4.0 .0
Php php 4.0.4
Avaya intuity LX
Mandriva corporate_server 3.0.0 X86 64
Php php 4.1.0 .0
Php php 4.1.2
Red_hat enterprise_linux_es 4
Suse linux_professional 10.0.0
Php php 3.0.8
Php php 4.0.3
Hp system_management_homepage 2.1.1
Ubuntu ubuntu_linux 5.0.0 4 I386
Hp system_management_homepage 2.1.3
Hp system_management_homepage 2.1.4
Turbolinux turbolinux_server 7.0.0

VIRUS:POP3:SOBER-K - VIRUS: Sober.K in POP3 Traffic

Severity: LOW

Description:

This signature detects the Sober.K virus as a POP3 attachment. Sober.K, a mass-mailing virus, entices users to open an attachment that is an executable file disguised as a text document.

Supported On:

References:

HTTP:STC:DL:CRYSTAL-RPT-OLE - HTTP: Microsoft Visual Studio Crystal Reports RPT File Handling Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft Visual Studio. A successful attack can lead to a arbitrary remote code execution within the context of the application.

Supported On:

References:

bugtraq: 21261
cve: CVE-2006-6133

Affected Products:

Business_objects crystal_reports_xi_professional
Business_objects business_objects_enterprise XIr2
Business_objects crystal_reports_for_visual_studio_.net_2005 10.2
Business_objects crystal_reports_for_visual_studio_.net_2003
Business_objects crystal_reports_for_visual_studio_.net_2002
Microsoft visual_studio_.net_2003_enterprise_architect
Microsoft visual_studio_2005_team_edition_for_testers
Microsoft visual_studio_2005
Microsoft visual_studio_.net_professional_edition
Microsoft visual_studio_.net_enterprise_architect_edition
Microsoft visual_studio_.net_enterprise_developer_edition
Microsoft visual_studio_.net_academic_edition
Microsoft visual_studio_.net_2002 SP1
Microsoft visual_studio_.net_2003 SP1
Microsoft visual_studio_2005_team_edition
Business_objects crystal_enterprise 10.0.0
Microsoft visual_studio_.net_2003
Microsoft visual_studio_2005_standard_edition
Microsoft visual_studio_2005_professional_edition
Microsoft visual_studio_2005_team_edition_for_developers
Microsoft visual_studio_2005_team_edition_for_architects
Business_objects businessobjects_enterprise_xi
Microsoft visual_studio_2005 SP1
Microsoft visual_studio_.net_2002

SPYWARE:RAT:FEAR2-0 - SPYWARE: Fear2-0

Severity: CRITICAL

Description:

This signature detects the runtime behavior of spyware Fear v2.0, a remote administration tool. This spyware enables remote attackers to control an infected host.

Supported On:

References:

SPYWARE:RAT:ANALRAPE-ICQ-NOTIFY - SPYWARE: Anal Rape 1.0 ICQ Notification

Severity: CRITICAL

Description:

This signature detects the runtime behavior of spyware Anal Rape 1.0, a remote administration tool. This spyware enables remote attackers to control an infected host.

Supported On:

References:

url: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075845

SPYWARE:GM:TWISTER - SPYWARE: Twister

Severity: LOW

Description:

This signature detects the runtime behavior of Twister, a free program for finding and downloading MP3 and other music files on the Internet. After installation, this spyware also downloads and installs other spyware applications.

Supported On:

References:

APP:HPOV:NNM-LOGIN-BOF - APP: HP OpenView Network Node Manager ovsessionmgr.exe Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against HP OpenView Network Node Manager (NNM). The vulnerability is due to a boundary error in ovsessionmgr.exe when processing the 'userid' and 'passwd' parameters sent in an HTTP POST request. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to a target server, potentially causing arbitrary code to be injected and executed in the security context of the SYSTEM user. In an attack scenario, where arbitrary code is injected and executed on the target machine, the behavior of the target is dependent on the logic of the malicious code.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 37330
bugtraq: 37295
cve: CVE-2009-3846
cve: CVE-2009-4176

Affected Products:

Hp openview_network_node_manager 7.53
Hp openview_network_node_manager 7.01
Hp openview_network_node_manager 7.50
Hp openview_network_node_manager 7.51
Hp openview_network_node_manager 7.50.0 HP-UX 11.X
Hp openview_network_node_manager 7.50.0 Solaris
Hp openview_network_node_manager 7.50.0 Windows 2000/XP
Hp openview_network_node_manager 7.50.0 Linux
Hp openview_network_node_manager 7.50.0

SPYWARE:RAT:ANALFTP - SPYWARE: AnalFTP

Severity: CRITICAL

Description:

This signature detects the runtime behavior of spyware AnalFTP, a remote administration tool. This spyware enables remote attackers to make FTP connections to an infected computer and execute general commands and executable files on the system.

Supported On:

References:

SPYWARE:RAT:MINIOBLIVION - SPYWARE: MiniOblivion

Severity: CRITICAL

Description:

This signature detects the runtime behavior of spyware MiniOblivion, a remote administration tool. This spyware enables remote attackers to connect to an infected host, then upload and run arbitrary files.

Supported On:

References:

HTTP:STC:DL:XLS-MDXTUPLE-BIFF - HTTP: Microsoft Office Excel MDXTUPLE Record Heap Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known buffer overflow vulnerability in Microsoft Office Excel. It is due to a flaw while parsing MDXTUPLE BIFF records. Remote attackers can exploit this by enticing target users to open a malicious Excel file, potentially causing arbitrary code to be injected and executed in the security context of the currently logged on user. In an successful attack, the behavior of the target is dependent on the logic of the malicious code. In an unsuccessful attack, the vulnerable application can terminate abnormally.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 38551
cve: CVE-2010-0260

Affected Products:

Microsoft excel_2007
Microsoft office_compatibility_pack_2007 SP2
Microsoft office_compatibility_pack_2007 SP1
Microsoft excel_viewer
Microsoft office_compatibility_pack_2007
Microsoft excel_2007 SP1
Microsoft excel_2007 SP2
Microsoft excel_viewer SP1
Microsoft excel_viewer SP2

P2P:MISC:MEDIASEEK-PL-CLIENT - P2P: MediaSeek-pl Client

Severity: LOW

Description:

This signature detects the runtime behavior of MediaSeek.pl Client, a P2P file-sharing application. This spyware contains a Web-based interface that enables users to search for and download MP3 files. It also displays advertisements and installs other spyware, such as Gator, on the host.

Supported On:

References:

SPYWARE:GM:ALBUMGALAXY - SPYWARE: Album Galaxy

Severity: LOW

Description:

This signature detects the runtime behavior of Album Galaxy, an P2P MP3 file-sharing application. This spyware generates pop-up advertisements and installs other spyware, such as Bargain Buddy and WeatherCast.

Supported On:

References:

SPYWARE:TROJAN:SANDESA-ICQNOTIF - SPYWARE: Sandesa

Severity: MEDIUM

Description:

This signature detects the runtime behavior of spyware Sandesa, a Trojan downloader. This spyware downloads and executes files from a predefined Web site. It also sends an ICQ message to notify a remote attacker that the Trojan was executed.

Supported On:

References:

SPYWARE:AD:PACIMEDIA - SPYWARE: Pacimedia

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware Pacimedia, an adware application. After installation, this spyware downloads and installs other adware and spyware, such as BookedSpace, BargainBuddy, Ebates Moneymaker, VirtualBouncer, ExactSearchBar, and EliteBar.

Supported On:

References:

APP:HPOV:CVE-2010-0447-RCE - APP: HP Performance Insight Helpmanager Servlet Remote Code Execution

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against HP OpenView. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2010-0447

Affected Products:

Hp openview_performance_insight up to 5.4

SPYWARE:KL:EYESPYPRO - SPYWARE: Eye Spy Pro

Severity: CRITICAL

Description:

This signature detects the runtime behavior of spyware Eye Spy Pro, a keylogger. This spyware records all keystrokes typed by a user, takes screen captures, and e-mails log files.

Supported On:

References:

SPYWARE:DM:MYNAPSTER - SPYWARE: MyNapster

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware MyNapster. This spyware generates advertisements, uses a BFast tracking cookie to monitor user Web activity, and gathers personal information.

Supported On:

References:

SPYWARE:BH:EXCITESEARCHBAR - SPYWARE: Excite Search Bar

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware Excite Search Bar, an Internet Explorer browser hijacker. This spyware generates pop-up advertisements periodically.

Supported On:

References:

HTTP:STC:MOZILLA:XBL-TAG-RM - HTTP: Mozilla Firefox XBL Event Handler Tags Removal Memory Corruption

Severity: HIGH

Description:

There exists a memory corruption vulnerability in Mozilla Foundation's family of browser products. The flaw exists in the XBL (Extensible Binding Language) component and specifically happens via dynamic manipulation of XUL Tags inside Event Handlers. A remote attacker can exploit this vulnerability to execute arbitrary code in the security context of the target browser. An attack targeting this vulnerability can result in the injection and execution of arbitrary code. If code execution is successful, the behaviour of the target will depend on the intention of the attacker. Any injected code will be executed within the security context of the currently logged in user. In the case of an unsuccessful code execution attack, Firefox may terminate abnormally.

Supported On:

References:

bugtraq: 26132
cve: CVE-2007-5339

Affected Products:

Suse linux_personal 10.1
Suse linux_professional 10.1
Sun solaris 10 Sparc
Red_hat enterprise_linux_desktop 5 Client
Debian iceape 1.0.10
Ubuntu ubuntu_linux 6.06 LTS Powerpc
Red_hat enterprise_linux_optional_productivity_application 5 Server
Ubuntu ubuntu_linux 6.06 LTS Amd64
Suse novell_linux_pos 9
Mozilla firefox 2.0 Beta 1
Red_hat desktop 4.0.0
Red_hat enterprise_linux_es 3
Slackware linux 10.2.0
Gentoo linux
Suse unitedlinux 1.0.0
Suse suse_linux_school_server_for_i386
Red_hat desktop 3.0.0
Suse linux_personal 10.2
Suse linux_personal 10.2 X86 64
Suse linux_professional 10.2 X86 64
Suse linux_professional 10.2
Ubuntu ubuntu_linux 6.10 Amd64
Ubuntu ubuntu_linux 6.10 I386
Ubuntu ubuntu_linux 6.10 Powerpc
Ubuntu ubuntu_linux 6.10 Sparc
Suse linux_professional 10.0.0 OSS
Suse linux_personal 10.0.0 OSS
Debian iceweasel
Suse opensuse 10.3
Mozilla camino 1.0.3
Suse linux 10.1 X86
Suse linux 10.1 X86-64
Suse linux 10.1 Ppc
Suse linux 10.0 Ppc
Suse linux 10.0 X86
Suse linux 10.0 X86-64
Suse suse_linux_enterprise_server 8
Mozilla firefox 2.0.0.5
Mozilla thunderbird 2.0.0.5
Hp hp-ux B.11.31
Mandriva corporate_server 4.0.0 X86 64
Ubuntu ubuntu_linux 6.06 LTS I386
Suse open-enterprise-server
Mozilla firefox 2.0.0.7
Mandriva linux_mandrake 2008.0
Mandriva linux_mandrake 2008.0 X86 64
Red_hat fedora 7
Ubuntu ubuntu_linux 7.10 I386
Ubuntu ubuntu_linux 7.10 Powerpc
Suse suse_linux_retail_solution 8.0.0
Avaya intuity_audix_lx 2.0
Mozilla seamonkey 1.1.3
Mozilla firefox 2.0 RC2
Mozilla firefox 2.0 RC3
Red_hat enterprise_linux_as 2.1
Red_hat enterprise_linux_es 2.1
Red_hat enterprise_linux_ws 2.1
Mozilla firefox 2.0.0.2
Mozilla firefox 2.0.0.3
Hp hp-ux B.11.23
Mozilla firefox 2.0.0.4
Mandriva linux_mandrake 2007.1 X86 64
Mozilla thunderbird 2.0.0.4
Mozilla seamonkey 1.1.2
Debian linux 4.0 Powerpc
Avaya messaging_storage_server 3.1
Avaya message_networking 3.1
Ubuntu ubuntu_linux 7.10 Sparc
Red_hat enterprise_linux_as 3
Sun solaris 10 X86
Red_hat enterprise_linux_ws 3
Rpath rpath_linux 1
Hp hp-ux B.11.11
Mozilla camino 1.0
Suse suse_linux_openexchange_server 4.0.0
Suse suse_linux_standard_server 8.0.0
Mozilla seamonkey 1.1.1
Mandriva corporate_server 4.0
Red_hat enterprise_linux_desktop_workstation 5 Client
Red_hat enterprise_linux 5 Server
Mozilla seamonkey 1.1 Beta
Debian iceape 1.0.11
Slackware linux 12.0
Ubuntu ubuntu_linux 7.04 Amd64
Ubuntu ubuntu_linux 7.04 I386
Ubuntu ubuntu_linux 7.04 Powerpc
Ubuntu ubuntu_linux 7.04 Sparc
Suse novell_linux_desktop 9.0.0
Mandriva corporate_server 3.0.0
Suse opensuse 10.2
Mozilla firefox 2.0
Mozilla camino 1.0.1
Mozilla camino 1.0.2
Ubuntu ubuntu_linux 7.10 Amd64
Debian linux 4.0 Alpha
Debian linux 4.0 Amd64
Debian linux 4.0 Arm
Debian linux 4.0 Hppa
Debian linux 4.0 Ia-32
Debian linux 4.0 Ia-64
Debian linux 4.0 M68k
Debian linux 4.0 Mips
Debian linux 4.0 Mipsel
Warpzilla_enhanced gecko 1.8.1.7
Debian linux 4.0 S/390
Debian linux 4.0 Sparc
Debian linux 4.0
Red_hat advanced_workstation_for_the_itanium_processor 2.1.0
Mozilla firefox 2.0.0.6
Mozilla thunderbird 2.0.0.6
Mozilla seamonkey 1.1.4
Avaya messaging_storage_server MM3.0
Foresight_linux foresight_linux 1.1
Suse suse_linux_enterprise_server 9
Red_hat enterprise_linux_as 4
Red_hat enterprise_linux_es 4
Red_hat enterprise_linux_ws 4
Red_hat enterprise_linux Desktop Version 4
Red_hat fedora Core6
Avaya message_networking MN 3.1
Mandriva linux_mandrake 2007.1
Slackware linux 11.0
Debian iceape 1.1.1
Slackware linux -Current
Ubuntu ubuntu_linux 6.06 LTS Sparc
Suse suse_linux_enterprise_desktop 10 SP1
Suse suse_linux_enterprise_server 10 SP1
Mandriva corporate_server 3.0.0 X86 64
Mozilla firefox 2.0.0.1
Suse linux_professional 10.0.0
Mozilla camino 1.5.1
Mozilla camino 1.5

SPYWARE:AD:MEDIATICKETS - SPYWARE: Mediatickets

Severity: LOW

Description:

This signature detects the runtime behavior of Mediatickets, a spyware program. This spyware displays advertisements and reduces the security settings in Internet Explorer.

Supported On:

References:

SPYWARE:BH:CWS-GONNASEARCH - SPYWARE: CoolWebSearch-GonnaSearch

Severity: LOW

Description:

This signature detects the runtime behavior of spyware CoolWebSearch.GonnaSearch, a variant of CoolWebSearch. This spyware installs browser helper objects without user consent, redirects search results to http://www.gonnasearch.com, and modifies browser settings.

Supported On:

References:

APP:HPOV:OPE-AGENT-CODA-BO - APP: HP Operations Agent Opcode coda.exe Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the HP Operations Agent. A successful attack could allow the attacker to execute arbitrary code on the targeted system. Failed exploit attempts could result in a denial of service condition.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2012-2019
cve: CVE-2012-2020
bugtraq: 54362

Affected Products:

Hp operations_agent 11.03
Hp operations_agent 11.01
Hp operations_agent 11.0
Hp performance_agent 5.0
Hp operations_agent 8.60

SPYWARE:BH:THECOOLBAR - SPYWARE: TheCoolbar

Severity: LOW

Description:

This signature detects the runtime behavior of spyware TheCoolbar, an adware application. This spyware modifies Internet Explorer settings and generates pop-up advertisements.

Supported On:

References:

SMB:TRANSACTION-RESPONSE-OF - SMB: Microsoft Windows SMB Client Transaction Response Buffer Overflow

Severity: CRITICAL

Description:

A remote code execution vulnerability exists in Microsoft Windows SMB Client. The vulnerability is due to improper validation of certain fields when handling SMB transaction responses. Remote unauthenticated attackers could exploit this vulnerability by enticing a user to connect to a malicious SMB server and sending a specially crafted SMB response to the target machine. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the operating system kernel. Code injection that does not result in execution could crash the target system, and result in a Denial of Service condition.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 39339
cve: CVE-2010-0270

Affected Products:

Microsoft windows_7_for_32-bit_systems
Microsoft windows_7_for_x64-based_systems
Nortel_networks ensm-enterprise_nms 10.4
Nortel_networks ensm-enterprise_nms 10.5
Microsoft windows_server_2008_for_x64-based_systems R2
Microsoft windows_server_2008_for_itanium-based_systems R2
Nortel_networks callpilot 600R
Nortel_networks contact_center-tapi_server
Nortel_networks contact_center_ncc
Nortel_networks ensm_ip_address_manager
Avaya messaging_application_server
Avaya messaging_application_server MM 3.0
Avaya messaging_application_server MM 3.1
Avaya meeting_exchange-enterprise_edition
Nortel_networks symposium_agent
Nortel_networks callpilot 1005R
Nortel_networks contact_center_administration_ccma 7.1
Nortel_networks contact_center_manager_server 7.1
Nortel_networks contact_center_express 7.1
Nortel_networks callpilot 703T
Nortel_networks contact_center_manager_server
Nortel_networks callpilot 201I
Avaya meeting_exchange-client_registration_server
Avaya meeting_exchange-recording_server
Avaya meeting_exchange-streaming_server
Avaya meeting_exchange-web_conferencing_server
Avaya meeting_exchange-webportal
Avaya messaging_application_server MM 1.1
Nortel_networks contact_center_administration
Avaya messaging_application_server 4
Avaya messaging_application_server 5
Nortel_networks callpilot 202I
Nortel_networks contact_center_express
Nortel_networks contact_center_manager
Nortel_networks contact_center_manager_server 6.0
Avaya messaging_application_server MM 2.0
Nortel_networks contact_center_administration_ccma 7.0
Nortel_networks contact_center_administration_ccma 6.0
Nortel_networks callpilot 1002Rp
Nortel_networks contact_center_manager_server 7.0

SPYWARE:AD:COMTRYMUSICDL - SPYWARE: ComTry Music Downloader

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware ComTry Music Downloader. This spyware displays pop-up advertisements based on user Web activity. It also installs other spyware such as Aureate/Radiate on the infected host and periodically updates itself.

Supported On:

References:

HTTP:INFO-LEAK:IBM-FP-SERLET - HTTP: IBM Rational Focal Point Login And RequestAccessController Servlet Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in IBM Rational Focal Point. A remote, unauthenticated attacker could exploit this vulnerability to read the configuration files of the Webservice Axis Gateway of Focal Point.

Supported On:

References:

bugtraq: 64338
bugtraq: 64339
cve: CVE-2013-5397
cve: CVE-2013-5398

Affected Products:

Ibm rational_focal_point 6.5.2.3
Ibm rational_focal_point 6.5.2
Ibm rational_focal_point 6.4.1.3
Ibm rational_focal_point 6.6.0.1
Ibm rational_focal_point 6.6
Ibm rational_focal_point 6.5.1
Ibm rational_focal_point 6.6.1
Ibm rational_focal_point 6.4

HTTP:CGI:NAGIOS-CORE-DOS - HTTP: Nagios core CGI Process_cgivars Off-By-One

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Nagios core. The problem is caused by improper boundary check when validating the parameters passed to the application. A remote authenticated attacker could exploit this vulnerability by sending a request with a crafted long parameter value. Successful exploitation could result in the CGI crash.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 64363
cve: CVE-2013-7108

Affected Products:

Icinga icinga 1.9.0
Icinga icinga 1.2.1
Nagios nagios 3.0 (rc2)
Nagios nagios 3.0.5
Icinga icinga 1.8.3
Icinga icinga 1.2.0
Icinga icinga 1.7.4
Icinga icinga 0.8.4
Nagios nagios 3.0 (beta2)
Icinga icinga 1.9.3
Nagios nagios 3.0.1
Icinga icinga 1.3.1
Icinga icinga 1.9.2
Icinga icinga 1.7.2
Icinga icinga up to 1.8.4
Icinga icinga 1.7.3
Icinga icinga 1.0.1
Nagios nagios 3.0 (beta3)
Nagios nagios 3.0 (alpha3)
Icinga icinga 1.7.0
Icinga icinga 0.8.0
Nagios nagios up to 4.0.2
Nagios nagios 3.3.1
Icinga icinga 1.0 (rc1)
Nagios nagios 3.0 (beta1)
Icinga icinga 1.0.3
Icinga icinga 0.8.1
Nagios nagios 3.0 (alpha1)
Icinga icinga 1.9.1
Nagios nagios 3.4.3
Icinga icinga 1.0.2
Icinga icinga 0.8.2
Nagios nagios 3.5.1
Icinga icinga 1.7.1
Nagios nagios 3.4.2
Icinga icinga 1.8.1
Icinga icinga 0.8.3
Nagios nagios 3.0 (alpha2)
Nagios nagios 3.2.1
Nagios nagios 3.4.1
Icinga icinga 1.4.1
Nagios nagios 3.0 (alpha4)
Nagios nagios 3.2.0
Nagios nagios 3.0 (rc3)
Icinga icinga 1.6.0
Nagios nagios 3.0 (beta6)
Icinga icinga 1.4.0
Nagios nagios 3.2.3
Nagios nagios 3.1.2
Nagios nagios 3.2.2
Icinga icinga 1.10.1
Nagios nagios 3.0 (beta7)
Icinga icinga 1.8.0
Nagios nagios 3.0.6
Nagios nagios 3.0 (alpha5)
Icinga icinga 1.10.0
Icinga icinga 1.6.1
Nagios nagios 3.1.0
Icinga icinga 1.6.2
Nagios nagios 3.0.4
Nagios nagios 3.4.0
Icinga icinga 1.3.0
Nagios nagios 3.0 (beta5)
Nagios nagios 3.0.3
Icinga icinga 1.8.2
Nagios nagios 3.0 (rc1)
Nagios nagios 3.0 (beta4)
Nagios nagios 3.1.1
Nagios nagios 3.0.2

SPYWARE:KL:PROAGENT - SPYWARE: ProAgent

Severity: HIGH

Description:

This signature detects the runtime behavior of spyware ProAgent, a keylogger. This spyware records all keystrokes, active window texts, visited Web sites, usernames, and passwords, then e-mails the report to a predefined e-mail address.

Supported On:

References:

SPYWARE:AD:ZENOSEARCH - SPYWARE: ZenoSearch

Severity: LOW

Description:

This signature detects the runtime behavior of spyware ZenoSearch. This spyware monitors user Web activity such as strings entered in search engine queries. It also displays pop-up advertisements.

Supported On:

References:

SPYWARE:AD:SIMBAR - SPYWARE: Simbar

Severity: LOW

Description:

This signature detects the runtime behavior of spyware SimBar, an adware application. This spyware installs a toolbar in the Internet Explorer and redirects an address bar search result to its controlling server (www.simplenter.com). It also downloads and installs code from its controlling server.

Supported On:

References:

HTTP:STC:JAVA:JNDI-BYPASS - HTTP: Oracle Java JNDI Sandbox Bypass

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Oracle Java. The vulnerability is due to the insecure getContextClassLoader() method in the JNDI component. A remote unauthenticated attacker can exploit this vulnerability by enticing a user to visit a webpage containing a maliciously crafted Java applet. Successful exploitation could result in arbitrary code execution in the context of the currently logged in user.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 64921
cve: CVE-2014-0422

Affected Products:

Oracle jre 1.7.0 (update_45)
Oracle jdk 1.6.0 (update_65)
Oracle jre 1.6.0 (update_65)
Oracle jdk 1.5.0 (update_55)
Oracle jre 1.5.0 (update_55)
Oracle jdk 1.7.0 (update_45)

SPYWARE:AD:VIEWPOINTMEDIA - SPYWARE: Viewpoint Media Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware Viewpoint Media Toolbar, an adware application. This spyware generates pop-up advertisements and hijacks user search queries. It also transmits information to its controlling server.

Supported On:

References:

TROJAN:ITSOKNOPROBLEMBRO-CNC - TROJAN: itsoknoproblembro Command and Control

Severity: HIGH

Description:

This signature detects the command-and-control communication of a trojan known as "itsoknoproblembro", a DDoS tool. This trojan enables remote attackers to initiate large volumes of DDoS attacks by leveraging infected host's system and network resources.

Supported On:

idp-5.1.110161014, DI-Server, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, DI-Base, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

url: http://arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/

HTTP:STC:STREAM:ASF-WMP - HTTP: Microsoft Windows Media Format ASF Parsing Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known multiple buffer overflow vulnerabilities in Microsoft Windows Media Format processing engine. It is caused due to a boundary error when processing Advanced Systems Format (ASF) files. A remote attacker can exploit this by enticing the target user to open crafted ASF file, which if successful, allows arbitrary code to be injected and executed in the security context of the currently logged in user. The behavior of the target host is entirely dependent on the intended function of the injected code. In an unsuccessful attack, the affected application stops functioning and terminates.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 26776
cve: CVE-2007-0064

Affected Products:

Avaya messaging_application_server MM 3.1
Microsoft windows_media_format 9.5 x64
Hp storage_management_appliance 2.1
Microsoft windows_media_format 7.1
Microsoft windows_media_format 11
Microsoft windows_media_format 9.5
Hp storage_management_appliance I
Hp storage_management_appliance II
Hp storage_management_appliance III
Avaya messaging_application_server MM 2.0
Microsoft windows_media_services 9.1
Avaya messaging_application_server MM 1.1
Avaya messaging_application_server
Microsoft windows_media_services 9.1 x64
Avaya messaging_application_server MM 3.0
Microsoft windows_media_format 9.0

HTTP:STC:DL:WORD-SPRM-MEM - HTTP: Microsoft Word Crafted Sprm Structure Stack Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known memory corruption vulnerability in Microsoft Word products. It is due to improper handling of crafted record size in Word documents. An attacker can exploit this by persuading the target user to open a malicious Word document. A successful attack can allow for arbitrary code injection and execution with privileges of the currently logged on user. If successful, the behavior of the target depends on the intention of the attacker and the injected code is executed within the security context of the currently logged in user. In an unsuccessful code execution attack, the affected product terminates resulting in the loss of any unsaved data from the current session.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 32584
cve: CVE-2008-4837

Affected Products:

Microsoft outlook_2007_sp1
Microsoft works 8.5
Microsoft word_2000 SP3
Microsoft office_compatibility_pack_2007 SP1
Microsoft word_viewer
Microsoft word_2002 SP3
Microsoft office_compatibility_pack_2007
Microsoft word_viewer_2003 SP3
Microsoft word_2007
Microsoft word_2003 SP2
Microsoft word_2007 SP1
Microsoft word_2003 SP3
Microsoft outlook_2007

SPYWARE:AD:GOLDENPALACECASINO - SPYWARE: Golden Palace Casino

Severity: LOW

Description:

This signature detects the runtime behavior of Golden Palace Casino, an adware application. This spyware displays pop-up advertisements. It also downloads additional executables from the Web and updates itself periodically.

Supported On:

References:

url: http://www.goldenpalace.com/

SPYWARE:KL:MASSCONNECT - SPYWARE: maSs coNNect

Severity: MEDIUM

Description:

This signature detects the runtime behavior of maSs coNNect 1.1, a keylogger. This spyware records user activity and enables remote attackers to retrieve the log files stored on the infected host.

Supported On:

References:

url: http://www.megasecurity.org/trojans/m/massconnect/Massconnect1.1.html

HTTP:STC:DIRECTX-AVI-WAV-PARSE - HTTP: Microsoft DirectX WAV and AVI File Parsing Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known buffer overflow vulnerability in Microsoft DirectX application framework. It is due to the way certain DirectX libraries handle specially crafted WAV and AVI files. A remote attacker can exploit this by persuading a user to open a specially crafted WAV or AVI file, potentially causing arbitrary code to be injected and executed in the security context of the logged in user. In a successful code injection attack, the behavior of the target host is entirely dependent on the intended function of the injected code and execute within the security context of the current user. In an unsuccessful attack, the application utilizing the vulnerable DirectX library terminates.

Supported On:

References:

bugtraq: 26804
cve: CVE-2007-3895

Affected Products:

Microsoft directx 7.0
Microsoft directx 10.0
Microsoft directx 8.1
Microsoft directx 9.0c

APP:CHKPOINT-FW-WEBUI-REDIRECT - APP: CheckPoint Firewall WebUI Arbitrary Site Redirect

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in the CheckPoint Firewall WebUI. It is due to insufficient validation of user-supplied input. A successful exploit may aid in phishing attacks, other attacks are possible.

Supported On:

SPYWARE:AD:BTGRAB - SPYWARE: BTGrab

Severity: LOW

Description:

This signature detects the runtime behavior of BTGrab, an adware application. This spyware generates advertisements and installs other spywares such as Callinghome.biz and ABetterInternet.

Supported On:

References:

SPYWARE:AD:DIVXPRO - SPYWARE: DivXPro

Severity: LOW

Description:

This signature detects the runtime behavior of DivXPro 5.1.1, an adware application. This spyware displays pop-up advertisements and periodically updates itself.

Supported On:

References:

url: http://www.divx.com/divx/

SPYWARE:AD:YELLOWBRIDGETOOLBAR - SPYWARE: YellowBridge Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of YellowBridge Toolbar, an adware application. This spyware uses tracking cookies such as servedby.advertising.com and fastclick.com to track user Web activity habits.

Supported On:

References:

HTTP:MISC:NG-ARB-FLUPLOAD - HTTP: Netgear ProSAFE NMS300 fileUpload.do Arbitrary File Upload

Severity: MEDIUM

Description:

This signature detects an attempt to exploit a known vulnerability against Netgear ProSAFE. Successful exploitation could allow an attacker to upload arbitrary files which could lead to further attacks.

Supported On:

References:

url: http://seclists.org/fulldisclosure/2016/feb/30
cve: CVE-2016-1524
cve: CVE-2016-1525
bugtraq: 82630
url: https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt
url: http://seclists.org/fulldisclosure/2016/Feb/30

Affected Products:

Netgear prosafe_network_management_software_300 1.5.0.11

SPYWARE:AD:HANSONELLISTOOLBAR - SPYWARE: Hanson Ellis Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of Hanson Ellis Toolbar. This spyware changes browser settings and installs other spyware such as adware CommanderNET on a host.

Supported On:

References:

HTTP:STC:IMG:JPEG-SCRIPT - HTTP: Internet Explorer Cross Site Scripting Via JPEG

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Internet Explorer. Internet Explorer contains a mime type error that enables a file with JPEG extension to be executed as a script. Attackers can include a script within a .jpg file to perform cross site scripting exploits.

Supported On:

References:

bugtraq: 3116
url: http://www.securityfocus.com/archive/1/200291
cve: CVE-2001-0712

Affected Products:

Microsoft internet_explorer 5.5 SP1
Microsoft internet_explorer 5.0.1
Microsoft internet_explorer 5.0
Microsoft internet_explorer 5.0.1 SP2
Microsoft internet_explorer 5.5
Microsoft internet_explorer 5.0.1 SP1

HTTP:MISC:POSTER-SW-PUI-FILE-OF - HTTP: Poster Software PUBLISH-iT PUI File Processing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Poster Software PUBLISH-iT. The vulnerability is due to insufficient validation on the length of entry names in a "styl" record when processing PUI files. A remote unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious PUI file. Successful exploitation could result in arbitrary code execution in the context of the currently logged in user.

Supported On:

References:

cve: CVE-2014-0980
bugtraq: 65366

Affected Products:

Poster_software publish_it 3.6d

SPYWARE:RAT:CIA1-22-HTTP - SPYWARE: CIA1-22 (HTTP)

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware CIA1.22, a remote administration tool. This spyware enables attackers to completely control an infected host.

Supported On:

References:

SPYWARE:RAT:CIA1-22-FTP - SPYWARE: CIA1-22 (FTP)

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware CIA1.22, a remote administration tool. This spyware enables attackers to completely control an infected host.

Supported On:

References:

SPYWARE:RAT:CIA1-22-ICQ - SPYWARE: CIA1-22 (ICQ Notification)

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware CIA1.22, a remote administration tool. This spyware enables attackers to completely control an infected host.

Supported On:

References:

APP:MISC:ARCSERVE-GETBACKUP - APP: Arcserve GetBackupPolicy Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a vulnerability in Arcserve Unified Data Protection Management Service. This can lead to information disclosure.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

Affected Products:

Arcserve arcserve_unified_data_protection 5.0

SPYWARE:RAT:MINICOMMAND203-ICQ - SPYWARE: Mini Command 2.0.3 (ICQ Notification)

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware MiniCommand2.0.3, a remote administration tool. This spyware enables attackers to completely control an infected host.

Supported On:

References:

HTTP:STC:DL:APPLE-QT-OBJI - HTTP: Apple QuickTime Obji Atom Parsing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Apple Quicktime. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the application.

Supported On:

References:

bugtraq: 28583
cve: CVE-2008-1022

Affected Products:

Apple quicktime_player 7.1
Apple tv 2.0
Apple quicktime_player 7.3.1.70
Apple quicktime_player 7.1.5
Apple quicktime_player 7.2
Apple quicktime_player 7.0.1
Apple quicktime_player 7.0.4
Apple quicktime_player 7.4
Apple quicktime_player 7.1.4
Apple quicktime_player 7.0.2
Apple quicktime_player 7.0.3
Apple quicktime_player 7.4.1
Apple quicktime_player 7.3
Apple quicktime_player 7.1.3
Apple quicktime_player 7.1.1
Apple quicktime_player 7.1.2
Apple quicktime_player 7.1.6
Apple tv 1.0
Apple tv 1.1
Apple quicktime_player 7.3.1

SPYWARE:RAT:BEAST202-ICQ - SPYWARE: Beast2.02 (ICQ Notification)

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware Beast2.02, a remote administration tool. This spyware enables attackers to completely control an infected host.

Supported On:

References:

SPYWARE:RAT:ASSASSIN1-1-HTTP - SPYWARE: Assassin1-1 (HTTP)

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware Assassin1.1, a remote administration tool. This spyware enables attackers to completely control an infected host.

Supported On:

References:

HTTP:STC:DL:VISIO-VSD-ICON - HTTP: Microsoft Office Visio VSD File Icon Bits Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known remote code-execution vulnerability in Microsoft Visio. It is due to incorrect handling of the Icon Bits in a crafted Microsoft Visio file. A remote attacker can exploit this by enticing the target user to open a malicious Microsoft Visio file, potentially causing arbitrary code to be injected and executed on the target. In a successful attack, the behavior of the target depends on the intention of the attacker. Any code injected is executed within the security context of the currently logged in user. In an unsuccessful code execution attack, Microsoft Visio terminates resulting in the loss of any unsaved data from the current session.

Supported On:

References:

bugtraq: 33659
cve: CVE-2009-0095

Affected Products:

Microsoft visio_2007 SP1
Microsoft visio_2003 SP3
Microsoft visio_2002 SP2
Microsoft visio_2003 SP2
Microsoft visio_2002_professional SP2
Microsoft visio_2002_standard SP2
Microsoft visio_2003_standard
Microsoft visio_2003_professional
Microsoft visio_2002 SP1
Microsoft visio_2003 SP1
Microsoft visio_2007
Microsoft visio_2002
Microsoft visio_2003

SPYWARE:RAT:EXCEPTION1-0-HTTP - SPYWARE: Exception1-0 (HTTP)

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware Exception 1.0, a remote administration tool. This spyware enables remote attackers to completely control an infected host.

Supported On:

References:

SPYWARE:RAT:ERAZER-ICQ - SPYWARE: Erazer (ICQ Notification)

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware Erazer V1.1, a Trojan. This spyware enables attackers to completely control an infected host.

Supported On:

References:

HTTP:CGI:LISTSERV-BO - HTTP: ListServ Multiple Buffer Overflow

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against LSoft LISTSERV. Attackers can exploit numerous buffer overflow vulnerabilities in the LISTSERV code to execute arbitrary code or create a denial of service.

Supported On:

References:

bugtraq: 13768
cve: CVE-2005-1773

Affected Products:

L-soft listserv 1.8.0 d
L-soft listserv 1.8.0 e
L-soft listserv 14.3

HTTP:ORACLE:REPORTS-RCE - HTTP: Oracle Forms and Reports Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Oracle Forms and Reports. A successful attack can lead to arbitrary code execution.

Supported On:

References:

cve: CVE-2012-3152
cve: CVE-2012-3153
bugtraq: 55961

Affected Products:

Oracle fusion_middleware 11.1.2.0
Oracle fusion_middleware 11.1.1.4.0
Oracle fusion_middleware 11.1.1.6.0

TROJAN:ROOTKIT-DL - TROJAN: Rootkit Downloader

Severity: HIGH

Description:

This signature detects the download of a Trojan over HTTP in a jpeg file. The Trojan is used to download the ROOTKIT-DL, which can cause loss of system control.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

url: http://en.wikipedia.org/wiki/Rootkit

HTTP:STC:DL:PUB-TEXTBOX - HTTP: Microsoft Office Publisher File Conversion TextBox Processing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known stack buffer overflow vulnerability in Microsoft Office Publisher. It is due to the way Publisher parses certain values in a Microsoft Publisher file. Remote attackers can exploit this by enticing the target user to open a malicious file. A successful attack can result in execution of arbitrary code within the security context of the currently logged in user. An unsuccessful attempt terminates the affected application abnormally.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 39347
cve: CVE-2010-0479

Affected Products:

Microsoft publisher_2007 SP1
Microsoft publisher_2007
Microsoft publisher_2003 SP3
Microsoft publisher_2002
Microsoft publisher_2003
Microsoft publisher_2002 SP3
Microsoft publisher_2007 SP2
Microsoft publisher_2003 SP2

HTTP:DOMINO:POST-DOS2 - HTTP: Lotus Domino Post DoS (2)

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Lotus Domino. Attackers can use malformed variables within a Post statement to cause a denial-of-service (DoS) condition.

Supported On:

References:

Affected Products:

Ibm lotus_domino 6.0.3
Ibm lotus_domino 6.5.2
Ibm lotus_domino 6.0.2
Ibm lotus_domino 6.0.1
Ibm lotus_domino 6.0.0
Ibm lotus_domino 6.5.3
Ibm lotus_domino 6.5.0 .0
Ibm lotus_domino 6.5.1
Ibm lotus_domino 6.0.2 CF2

HTTP:PHP:OP5-MONITOR-CI - HTTP: OP5 Monitor Command_test.php Command Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the command_test.php script of op5 Monitor. Successful exploitation allows the attacker to execute arbitrary code under the security context of the user 'monitor'.

Supported On:

HTTP:STC:ADOBE:PS-CS4-MULTI-BO - HTTP: Adobe Photoshop CS4 Multipe File Parsing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known code execution vulnerability in Adobe Photoshop CS4. It is due to an input validation error while processing ABR (brush) and other graphics files such as ASL and GRD. Remote attackers can exploit this by enticing the target user to open a malicious ABR file. A successful attack can cause a heap buffer overflow that can lead to arbitrary code execution in the security context of the logged in user, or terminate the application resulting in a denial-of-service condition.

Supported On:

References:

bugtraq: 40389
cve: CVE-2010-1296

Affected Products:

Adobe photoshop CS
Adobe photoshop CS3
Adobe photoshop CS2
Adobe photoshop CS4
Adobe photoshop CS4 11.0.0
Adobe photoshop CS4 11.0.1
Adobe photoshop_cs3 10.0

HTTP:STC:DL:XLS-HFPICT - HTTP: Microsoft Office Excel HFPicture Record Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known buffer overflow vulnerability in Microsoft Office Excel products. It is due to improper parsing of an Excel file that includes a malformed HFPicture record. Remote attackers can exploit this by enticing target users to open a malicious Excel file, potentially causing arbitrary code to be injected and executed in the security context of the current user. In a successful attack, the behavior of the target is dependent on the intention of the malicious code. In an unsuccessful attck, the application can terminate as a result of invalid memory access.

Supported On:

References:

bugtraq: 40526
cve: CVE-2010-1248
url: https://www.exploit-db.com/moaub-24-microsoft-excel-obj-record-stack-overflow/
bugtraq: 40520
cve: CVE-2010-0822

Affected Products:

Avaya messaging_application_server MM 3.1
Avaya messaging_application_server 4
Avaya messaging_application_server 5
Avaya meeting_exchange-webportal
Avaya meeting_exchange-web_conferencing_server
Microsoft excel_2002 SP1
Microsoft excel_2002 SP3
Microsoft office_2004_for_mac
Microsoft excel_2002
Avaya messaging_application_server MM 2.0
Avaya messaging_application_server MM 1.1
Avaya meeting_exchange-client_registration_server
Avaya meeting_exchange-recording_server
Avaya meeting_exchange-streaming_server
Avaya messaging_application_server
Microsoft excel_2002 SP2
Avaya messaging_application_server MM 3.0

HTTP:STC:DL:WORD-LINK-OBJ - HTTP: Microsoft Office Word HTML Linked Objects Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known memory corruption vulnerability in Microsoft Office Word. If is due to the application incorrectly handling a malformed plcffldMom record. This can be exploited by remote attackers to execute arbitrary code on the target system by enticing a user to open a maliciously crafted file. In a successful attack the injected code runs within the security context of the currently logged in user. In an unsuccessful attack, the vulnerable application can terminate abnormally.

Supported On:

References:

bugtraq: 42130
cve: CVE-2010-1903

Affected Products:

Microsoft word_viewer
Microsoft word_2002 SP3
Microsoft word_2003 SP1
Microsoft word_2003 SP2
Microsoft word_2003 SP3
Microsoft word_2002 SP2
Microsoft word_2002 SP1

SPYWARE:BP:ETCETERASEARCH - SPYWARE: Etcetera Search

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware Etcetera search, a free Web search plug-in for Microsoft Internet Explorer. This spyware installs other spyware such as WhenU.SaveNow on a user's computer.

Supported On:

References:

HTTP:SQL:INJ:VIRT-MOB-INFRA-CE - HTTP: Trend Micro Virtual Mobile Infrastructure Command Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Trend Micro Virtual Mobile Infrastructure. Successful exploitation could lead to arbitrary code execution.

Supported On:

References:

Affected Products:

Trend_micro virtual_mobile_infrastructure 5.0

SPYWARE:AD:HSADVISORTOOLBAR - SPYWARE: HSAdvisor Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of HSAdvisor Toolbar. This spyware installs additional spyware such as FizzleBar, which creates pop-up advertisments and the Softomate browser hijacker, which redirects search attempts to a different site.

Supported On:

References:

HTTP:STC:ADOBE:CVE-2013-5332-CE - HTTP: Adobe Reader CVE-2013-5332 Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Reader. A successful attack can lead to memory corruption and arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

cve: CVE-2013-5332
bugtraq: 64201

Affected Products:

Adobe adobe_air_sdk 3.8.0.910
Adobe flash_player up to 11.9.900.152
Adobe flash_player 11.0.1.152
Adobe adobe_air_sdk 3.5.0.1060
Adobe flash_player 11.6.602.180
Adobe adobe_air 3.9.0.1030
Adobe adobe_air 3.7.0.1530
Adobe flash_player 11.2.202.243
Adobe adobe_air 3.5.0.890
Adobe adobe_air 3.7.0.1860
Adobe flash_player 11.5.502.135
Adobe flash_player 11.3.300.257
Adobe flash_player 11.2.202.285
Adobe adobe_air 3.1.0.4880
Adobe flash_player 11.1.102.59
Adobe flash_player 11.4.402.265
Adobe flash_player 11.3.300.268
Adobe adobe_air_sdk 3.7.0.1530
Adobe adobe_air 3.5.0.1060
Adobe flash_player 11.6.602.167
Adobe adobe_air 3.6.0.597
Adobe adobe_air_sdk 3.7.0.2090
Adobe adobe_air_sdk 3.5.0.890
Adobe flash_player 11.2.202.228
Adobe adobe_air 3.5.0.880
Adobe adobe_air_sdk 3.6.0.599
Adobe flash_player 11.2.202.251
Adobe flash_player 11.2.202.297
Adobe flash_player 11.2.202.262
Adobe flash_player 11.9.900.117
Adobe adobe_air 3.7.0.2090
Adobe flash_player 11.3.300.262
Adobe flash_player 11.5.502.146
Adobe flash_player 11.1.102.55
Adobe flash_player 11.1.115.34
Adobe flash_player 11.2.202.270
Adobe adobe_air_sdk 3.5.0.880
Adobe adobe_air 3.1.0.488
Adobe flash_player 11.2.202.291
Adobe flash_player 11.0
Adobe flash_player 11.7.700.169
Adobe flash_player 11.3.300.273
Adobe adobe_air_sdk 3.2.0.2070
Adobe flash_player 11.3.300.271
Adobe flash_player 11.2.202.258
Adobe flash_player up to 11.2.202.327
Adobe adobe_air 3.3.0.3670
Adobe flash_player 11.2.202.235
Adobe adobe_air_sdk 3.1.0.488
Adobe flash_player 11.2.202.310
Adobe flash_player 11.1.102.63
Adobe adobe_air 3.2.0.2070
Adobe adobe_air 3.4.0.2540
Adobe adobe_air up to 3.9.0.1210
Adobe flash_player 11.8.800.168
Adobe flash_player 11.8.800.97
Adobe flash_player 11.2.202.233
Adobe flash_player 11.2.202.223
Adobe adobe_air_sdk up to 3.9.0.1210
Adobe flash_player 11.7.700.202
Adobe adobe_air 3.8.0.870
Adobe flash_player 11.0.1.153
Adobe flash_player 11.5.502.136
Adobe adobe_air_sdk 3.7.0.1860
Adobe adobe_air_sdk 3.8.0.870
Adobe adobe_air 3.2.0.207
Adobe flash_player 11.4.402.278
Adobe flash_player 11.1.115.54
Adobe flash_player 11.1.115.48
Adobe adobe_air 3.4.0.2710
Adobe adobe_air 3.5.0.600
Adobe flash_player 11.6.602.168
Adobe flash_player 11.2.202.280
Adobe flash_player 11.1.115.58
Adobe adobe_air 3.6.0.6090
Adobe adobe_air_sdk 3.4.0.2540
Adobe adobe_air_sdk 3.4.0.2710
Adobe adobe_air up to 3.9.0.1060
Adobe adobe_air_sdk 3.5.0.600
Adobe adobe_air_sdk 3.3.0.3690
Adobe adobe_air_sdk 3.3.0.3650
Adobe flash_player 11.7.700.242
Adobe flash_player 11.1.115.7
Adobe adobe_air_sdk 3.0.0.4080
Adobe flash_player 11.2.202.261
Adobe flash_player 11.4.402.287
Adobe flash_player 11.3.300.265
Adobe flash_player 11.7.700.224
Adobe flash_player 11.1
Adobe flash_player 11.1.111.44
Adobe flash_player 11.7.700.252
Adobe flash_player 11.2.202.273
Adobe adobe_air 3.1.0.485
Adobe flash_player 11.2.202.238
Adobe flash_player 11.2.202.275
Adobe flash_player 11.3.300.270
Adobe adobe_air 3.0.0.408
Adobe adobe_air 3.8.0.910
Adobe flash_player 11.5.502.110
Adobe flash_player 11.1.102.62
Adobe flash_player 11.1.111.54
Adobe flash_player 11.2.202.236
Adobe flash_player 11.7.700.232
Adobe flash_player 11.1.111.8
Adobe flash_player 11.5.502.149
Adobe flash_player 11.8.800.94
Adobe flash_player 11.1.111.50
Adobe adobe_air_sdk 3.6.0.6090
Adobe adobe_air_sdk 3.9.0.1030
Adobe flash_player 11.6.602.171
Adobe adobe_air 3.0.0.4080

HTTP:PHP:TIKIWIKI-CMD-EXEC - HTTP: TikiWiki Upload PHP Command Execution

Severity: MEDIUM

Description:

This signature detects an attempt to exploit a known vulnerability against the TikiWiki CMS server application. A maliciously crafted file uploaded to the TikWiki CMS server application, can allow an attacker to execute arbitrary code within the context of the Web server's permissions.

Supported On:

References:

bugtraq: 10100
url: http://tikiwiki.org/tiki-read_article.php?articleId=66
cve: CVE-2004-1928
url: http://security.gentoo.org/glsa/glsa-200501-12.xml

Affected Products:

Tikiwiki_project tikiwiki 1.8.0
Tikiwiki_project tikiwiki 1.8.1

HTTP:PHP:CACTI-RRD-FILE-INC - HTTP: Cacti RRD Remote File Inclusion

Severity: HIGH

Description:

This signature detects an attempt to force the Cacti RRD PHP application to include a remote file for configuration. This vulnerability could lead to compromise of the remote server and privilege escalation.

Supported On:

References:

url: http://www.cacti.net/release_notes_0_8_6e.php
url: http://www.idefense.com/application/poi/display?id=265&type=vulnerabilities
url: http://www.gentoo.org/security/en/glsa/glsa-200506-20.xml
bugtraq: 14129
cve: CVE-2005-1524

Affected Products:

Raxnet cacti 0.6.8 a
Suse linux_personal 9.3.0
Debian linux 3.0.0 Alpha
Debian linux 3.0.0 Arm
Debian linux 3.0.0 Ia-32
Suse linux_personal 9.1.0
Debian linux 3.0.0 Hppa
Debian linux 3.0.0 M68k
Debian linux 3.0.0 Mips
Debian linux 3.0.0 Mipsel
Debian linux 3.0.0 Ppc
Debian linux 3.0.0 S/390
Debian linux 3.0.0 Sparc
Suse linux_professional 9.1.0
Suse linux_professional 9.2.0
Suse linux_professional 9.3.0
Raxnet cacti 0.8.6 d
Suse linux_professional 9.2.0 X86 64
Suse linux_professional 9.1.0 X86 64
Debian linux 3.0.0 Ia-64
Raxnet cacti 0.8.0
Raxnet cacti 0.8.1
Raxnet cacti 0.8.2
Raxnet cacti 0.8.2 a
Raxnet cacti 0.8.3 a
Raxnet cacti 0.8.3
Raxnet cacti 0.8.4
Raxnet cacti 0.8.5
Raxnet cacti 0.8.5 a
Suse linux_personal 9.2.0 X86 64
Suse linux_personal 9.1.0 X86 64
Raxnet cacti 0.5.0
Raxnet cacti 0.6.0
Raxnet cacti 0.6.1
Raxnet cacti 0.6.2
Raxnet cacti 0.6.3
Raxnet cacti 0.6.4
Raxnet cacti 0.6.5
Raxnet cacti 0.6.6
Raxnet cacti 0.6.7
Raxnet cacti 0.6.8
Debian linux 3.0.0
Raxnet cacti 0.8.6 c
Conectiva linux 10.0.0
Debian linux 3.1.0 Ia-64
Debian linux 3.1.0
Debian linux 3.1.0 Alpha
Debian linux 3.1.0 Arm
Debian linux 3.1.0 Hppa
Debian linux 3.1.0 Ia-32
Suse linux_personal 9.2.0
Conectiva linux 9.0.0
Debian linux 3.1.0 Mips
Debian linux 3.1.0 Mipsel
Debian linux 3.1.0 Ppc
Debian linux 3.1.0 S/390
Raxnet cacti 0.8.6 a
Suse linux_personal 9.3.0 X86 64
Raxnet cacti 0.8.6 b
Suse linux_professional 9.3.0 X86 64
Debian linux 3.1.0 M68k
Debian linux 3.1.0 Sparc
Raxnet cacti 0.8.6 e
Raxnet cacti 0.8.6

TROJAN:EAGHOUSE - TROJAN: EagHouse

Severity: HIGH

Description:

This signature detects EagHouse SMTP traffic. This Trojan horse program collects passwords from a target system and periodically mails the list to a central location.

Supported On:

References:

HTTP:CGI:APM-ACC-BYPASS - HTTP: Cyclades AlterPath Manager Access Bypass

Severity: MEDIUM

Description:

This signature detects an attack against the Cyclades AlterPath Manager. A successful attack can allow unauthorized access to the management console.

Supported On:

References:

url: http://www.cirt.net/advisories/alterpath_console.shtml
cve: CVE-2005-0541

SPYWARE:GM:SEARCHBOSS - SPYWARE: SearchBoss Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of SearchBoss. SearchBoss is a toolbar and search engine that allows advertisers to receive visitors on a cost-per-click basis. SearchBoss collects a user's system information, such as the IP address, operating system information, and browser version.

Supported On:

References:

HTTP:PHP:WP-GRAND-FLASH-ALBUM - HTTP: Wordpress GRAND Flash Album Gallery Plugin Directory Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against the Wordpress GRAND Flash Album Gallery Plugin. Attackers can use maliciously crafted HTTP requests to list arbitrary directories on the affected server.

Supported On:

References:

url: http://wordpress.org/extend/plugins/flash-album-gallery/

SPYWARE:BH:EXACTSEEK - SPYWARE: ExactSeek

Severity: LOW

Description:

This signature detects the runtime behavior of ExactSeek. ExactSeek modifies Internet Explorer search settings and installs additional spyware on a user's computer, such as FizzleBar, which generates pop-up advertisements; and the browser hijackers: Richfind and Softomate, which redirect search attempts to different sites.

Supported On:

References:

HTTP:STC:DL:PPT-UNK-ANI - HTTP: Microsoft Powerpoint Unknown Animation Node Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft PowerPoint. A successful attack can result in arbitrary code execution on the user's computer.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 44628
cve: CVE-2010-2573

Affected Products:

Microsoft powerpoint_2002 SP2
Microsoft powerpoint_2003 SP1
Microsoft powerpoint_viewer SP2
Microsoft powerpoint_2004_for_mac
Microsoft powerpoint_2003
Microsoft powerpoint_2002 SP3
Microsoft office_2004_for_mac
Microsoft powerpoint_2002
Microsoft powerpoint_2002 SP1
Microsoft office_2003 SP3
Microsoft powerpoint_2003 SP2
Microsoft powerpoint_2003 SP3
Microsoft office_xp SP3

HTTP:PHP:BITRIX-SITE-MGR-CS - HTTP: Bitrix Site Manager Content Spoofing

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known flaw in Bitrix Site Manager. When an application does not properly handle user supplied data, an attacker can supply content to a web application that could then be reflected back to the user. This presents the user with a modified page under the context of the trusted domain.

Supported On:

References:

url: http://www.bitrixsoft.com/products/cms/

SPYWARE:BH:ADTRAFFIC - SPYWARE: Adtraffic

Severity: LOW

Description:

This signature detects the runtime behavior of spyware Adtraffic. Adtraffic is an error hijacker that resets a user's Internet Explorer settings to display a new error page when a requested URL is not found. When a domain name or 404 error is encountered, it redirects to a page specified by its controlling servers. (For example, www.easilyfound.com)

Supported On:

References:

HTTP:SQL:INJ:AGENT-ADMIN - HTTP: Immobilier CGI SQL Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a SQL injection vulnerability in the Immobilier program. Immobilier 1.0 and earlier versions are vulnerable. Attackers can submit a maliciously crafted URL to the Web server to view and/or modify the database.

Supported On:

References:

Affected Products:

Phpsecure.org immobilier 1.0

HTTP:CYCLADES:CONSOLE-CON - HTTP: Cyclades AlterPath Manager consoleConnect.jsp Arbitrary Console Connection

Severity: MEDIUM

Description:

This signature detects an attempt to bypass access restrictions on the Cyclades AlterPath Manager (APM) by supplying a direct URL to a console.

Supported On:

References:

url: http://www.cirt.net/advisories/alterpath_console.shtml
cve: CVE-2005-0541

HTTP:CYCLADES:SAVEUSER-PRIV - HTTP: Cyclades AlterPath Manager saveUser.do Privilege Escalation

Severity: MEDIUM

Description:

This signature detects an attempt by an authorized user of Cyclades AlterPath Manager to escalate their privilege level to Administrator by modifying the variable contents on a call to saveUser.do.

Supported On:

References:

url: http://www.cirt.net/advisories/alterpath_privesc.shtml
cve: CVE-2005-0542

HTTP:PHP:SITEMAN-USER - HTTP: Siteman User Database Privilege Escalation

Severity: MEDIUM

Description:

This signature detects an attempt to exploit a privilege escalation vulnerability in the "users.php" script, which is shipped as part of Siteman 1.1.x. An authorized user, can gain elevated privileges by supplying a malformed HTTP POST request to this script.

Supported On:

References:

url: http://www.securityfocus.com/archive/1/387855
url: http://www.securiteam.com/unixfocus/5XP0C2KEKY.html
bugtraq: 12304
url: http://sitem.sourceforge.net/

Affected Products:

Siteman siteman 1.1.10
Siteman siteman 1.1.9

HTTP:PKG:WEBMIN-BRUTE - HTTP: Webmin Administrator Password Brute Force

Severity: MEDIUM

Description:

This signature detects an attempt to brute-force a Webmin server into disclosing the Administrator's password.

Supported On:

References:

url: http://www.securityfocus.com/bid/10523
bugtraq: 10474
url: http://www.webmin.com/changes-1.150.html
url: http://marc.theaimsgroup.com/?l=bugtraq&m=108737059313829&w=2
cve: CVE-2004-0583

Affected Products:

Webmin webmin 0.8.5 Red Hat
Debian linux 3.0.0 Alpha
Debian linux 3.0.0 Arm
Debian linux 3.0.0 Ia-32
Debian linux 3.0.0 Ia-64
Debian linux 3.0.0 Hppa
Debian linux 3.0.0 M68k
Debian linux 3.0.0 Mips
Debian linux 3.0.0 Mipsel
Debian linux 3.0.0 Ppc
Debian linux 3.0.0 S/390
Debian linux 3.0.0 Sparc
Webmin webmin 1.0.0 60
Webmin webmin 1.0.0 70
Webmin webmin 1.0.0 50
Webmin webmin 0.76.0
Webmin webmin 0.77.0
Webmin webmin 0.7.0
Webmin webmin 0.78.0
Webmin webmin 0.80.0
Webmin webmin 0.79.0
Webmin webmin 0.6.0
Webmin webmin 0.5.0 x
Webmin webmin 0.960.0
Webmin webmin 0.94.0
Webmin webmin 0.950.0
Webmin webmin 0.970.0
Webmin webmin 0.8.3
Webmin webmin 0.8.4
Webmin webmin 0.88.0
Webmin webmin 0.89.0
Webmin webmin 1.140.0
Debian linux 3.0.0
Webmin webmin 0.92.0 -1
Webmin webmin 0.93.0
Webmin webmin 1.0.0 20
Webmin webmin 1.0.0 80
Webmin webmin 1.130.0
Webmin webmin 0.980.0
Webmin webmin 1.121.0
Webmin webmin 1.0.0 00
Webmin webmin 0.92.0
Webmin webmin 0.990.0
Webmin webmin 1.0.0 90
Webmin webmin 0.51.0
Webmin webmin 0.5.0
Webmin webmin 0.42.0
Webmin webmin 0.41.0
Webmin webmin 0.4.0
Webmin webmin 0.31.0
Webmin webmin 0.91.0
Webmin webmin 0.22.0
Webmin webmin 0.21.0
Webmin webmin 0.2.0
Webmin webmin 0.1.0
Webmin webmin 0.85.0
Webmin webmin 0.3.0
Webmin webmin 1.110.0
Conectiva linux 10.0.0

HTTP:PHP:PHORUM:REMOTE-EXEC - HTTP: Phorum Remote PHP File Inclusion

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the PHP Phorum bulletin board system. A successful attack can allow attackers to remotely execute arbitrary commands with HTTP server privileges.

Supported On:

References:

bugtraq: 4763
cve: CVE-2002-0764

Affected Products:

Phorum phorum 3.3.2 a

HTTP:PHP:PHORUM:RESPONSE-SPLIT - HTTP: Phorum HTTP Response Splitting

Severity: LOW

Description:

This signature detects attempts to exploit a known vulnerability in Phorum. Versions 5.0.14 and earlier are vulnerable. Attackers can send a maliciously crafted URL designed to exploit an input validation. A successful attack can allow the client to alter the way data is represented from the server.

Supported On:

References:

url: http://www.security.nnov.ru/Idocument128.html
bugtraq: 12869
url: http://www.securityfocus.com/archive/1/393953
cve: CVE-2005-0843

Affected Products:

Phorum phorum 3.4.4
Phorum phorum 3.3.2
Phorum phorum 3.3.2 a
Phorum phorum 3.3.1 a
Phorum phorum 3.3.1
Phorum phorum 3.1.0
Phorum phorum 3.2.8
Phorum phorum 5.0.14
Phorum phorum 3.3.2 b3
Phorum phorum 5.0.11
Phorum phorum 3.2.3 b
Phorum phorum 3.1.1
Phorum phorum 3.1.2
Phorum phorum 3.2.0
Phorum phorum 3.2.2
Phorum phorum 3.2.3
Phorum phorum 3.2.3 a
Phorum phorum 3.4.0
Phorum phorum 3.2.4
Phorum phorum 3.2.5
Phorum phorum 3.2.6
Phorum phorum 3.2.7
Phorum phorum 3.1.1 a
Phorum phorum 3.1.1 pre
Phorum phorum 3.1.1 rc2
Phorum phorum 3.4.2
Phorum phorum 5.0.3 BETA
Phorum phorum 3.4.8
Phorum phorum 3.4.8 a
Phorum phorum 5.0.13
Phorum phorum 5.0.12
Phorum phorum 5.0.10
Phorum phorum 5.0.9
Phorum phorum 5.0.7 BETA
Phorum phorum 3.4.1
Phorum phorum 3.4.3
Phorum phorum 3.4.7
Phorum phorum 3.4.5
Phorum phorum 3.4.6

HTTP:PHP:PHP-NEWS-FILE-INC - HTTP: PHP News File Inclusion

Severity: MEDIUM

Description:

This signature detects an attemps to include remote file in a PHP News server. Succesfull exploitation of this vulnerability could lead to arbitrary code execution within the context of the Web Server.

Supported On:

References:

bugtraq: 12696
url: http://securitytracker.com/id?1013345
url: http://www.securityfocus.com/bid/12696
cve: CVE-2005-0632

Affected Products:

Phpnews phpnews 1.2.3
Phpnews phpnews 1.2.4

HTTP:STC:DL:MS-DIRECTSHOW-RCE - HTTP: Microsoft Windows DirectShow JPEG Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Windows DirectShow. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

Affected Products:

Microsoft windows_server_2012 r2
Microsoft windows_xp -
Microsoft windows_7
Microsoft windows_server_2012 -
Microsoft windows_vista
Microsoft windows_server_2008 r2
Microsoft windows_8.1 -
Microsoft windows_8 -
Microsoft windows_xp
Microsoft windows_server_2003
Microsoft windows_server_2008

SSL:AUDIT:DHEEXP-512CPHR-LOGJAM - SSL: OpenSSL Logjam 512-Bit DHE_EXPORT Cipher Suite

Severity: INFO

Description:

This signature detects a SSL-SERVER-HELLO response with 'DHE_EXPORT' RSA cipher suites. Most 'modern' clients (e.g., web browsers) won't offer export grade cipher suites as part of the negotiation process as they are considered as weak encryption.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1

References:

SPYWARE:AD:GROOWESEARCHBAR - SPYWARE: Groowe Search Bar

Severity: LOW

Description:

This signature detects the runtime behavior of Groowe Search Bar. Groowe Search Bar generates advertisements and uses tracking cookies; for example, "atdmt," "tribalfusion," "casalemedia," to track a user's surfing history and gather information.

Supported On:

References:

SPYWARE:BP:MACHERSTOOLBAR - SPYWARE: Machers Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of Machers toolbar. Machers toolbar is a browser plug-in that resets the Internet Explorer settings. It tracks a user's Web activity and passes this information to its controlling server.

Supported On:

References:

url: http://www.spywareguide.com/product_show.php?id=2183

SPYWARE:BH:VIPNETLINK - SPYWARE: VIP NetLink

Severity: LOW

Description:

This signature detects the runtime behavior of VIP NetLink. VIP NetLink is a browser hijacker that resets the Internet Explorer's home page to point to another site. VIP NetLink can pass a user's data and address requests to it's controlling server to gather information.

Supported On:

References:

SPYWARE:BH:QMTOOLBAR - SPYWARE: QM Toolbar

Severity: LOW

Description:

This signature detects the runtime behavior of QM Toolbar. QM Toolbar is a browser hijacker that resets the Interent Explorer settings. It tracks a user's Web activity to gather information. It also installs other spywares such as the IEHijacker.richfind on a user's computer without authorization or user intervention.

Supported On:

References:

SPYWARE:TROJAN:DLOADERAGENT-TL - SPYWARE: Trojan-Downloader-Agent-TL

Severity: HIGH

Description:

This signature detects the runtime behavior of Trojan.Downloader.Agent.TL. Trojan.Downloader.Agent.TL drops and executes Trojans on a user's computer. When executed, it attempts to connect to its controlling server 213.21.215.* to download and install malicious code. It can also send some information back to its controlling server without the user's consent. A successful attack can cause a denial of service (DoS) or execution of remote arbitrary code.

Supported On:

References:

url: http://www.avira.com/en/threats/TR_Drop_Cimuz_AH_2_details.html

HTTP:STC:DL:WORD-REC-LEN-OF - HTTP: Microsoft Word Record Parsing Length Field Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office Word documents. Attackers can execute arbitrary code within the context of the user.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, j-series-9.5, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, isg-3.0.0, isg-3.5.141818, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 35188
url: http://www.zerodayinitiative.com/advisories/ZDI-09-035
cve: CVE-2009-0563

Affected Products:

Microsoft word_viewer_2003 SP3
Microsoft office_compatibility_pack_2007 SP2
Microsoft open_xml_file_format_converter_for_mac
Microsoft office_compatibility_pack_2007 SP1
Microsoft word_viewer
Microsoft word_2002 SP3
Microsoft office_2008_for_mac
Microsoft office_2004_for_mac
Microsoft word_2007 SP2
Microsoft word_2007 SP1
Microsoft word_2003 SP3

SPYWARE:BH:ABCSEARCH - SPYWARE: abcSearch

Severity: LOW

Description:

This signature detects the runtime behavior of abcSearch; abcSearch is an Internet Explorer hijacker that is usually installed by ActiveX drive-by downloads. It redirects user requests to other web sites and also generates untargeted pop-up advertisements periodically.

Supported On:

References:

SPYWARE:AD:ZTOOLBAR - SPYWARE: ZToolbar

Severity: LOW

Description:

This signature detects the runtime behavior of ZToolbar. ZToolbar is an adware application that generates pop-up advertisements. It also monitors the content of the Internet Explorer window and can open partner site Web pages when certain keywords are detected.

Supported On:

References:

url: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094146

SPYWARE:AD:HOTOFFERS - SPYWARE: HotOffers

Severity: LOW

Description:

This signature detects the runtime behavior of HotOffers. HotOffers is an adware and CoolWebSearch browser hijacker that alters the start page for Internet Explorer; setting it to point to www.hotoffers.com or www.hotoffers.info. HotOffers opens pop-up advertisements on the host system.

Supported On:

References:

FTP:OVERFLOW:ASCII-WRITE - FTP: ProFTP ASCII Off By Two Overflow

Severity: HIGH

Description:

This signature detects an attempt to exploit an off-by-two vulnerability in ProFTP. This vulnerability can lead to arbitrary remote code execution within the context of the ftp server. Exploits are publicly available.

Supported On:

References:

bugtraq: 9782
cve: CVE-2004-0346

Affected Products:

Red_hat linux 6.2.0 E I386
Red_hat linux 6.2.0 E Sparc
Red_hat linux 6.2.0 E Alpha
Debian linux 2.2.0 alpha
Debian linux 2.2.0 Powerpc
Red_hat linux 8.0.0 I686
Red_hat linux 7.1.0 k i386
Debian linux 2.2.0 IA-32
Red_hat linux 7.1.0
Red_hat linux 7.1.0 alphaev6
Red_hat linux 6.2.0 sparcv9
Red_hat linux 6.2.0 I386
Debian linux 2.2.0 arm
Red_hat linux 7.3.0 I386
Red_hat linux 7.1.0 iseries
Red_hat linux 9.0.0 I386
Turbolinux appliance_server_workgroup_edition 1.0.0
Proftpd_project proftpd 1.2.9 Rc2
Red_hat linux 6.2.0 Sparc
Red_hat linux 8.0.0
Red_hat linux 8.0.0 I386
Red_hat linux 7.1.0 pseries
Red_hat linux 6.2.0 Alpha
Red_hat linux 7.1.0 I386
Proftpd_project proftpd 1.2.8
Proftpd_project proftpd 1.2.9 Rc1
Red_hat linux 7.1.0 Ia64
Red_hat linux 7.1.0 noarch
Red_hat linux 7.1.0 i586
Red_hat linux 7.1.0 i686
Red_hat linux 7.2.0 noarch
Proftpd_project proftpd 1.2.7
Red_hat linux 7.2.0 Ia64
Red_hat linux 7.2.0 alpha
Debian linux 2.2.0 68k
Red_hat linux 7.2.0 i686
Red_hat linux 7.2.0 athlon
Red_hat linux 7.2.0
Red_hat linux 6.2.0
Debian linux 2.2.0
Turbolinux turbolinux_server 8.0.0
Turbolinux turbolinux_server 7.0.0
Turbolinux turbolinux_workstation 8.0.0
Turbolinux turbolinux_workstation 7.0.0
Red_hat linux 7.3.0
Red_hat linux 7.2.0 i586
Red_hat linux 7.1.0 Alpha
Red_hat linux 7.2.0 I386
Red_hat linux 7.3.0 I686
Turbolinux appliance_server 1.0.0 Workgroup Edition

SMB:OF:RPC-PNP-OF - SMB: Microsoft Windows Plug and Play Registry Key Access Buffer Overflow

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft's Plug and Play protocol. A successful exploit can allow remote code execution and local privilege elevation, leading to an attacker achieving complete control of the affected system.

Supported On:

References:

bugtraq: 14513
cve: CVE-2005-2120
bugtraq: 15065

Affected Products:

Microsoft windows_xp (sp2)
Microsoft windows_xp (sp2:tablet_pc)
Microsoft windows_xp (sp1)
Microsoft windows_2000 (sp4:)
Microsoft windows_xp (sp1:tablet_pc)
Microsoft windows_2000 (sp4::fr)
Microsoft windows_2000 (sp4)

HTTP:APACHE:STRUTS-URIREDIRECT - HTTP: Apache Struts 2 Multiple URI Parameters Arbitrary Redirection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Apache Struts 2. It is due to insufficient validation of user-supplied input. A successful attack could allow the attacker to redirect victims to malicious sites hosting exploits that may aid in further exploitation.

Supported On:

References:

bugtraq: 61196
cve: CVE-2013-2248

Affected Products:

Apache struts 2.3.14.1
Apache struts 2.0.3
Apache struts 2.3.7
Apache struts 2.3.14.2
Apache struts 2.0.11.1
Apache struts 2.0.2
Apache struts 2.3.4
Apache struts 2.0.11
Apache struts 2.3.14.3
Apache struts 2.3.1.1
Apache struts 2.1.0
Apache struts 2.0.10
Apache struts 2.3.4.1
Apache struts 2.3.12
Apache struts 2.1.1
Apache struts 2.0.13
Apache struts 2.1.2
Apache struts 2.0.12
Apache struts 2.3.14
Apache struts 2.1.3
Apache struts 2.3.8
Apache struts 2.3.15
Apache struts 2.1.4
Apache struts 2.2.3.1
Apache struts 2.1.5
Apache struts 2.3.1.2
Apache struts 2.1.6
Apache struts 2.0.9
Apache struts 2.0.8
Apache struts 2.0.4
Apache struts 2.1.8
Apache struts 2.1.8.1
Apache struts 2.2.1.1
Apache struts 2.0.5
Apache struts 2.0.11.2
Apache struts 2.2.3
Apache struts 2.0.7
Apache struts 2.3.3
Apache struts 2.0.6
Apache struts 2.2.1
Apache struts 2.0.1
Apache struts 2.3.1
Apache struts 2.0.14
Apache struts 2.0.0

HTTP:STC:DL:OFFICE-MAL-PUB - HTTP: Malformed Microsoft Office Publisher File

Severity: HIGH

Description:

This signature detects malformed Microsoft Office Publisher Files. Microsoft Office Publisher is vulnerable to several file format exploits. A successful exploit can result in arbitrary remote code execution with the privileges of the targeted user.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

url: http://www.microsoft.com/technet/security/advisory/2292970
cve: CVE-2010-2569
cve: CVE-2010-2571
bugtraq: 45282
bugtraq: 45281
cve: CVE-2010-3954
cve: CVE-2010-3955
cve: CVE-2010-2570

Affected Products:

Microsoft publisher_2003
Microsoft publisher_2002
Microsoft publisher_2003 SP3
Microsoft publisher_2002 SP3
Microsoft publisher_2010_(32_bit)
Microsoft publisher_2010_(64_bit)
Microsoft publisher_2010
Microsoft publisher_2003 SP2

SPYWARE:BH:CWSSTARTPAGE-2 - SPYWARE: CoolWebSearch-StartPage (2)

Severity: MEDIUM

Description:

This signature detects the runtime behavior of CoolWebSearch.StartPage variant. CoolWebSearch.StartPage is one of the CoolWebSearch browser hijackers. It has many variants. This CoolWebSearch.StartPage variant alters the start page for Internet Explorer, setting it to point to http://balabolka.biz/start.html, which is a meta search engine.

Supported On:

References:

SPYWARE:TROJAN:ABWIZ-C - SPYWARE: Abwiz-C

Severity: HIGH

Description:

This signature detects the runtime behavior of Abwiz.C. Abwiz.C is a Trojan program. It downloads code or self-updates from its controlling server and executes the code on a user's computer. Abwiz.C also sends information about the compromised computer to some IP addresses through HTTP.

Supported On:

References:

HTTP:DIR:BARRACUDA-DIRTRAV - HTTP: Barracuda Spam Firewall Directory Traversal

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Barracuda Spam Firewall versions 3.1.17 and below. An unprivileged attacker can use a directory traversal attack against a vulnerable CGI script to verify file existence, access file contents, and delete files on a Barracuda Spam Firewall system. Patches are available.

Supported On:

References:

url: http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1
bugtraq: 14710
url: http://securitytracker.com/alerts/2005/Sep/1014837.html
cve: CVE-2005-2848
bugtraq: 14712
cve: CVE-2005-2847
url: http://www.nessus.org/plugins/index.php?view=single&id=19556

Affected Products:

Barracuda_networks barracuda_spam_firewall 3.1.17 firmware

HTTP:STC:IMG:OFFICE-MAL-TIF - HTTP: Microsoft Office Malicious TIF File (2)

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2010-3949
bugtraq: 45275

Affected Products:

Microsoft office_xp SP3
Microsoft office_xp SP1
Microsoft office_converter_pack
Microsoft office_xp SP2
Microsoft office_xp

HTTP:STC:IMG:OFFICE-MAL-TIFF3 - HTTP: Microsoft Office Malicious TIFF Image (3)

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 45285
cve: CVE-2010-3950

Affected Products:

Microsoft office_xp
Microsoft office_xp SP3
Microsoft office_xp SP2
Microsoft office_xp SP1
Microsoft office_converter_pack
Microsoft works 9.0

TROJAN:HTTP-ZEROACCESS-BOTNET - Trojan: HTTP ZeroAccess BotNet P2P Activity

Severity: HIGH

Description:

This signature detects peer-to-peer (P2P) connections between systems infected with the ZeroAccess Botnet. Both source and destination systems are compromised and should be removed from the network for analysis.

Supported On:

HTTP:STC:IMG:OFFICE-FLASHPIX2 - HTTP: Microsoft Office Malicious FlashPix Image (2)

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against the Microsoft Office FlashPix Graphics filter. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, isg-3.0.0, idp-5.0.110121210, srx-branch-19.1, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 45278
cve: CVE-2010-3951

Affected Products:

Microsoft office_xp SP3
Microsoft office_xp SP1
Microsoft office_converter_pack
Microsoft office_xp SP2
Microsoft office_xp

HTTP:CGI:PERL:WEBHINT-CMD-INJ - HTTP: WebHints Command Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against WebHints packages. Attackers can craft a malicious command injection that can lead to arbitrary code execution within the context of the Web server.

Supported On:

References:

bugtraq: 13930
url: http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html
url: http://www.securityfocus.com/archive/1/401940
cve: CVE-2005-1950

Affected Products:

Colored_scripts easy_message_board
Darryl_burgdorf webhints 1.3.0

HTTP:CGI:INCLUDER-EXEC - HTTP: Includer.cgi Remote Command Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in The Includer. Attackers can send a maliciously crafted HTTP request that could cause arbitrary commands to be executed on the affected server, with permissions of the Web service.

Supported On:

References:

url: http://www.securityfocus.com/archive/1/392454
url: http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html
bugtraq: 12738
url: http://marc.info/?l=bugtraq&m=111445548126797&w=2
cve: CVE-2005-0689

Affected Products:

Jimmy_<wordx@hotmail.com> the_includer 1.0.0
Jimmy_<wordx@hotmail.com> the_includer 1.1.0

MS-RPC:OF:SPOOLSS-1 - MS-RPC: SPOOLSS Buffer Overflow (1)

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Windows SPOOLSS service. Because of improper bounds checking in the Print Spooler service, an attacker can trigger a buffer overflow in the affected system. This action can lead to arbitrary code execution at System level privileges.

Supported On:

References:

url: http://www.microsoft.com/technet/Security/bulletin/ms05-043.mspx
url: http://oval.mitre.org/oval/definitions/data/oval100077.html
url: http://www.us-cert.gov/cas/techalerts/TA05-221A.html
bugtraq: 14514
cve: CVE-2005-1984

Affected Products:

Microsoft windows_xp (sp2)
Microsoft windows_xp (sp2:tablet_pc)
Microsoft windows_2003_server r2
Microsoft windows_xp (sp1)
Microsoft windows_2000 (sp4:)
Microsoft windows_xp (sp1:tablet_pc)
Microsoft windows_2000 (sp4::fr)
Microsoft windows_2000 (sp4)

HTTP:PHP:PHPBB:SEARCH-DOS - HTTP: phpBB Search Flood DoS

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in the phpBB forum software. A flood of search requests can consume a large amount of system resources on a phpBB server. A malicious attacker can send a continued stream of malformed requests to keep the server from answering valid requests, resulting in a denial of service (DoS) condition.

Supported On:

References:

url: http://www.phpbb.com

HTTP:PHP:PHPBB:PROFILE-ADD-DOS - HTTP: phpBB Profile Add DoS

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against phpBB forum software. A flood of add user requests can consume a large amount of system resources on a phpBB server. A malicious attacker can send a continued stream of malformed requests to keep the server from answering valid requests, resulting in a denial of service (DoS) condition.

Supported On:

References:

url: http://www.phpbb.com

HTTP:PHP:PHPNUKE:QR-SQL-INJECT - HTTP: PHP-Nuke Modules.php QUERY Parameter SQL Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against PHPNuke. PHPNuke versions 7.2 and earlier are vulnerable. Attackers, creating a SQL injection attack, can include a maliciously crafted QUERY parameter in a query to modules.php, causing the php script to run arbitrary SQL commands.

Supported On:

References:

bugtraq: 10282
url: http://www.zone.ee/waraxe/?modname=sa&id=027

Affected Products:

Francisco_burzi php-nuke 6.5.0 RC2
Francisco_burzi php-nuke 6.6.0
Francisco_burzi php-nuke 6.5.0 FINAL
Francisco_burzi php-nuke 7.0.0 FINAL
Francisco_burzi php-nuke 7.2.0
Francisco_burzi php-nuke 6.5.0 BETA 1
Francisco_burzi php-nuke 6.9.0
Francisco_burzi php-nuke 6.5.0 RC1
Francisco_burzi php-nuke 6.5.0 RC3
Francisco_burzi php-nuke 6.5.0
Francisco_burzi php-nuke 6.0.0
Francisco_burzi php-nuke 7.1.0
Francisco_burzi php-nuke 6.7.0
Francisco_burzi php-nuke 7.0.0

SPYWARE:BP:NEWNET - SPYWARE: New Net

Severity: MEDIUM

Description:

This signature detects the runtime behavior of hijacker and adware New.Net. New.Net redirects search engine to www.quickbrowsersearch.com. It also generates popup ads at the runtime. It tracks user web activity and sends the log to the controllings server.

Supported On:

References:

SPYWARE:KL:LTTLOGGER - SPYWARE: Lttlogger

Severity: HIGH

Description:

This signature detects the runtime behavior of keylogger Lttlogger v2.0. Lttlogger logs the activity of the victim and uploads the log files to a specified FTP server.

Supported On:

References:

HTTP:VEGADNS-AXFRGET-CMDI - HTTP: VegaDNS axfr_get.php Command Injection

Severity: HIGH

Description:

A command injection vulnerability has been reported in the axfr_get.php script of VegaDNS. Successful exploitation allows the attacker to execute arbitrary commands under the security context of the web server.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

url: http://vegadns.org/0.13/

APP:SYMC:LIVE-UPDATE-SEC-BYPASS - APP: Symantec LiveUpdate Administrator Security Bypass

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Symantec LiveUpdate. An unauthenticated attacker could exploit this vulnerability by sending a malicious request providing a LiveUpdate Administrator email, and a new password. Successful exploitation could lead to security policy bypass and access to sensitive information.

Supported On:

References:

cve: CVE-2014-1644

Affected Products:

Symantec liveupdate_administrator 2.2.1
Symantec liveupdate_administrator 2.3.0
Symantec liveupdate_administrator 2.1.0
Symantec liveupdate_administrator 2.3.1
Symantec liveupdate_administrator 2.2.2.9
Symantec liveupdate_administrator 2.1.2
Symantec liveupdate_administrator 2.3.2
Symantec liveupdate_administrator 2.2.2
Symantec liveupdate_administrator 2.1.3

WORM:COMMWARRIORB - WORM: Commwarrior.b!sis

Severity: MEDIUM

Description:

This signature detects transmission of the Commwarrior.b!sys through an MMS gateway. The worm infects Nokia series 60 mobile phones, which in turn propagate the worm through the public Internet. The worm code is based from the Commwarrior.A Trojan.

Supported On:

References:

SPYWARE:AD:SUPERFASTMP3SEARCH - SPYWARE: Super Fast MP3 Search

Severity: LOW

Description:

This signature detects the runtime behavior of Super Fast MP3 Search. This spyware enables users to search and download music files without a P2P network. It also changes the Internet Explorer home page setting and downloads and installs other spyware, such as eZula.

Supported On:

References:

SPYWARE:BH:NEED2FIND - SPYWARE: Need2Find

Severity: LOW

Description:

This signature detects the runtime behavior of Need2Find. Need2Find is a IE Brower Help Object (BHO). It adds a search bar in IE and displays sponsored links in its search result.

Supported On:

References:

HTTP:CGI:RSA-AGENT-BOF - HTTP: RSA Agent Redirect Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against RSA Authentication Agent for Web Redirect. Attackers can send malicious data that can cause a buffer overflow leading to arbitrary remote code execution within the context of the Agent service.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 13524
cve: CVE-2005-1471

Affected Products:

Rsa_security rsa_authentication_agent_for_web 5.2.0
Rsa_security rsa_authentication_agent_for_web 5.3.0
Rsa_security rsa_authentication_agent_for_web 5.0.0

SPYWARE:AD:BLUBSTER-2X - SPYWARE: Blubster 2.0 and 2.5

Severity: MEDIUM

Description:

This signature detects the runtime behavior of Blubster v2.0 and v2.5. Blubsteris allows unauthorized access of file system. It also displays ads in its application frame.

Supported On:

References:

HTTP:STC:DL:MAL-MIC-BICLRUSED - HTTP: Windows Graphics Rendering Engine MIC File Malformed biClrUsed Parameter

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft's Graphics Rendering Engine. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, srx-branch-19.1, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

Affected Products:

Microsoft windows_xp_media_center_edition SP2
Microsoft windows_xp_professional
Microsoft windows_2000_professional SP3
Microsoft windows_vista SP1
Microsoft windows_xp_64-bit_edition SP1
Microsoft windows_vista Home Premium SP2
Microsoft windows_vista SP2
Microsoft windows_vista_ultimate_64-bit_edition SP2
Microsoft windows_vista Ultimate SP2
Avaya communication_server_1000_telephony_manager 3.0
Avaya communication_server_1000_telephony_manager 4.0
Avaya messaging_application_server 5.2
Avaya aura_conferencing 6.0.0 Standard
Microsoft windows_server_2008_for_32-bit_systems SP2
Microsoft windows_2000_professional
Microsoft windows_server_2008_for_itanium-based_systems SP2
Microsoft windows_server_2008_for_x64-based_systems SP2
Microsoft windows_2000_professional SP1
Microsoft windows_xp_media_center_edition SP1
Microsoft windows_2000_professional SP4
Microsoft windows_server_2003_x64 SP2
Microsoft windows_xp_media_center_edition
Microsoft windows_vista Ultimate
Avaya meeting_exchange-client_registration_server
Avaya meeting_exchange-recording_server
Avaya meeting_exchange-streaming_server
Avaya meeting_exchange-web_conferencing_server
Avaya meeting_exchange-webportal
Microsoft windows_xp_64-bit_edition
Avaya messaging_application_server 4
Avaya messaging_application_server 5
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP1
Microsoft windows_server_2003 SP1
Microsoft windows_server_2003 SP2
Microsoft windows_xp_professional SP3
Microsoft windows_xp_media_center_edition SP3
Microsoft windows_xp_home SP3
Microsoft windows_vista Home Premium SP1
Microsoft windows_vista Ultimate SP1
Microsoft windows_vista_ultimate_64-bit_edition
Microsoft windows_xp_professional_x64_edition
Microsoft windows_vista_ultimate_64-bit_edition SP1
Microsoft windows_server_2003_x64 SP1
Microsoft windows_2000_professional SP2
Avaya callpilot 4.0
Microsoft windows_xp_professional_x64_edition SP2
Microsoft windows_server_2003_itanium
Microsoft windows_server_2003_itanium SP1
Microsoft windows_server_2003_itanium SP2
Avaya callpilot 5.0
Microsoft windows_server_2008_for_32-bit_systems
Microsoft windows_server_2008_for_x64-based_systems
Microsoft windows_server_2008_for_itanium-based_systems
Microsoft windows_xp_home SP2
Microsoft windows_xp_professional SP2
Microsoft windows_xp

SPYWARE:TROJAN:DOWNLOADER.AB - SPYWARE: Generic Downloader.ab

Severity: MEDIUM

Description:

This signature detects the runtime behavior of Generic Downloader.ab. Generic Downloader.ab retrieves and executes malicious code from its controlling server.

Supported On:

References:

url: http://vil.mcafeesecurity.com/vil/content/v_132901.htm

SPYWARE:TROJAN:SPAM-MAXY - SPYWARE: Spam-Maxy

Severity: LOW

Description:

This signature detects the runtime behavior of Spam-Maxy. Spam-Maxy has its own SMTP engine. It downloads e-mail addresses from its controlling server and sends out the e-mails to these addresses. It slows down the infected machine by increasing network traffic and CPU utilization.

Supported On:

References:

SPYWARE:BH:COOLSEARCH - SPYWARE: Coolsearch

Severity: MEDIUM

Description:

This signature detects the runtime behavior of hijacker cool search. Cool search is installed as an IE Browser Helper Object (BHO). It changes IE setting and loads ads from its controlling server.

Supported On:

References:

HTTP:STC:DL:OUTLOOK-CE - HTTP: Microsoft Outlook SMB ATTACH_BY_REFERENCE Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known flaw in Microsoft Office Outlook Email client application. The vulnerability is due to a design error while Outlook parses specially crafted email attachments. Remote attackers can exploit this vulnerability by sending a crafted email attachment using the ATTACH_BY_REFERENCE method. Successful exploitation of this vulnerability would result in arbitrary code execution with the privileges of the logged on user.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 41446
cve: CVE-2010-0266

Affected Products:

Microsoft outlook_2007_sp1
Microsoft outlook_2002 SP3
Microsoft outlook_2002
Microsoft outlook_2007_sp2
Microsoft outlook_2003
Microsoft outlook_2002 SP1
Microsoft outlook_2007
Microsoft outlook_2002 SP2
Microsoft outlook_2003 SP3
Microsoft outlook_2003 SP2

HTTP:STC:DL:PPT-SCRIPT - HTTP: Powerpoint Containing Script Elements

Severity: MEDIUM

Description:

This signature detects the download of a Microsoft PowerPoint document containing Script tags. This type of document can access sensitive files on the client host.

Supported On:

References:

bugtraq: 16634
cve: CVE-2006-0004
url: http://www.kb.cert.org/vuls/id/963628

Affected Products:

Microsoft powerpoint_2000 SP3

HTTP:DIR:CA-ERWIN-WEB-PORTAL - HTTP: CA ERwin Web Portal Directory Traversal

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in CA ERwin Web Portal. This vulnerability is due to lack of authentication and insufficient input validation when processing HTTP requests. By sending crafted HTTP requests to the target system, a remote unauthenticated attacker can leverage this vulnerability to delete arbitrary files recursively on a target system.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 66644
cve: CVE-2014-2210

Affected Products:

Ca erwin_web_portal 9.5

HTTP:STC:DL:CGM-IMG-BOF - HTTP: Microsoft Office CGM Image Converter Buffer Overflow (1)

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft Office. It is due to the way Office allocates a buffer size when handling CGM image files. An attacker can leverage this by enticing a target user to open a malicious file. A successful attack can allow an attacker to execute arbitrary code in the security context of the logged in user. An unsuccessful attack can cause an abnormal termination of the affected product.

Supported On:

References:

bugtraq: 45270
cve: CVE-2010-3945
cve: CVE-2012-2524

Affected Products:

Microsoft office_2003 SP3
Microsoft office_xp
Microsoft office_xp SP3
Microsoft office_2003 SP1
Microsoft office_xp SP1
Microsoft office_2003 SP2
Microsoft office_converter_pack
Microsoft office_xp SP2
Microsoft office_2003

MS-RPC:OF:SRV-SVC-1 - MS-RPC: Microsoft Server Service Overflow (1)

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft Windows Server service (srvsvc). A remote attacker can send a maliciously crafted RPC requests to the problematic service; thus leading to a denial-of-service condition.

Supported On:

idp-5.1.110161014, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 15460
cve: CVE-2005-3644
bugtraq: 23973
bugtraq: 24195
bugtraq: 25232
bugtraq: 24198
cve: CVE-2007-2446

Affected Products:

Microsoft windows_xp_professional
Microsoft windows_xp_home
Microsoft windows_2000_datacenter_server
Microsoft windows_2000_professional SP3
Microsoft windows_2000_server SP3
Microsoft windows_2000_advanced_server SP3
Microsoft windows_2000_datacenter_server SP3
Microsoft windows_2000_datacenter_server SP1
Microsoft windows_2000_professional
Microsoft windows_2000_server SP1
Microsoft windows_2000_advanced_server
Microsoft windows_2000_advanced_server SP1
Microsoft windows_2000_advanced_server SP4
Microsoft windows_2000_datacenter_server SP4
Microsoft windows_2000_professional SP4
Microsoft windows_2000_server SP4
Microsoft windows_xp_media_center_edition
Microsoft windows_xp_tablet_pc_edition
Microsoft windows_2000_server
Microsoft windows_xp_home SP1
Microsoft windows_2000_professional SP1
Microsoft windows_xp_professional SP1
Microsoft windows_2000_advanced_server SP2
Microsoft windows_2000_datacenter_server SP2
Microsoft windows_2000_professional SP2
Microsoft windows_2000_server SP2
Microsoft windows_xp_tablet_pc_edition SP1
Microsoft windows_xp_media_center_edition SP1

HTTP:HPE-INSECURE-DESERIAL - HTTP: HPE Operations Orchestration Insecure Deserialization

Severity: HIGH

Description:

An insecure deserialization vulnerability has been reported in HPE Operations Orchestration. The vulnerability is due to the deserialization of untrusted data in several servlets used for backwards compatibility with older API versions. A remote, unauthenticated attacker can exploit this vulnerability by sending crafted serialized data to the target application. Successful exploitation could result in arbitrary code execution in the context of the application.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2016-8519

POP3:APPLE-ICAL-PARAM-BO - POP3: Apple iCal Trigger and Count Parameters Integer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Apple iCal version 3.0.1 on Mac OS X. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the affected application.

Supported On:

References:

bugtraq: 28632
bugtraq: 28629
cve: CVE-2008-2006

Affected Products:

Apple ical 3.0.1

HTTP:STC:OUTLOOK:WAB-BOF - HTTP: Outlook Express Address Book Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Outlook Express when processing contacts in Windows Address Book (.WAB) file. Attackers sending a maliciously crafted .WAB file can persuade a user to execute this file, causing a buffer overflow; thus allowing arbitrary code execution in the logged-on user's contexts.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2006-0014
url: http://www.microsoft.com/technet/security/bulletin/MS06-016.mspx
bugtraq: 17459

Affected Products:

Microsoft outlook_express 6.0
Microsoft outlook_express 6.0 SP1
Microsoft outlook_express 5.5
Microsoft outlook_express 5.5 SP2
Microsoft outlook_express 5.5 SP1

HTTP:STC:DL:WMP-DVR-MS - HTTP: Microsoft Windows Media Player DVR-MS File Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Windows Media Player. A successful attack can lead to arbitrary code execution.

Supported On:

References:

cve: CVE-2011-0042
bugtraq: 46680

Affected Products:

Microsoft windows_xp_professional
Microsoft windows_7_for_32-bit_systems
Microsoft windows_7_for_x64-based_systems
Microsoft windows_xp Gold Professional
Microsoft windows_7_for_x64-based_systems SP1
Microsoft windows_vista Enterprise SP1
Microsoft windows_xp_home
Microsoft windows_vista SP1
Microsoft windows_vista_enterprise_64-bit_edition SP2
Microsoft windows_vista Enterprise SP2
Microsoft windows_vista_home_basic_64-bit_edition SP2
Microsoft windows_7_home_premium
Microsoft windows_vista_home_premium_64-bit_edition SP2
Microsoft windows_7_professional
Microsoft windows_7_ultimate
Microsoft windows_vista_ultimate_64-bit_edition SP2
Microsoft windows_vista Ultimate SP2
Microsoft windows_7_for_32-bit_systems SP1
Microsoft windows_vista_home_premium_64-bit_edition
Microsoft windows_vista_ultimate_64-bit_edition
Microsoft windows_media_center_tv_pack_for_windows_vista_32-bit_edition
Microsoft windows_media_center_tv_pack_for_windows_vista_64-bit_edition
Microsoft windows_vista_home_premium_64-bit_edition SP1
Microsoft windows_xp_embedded SP2
Microsoft windows_xp_embedded_sp2_feature_pack_2007
Microsoft windows_xp_tablet_pc_edition
Microsoft windows_xp_embedded SP3
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP2
Microsoft windows_xp Gold Media Center
Microsoft windows_xp_media_center_edition
Microsoft windows_xp - Gold Home
Microsoft windows_vista Ultimate
Microsoft windows_vista Home Premium
Microsoft windows_vista Home Basic
Microsoft windows_vista Enterprise
Microsoft windows_xp Gold Tablet Pc
Microsoft windows_xp_embedded
Microsoft windows_xp_service_pack_3
Microsoft windows_xp_embedded SP1
Microsoft windows_xp_professional SP1
Microsoft windows_xp_tablet_pc_edition SP3
Microsoft windows_xp_professional_x64_edition
Microsoft windows_xp_media_center_edition SP3
Microsoft windows_xp_home SP3
Microsoft windows_vista Home Basic SP1
Microsoft windows_vista Home Basic SP2
Microsoft windows_vista_enterprise_64-bit_edition
Microsoft windows_vista Ultimate SP1
Microsoft windows_vista_enterprise_64-bit_edition SP1
Microsoft windows_vista_home_basic_64-bit_edition SP1
Microsoft windows_xp_professional SP3
Microsoft windows_vista_ultimate_64-bit_edition SP1
Microsoft windows_xp_tablet_pc_edition SP2
Microsoft windows_vista Home Premium SP2
Microsoft windows_xp - Gold 64-Bit-2002
Microsoft windows_xp_gold
Microsoft windows_vista_home_basic_64-bit_edition Sp1 X64
Microsoft windows_vista SP2
Microsoft windows_vista_home_basic_64-bit_edition Sp2 X64
Microsoft windows_xp - Gold X64
Microsoft windows_vista Home Premium SP1
Microsoft windows_xp_professional_x64_edition SP2
Microsoft windows_xp_media_center_edition SP2
Microsoft windows_vista_home_basic_64-bit_edition
Microsoft windows_xp_home SP2
Microsoft windows_xp
Microsoft windows_xp Gold Embedded
Microsoft windows_xp_tablet_pc_edition SP1
Microsoft windows_xp_media_center_edition SP1

HTTP:SEARCHBLOX-AB - HTTP: SearchBlox CVE-2015-7919 Arbitrary File Overwrite

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against SearchBlox. Successful exploits may allow an attacker to overwrite arbitrary files and crash the application.

Supported On:

References:

bugtraq: 78552
cve: CVE-2015-7919
url: https://www.ixiacom.com/company/blog/ixia-ati-research-center-discovers-zero-day-searchblox-vulnerabilities

Affected Products:

Searchblox searchblox 8.3.0

HTTP:STC:CANVAS-BABYBOTTLE-GZIP - HTTP: Canvas Babybottle gzip

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability using an attack from the Canvas framework known as babybottle. A successful attack can lead to arbitrary remote code execution. This exploit is related to vulnerability MS06-014.

Supported On:

References:

url: http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
bugtraq: 17462
cve: CVE-2006-0003

Affected Products:

Microsoft data_access_components_(mdac) 2.7
Microsoft data_access_components_(mdac) 2.8
Hitachi hitsenser5 01-00
Hitachi hitsenser5 01-10
Hitachi hitsenser5 02-80
Hitachi dbpartner_odbc 01-00
Hitachi dbpartner_odbc 01-11
Hitachi dbpartner_odbc 01-06
Hitachi dbpartner_odbc 01-03
Hitachi da_broker_for_odbc 01-00
Hitachi da_broker_for_odbc 01-02
Hitachi dbpartner2_client 01-05
Hitachi dbpartner2_client 01-12
Hitachi dbpartner2_client 01-00
Microsoft data_access_components_(mdac) 2.5 SP3
Microsoft data_access_components_(mdac) 2.7 SP1
Microsoft data_access_components_(mdac) 2.8 SP1
Microsoft data_access_components_(mdac) 2.8 SP2

HTTP:MISC:COGENT-SERVER-CMD-INJ - HTTP: Cogent DataHub Web Server GetPermissions.asp Command Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a command injection vulnerability in Cogent DataHub Web Server. A successful attack can lead to execute arbitrary commands within the security context of the server.

Supported On:

References:

cve: CVE-2014-3789

Affected Products:

Cogentdatahub cogent_datahub 7.1.1
Cogentdatahub cogent_datahub 7.3.2
Cogentdatahub cogent_datahub 7.1.2
Cogentdatahub cogent_datahub 7.3.3
Cogentdatahub cogent_datahub 7.1.0
Cogentdatahub cogent_datahub 7.3.0
Cogentdatahub cogent_datahub 7.2.2
Cogentdatahub cogent_datahub 7.0.2
Cogentdatahub cogent_datahub 7.3.4
Cogentdatahub cogent_datahub 7.0
Cogentdatahub cogent_datahub 7.3.1
Cogentdatahub cogent_datahub 7.1.1.63

HTTP:STC:DL:CVE-2015-2477-CE - HTTP: Microsoft Office Word CVE-2015-2477 Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office Word. A successful exploit can lead to buffer overflow and remote code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

cve: CVE-2015-2477

MS-RPC:OF:RRAS - MS-RPC: RRAS Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the MS RPC RRAS module. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the system context.

Supported On:

idp-5.1.110161014, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 18325
cve: CVE-2006-2370

Affected Products:

Microsoft windows_xp_media_center_edition SP2
Microsoft windows_xp_professional
Microsoft windows_2000_datacenter_server
Microsoft windows_2000_professional SP3
Microsoft windows_2000_server SP3
Microsoft windows_2000_advanced_server SP3
Microsoft windows_xp_home
Microsoft windows_2000_datacenter_server SP3
Microsoft windows_2000_datacenter_server SP1
Microsoft windows_xp_tablet_pc_edition SP2
Microsoft windows_2000_professional
Microsoft windows_2000_server SP1
Microsoft windows_2000_advanced_server
Microsoft windows_2000_advanced_server SP1
Microsoft windows_2000_advanced_server SP4
Microsoft windows_2000_datacenter_server SP4
Microsoft windows_2000_professional SP4
Microsoft windows_2000_server SP4
Microsoft windows_xp_media_center_edition SP1
Microsoft windows_xp_media_center_edition
Microsoft windows_xp_tablet_pc_edition
Microsoft windows_2000_server
Microsoft windows_server_2003_enterprise_x64_edition
Microsoft windows_server_2003_standard_edition
Microsoft windows_2000_professional SP1
Microsoft windows_server_2003_standard_x64_edition
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP1
Microsoft windows_server_2003_datacenter_x64_edition
Microsoft windows_xp_professional_x64_edition
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_datacenter_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft windows_2000_advanced_server SP2
Microsoft windows_2000_datacenter_server SP2
Microsoft windows_2000_professional SP2
Microsoft windows_2000_server SP2
Microsoft windows_xp_gold
Microsoft windows_server_2003_enterprise_edition
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_server_2003_enterprise_edition_itanium
Microsoft windows_server_2003_datacenter_edition_itanium
Microsoft windows_xp_home SP2
Microsoft windows_xp_professional SP2
Microsoft windows_xp_tablet_pc_edition SP1
Microsoft windows_xp

HTTP:SQL:INJ:CVE-2018-9088-RCE - HTTP: Zoho ManageEngine OpManager OpManagerFailoverUtil customerName SQL Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Zoho ManageEngine OpManager. A successful attack can lead to arbitrary code execution.

Supported On:

References:

HTTP:STC:JAVA:NXT-UPDTE-RA - HTTP: Oracle Java SE OCSP nextUpdate Replay Attack

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Oracle Java. A successful exploit will have the impact on confidentiality, integrity and availability of the data.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, srx-branch-19.1, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

cve: CVE-2015-4748

Affected Products:

Oracle jdk 1.6.0
Oracle jre 1.6.0
Oracle jrockit r28.3.6
Oracle jre 1.8.0
Oracle jdk 1.8.0
Oracle jre 1.7.0
Oracle jdk 1.7.0

HTTP:PHP:BACULA-WEB-REPORT - HTTP: Bacula Web report.php Multiple Vulnerabilities

Severity: MEDIUM

Description:

This signature detects attempts to exploit multiple known vulnerabilities in Bacula-web. An attacker can steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Supported On:

References:

bugtraq: 46765
url: http://bacula-web.dflc.ch/

Affected Products:

Bacula-web bacula-web 5.0.3
Bacula-web bacula-web 1.38.9_1

HTTP:MICROSOFT-CVE-2018-8582-IO - HTTP: Microsoft Outlook RWZ Integer Overflow Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Outlook. A successful attack can lead to arbitrary code execution.

Supported On:

References:

HTTP:PHP:WORDPRESS-MUL-FL-GAL - HTTP: Multiple WordPress 1 Flash Gallery Plugin Vulnerabilities

Severity: MEDIUM

Description:

This signature detects attempts to exploit multiple known vulnerabilities in wordpress WP-Forum plugin. An attacker can steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Supported On:

References:

Affected Products:

1_plugin 1_flash_gallery 0.2.5

HTTP:PHP:WORDPRESS-MUL-GND-ALBM - HTTP: Multiple WordPress GRAND Flash Album Gallery Plugin Vulnerabilities

Severity: MEDIUM

Description:

This signature detects attempts to exploit multiple known vulnerabilities in the WordPress Grand Flash Album plugin. An attacker can exploit these issues to obtain sensitive information or carry out unauthorized actions on the underlying database.

Supported On:

References:

bugtraq: 46777
url: http://codeasily.com/

Affected Products:

Codeasily grand_flash_album_gallery 0.55

MS-RPC:OF:SRV-SVC-2 - MS-RPC: Microsoft Server Service Overflow (2)

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Server service RPC. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the system.

Supported On:

References:

url: http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
bugtraq: 19409
cve: CVE-2006-3439

Affected Products:

Microsoft windows_xp (sp2)
Microsoft windows_xp (sp2:tablet_pc)
Microsoft windows_2003_server r2
Microsoft windows_xp (sp1)
Microsoft windows_2003_server itanium
Microsoft windows_2003_server 64-bit
Microsoft windows_2003_server sp1
Microsoft windows_2000 (sp4:)
Microsoft windows_2003_server sp1 (:itanium)
Microsoft windows_xp (sp1:tablet_pc)
Microsoft windows_2000 (sp4::fr)
Microsoft windows_xp (:64-bit)
Microsoft windows_2000 (sp4)

HTTP:PHP:CONSTRUCTR-CMS-MUL - HTTP: Constructr CMS Multiple Vulnerabilities

Severity: MEDIUM

Description:

This signature detects attempts to exploit multiple known vulnerabilities in Constructr CMS. An attacker can steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Supported On:

References:

bugtraq: 46842
url: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5001.php
url: http://constructr-cms.org/

Affected Products:

Constructr_cms constructr_cms 3.03.3

HTTP:STC:CVE-2018-8628-RCE - HTTP: Microsoft Powerpoint CVE-2018-8628 Remote Code Execution

Severity: HIGH

Description:

This signature detects an attempt to exploit an use after free vulnerability in Microsoft Powerpoint. Successful exploitation could lead to remote code execution.

Supported On:

idp-5.1.110161014, mx-11.4, idp-4.1.0, mx-16.1, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, vsrx-12.1, j-series-9.5, vsrx-15.1

References:

bugtraq: 106104
cve: CVE-2018-8628

HTTP:APACHE:STRUTS-OGNL-CMDEXEC - HTTP: Apache Struts OGNL Expression Parsing Arbitrary Command Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Apache Struts. Attackers can inject and execute arbitrary commands on the targeted system.

Supported On:

References:

bugtraq: 60345
cve: CVE-2013-2135
bugtraq: 60346

Affected Products:

Apache struts 2.3.14.1
Apache struts 2.0.3
Apache struts 2.3.7
Apache struts 2.0.11.1
Apache struts 2.0.2
Apache struts 2.3.4
Apache struts 2.0.11
Apache struts 2.3.1.1
Apache struts 2.1.0
Apache struts 2.0.10
Apache struts 2.3.4.1
Apache struts 2.3.12
Apache struts 2.1.1
Apache struts 2.0.13
Apache struts 2.1.2
Apache struts 2.0.12
Apache struts up to 2.3.14.2
Apache struts 2.3.14
Apache struts 2.1.3
Apache struts 2.3.8
Apache struts 2.1.4
Apache struts 2.2.3.1
Apache struts 2.1.5
Apache struts 2.3.1.2
Apache struts 2.1.6
Apache struts 2.0.9
Apache struts 2.0.8
Apache struts 2.0.4
Apache struts 2.1.8
Apache struts 2.1.8.1
Apache struts 2.2.1.1
Apache struts 2.0.5
Apache struts 2.0.11.2
Apache struts 2.2.3
Apache struts 2.0.7
Apache struts 2.3.3
Apache struts 2.0.6
Apache struts 2.2.1
Apache struts 2.0.1
Apache struts 2.3.1
Apache struts 2.0.14
Apache struts 2.0.0

HTTP:SQL:REQ-URI - HTTP: SQL Commands Detected In HTTP URIs

Severity: HIGH

Description:

Supported On:

TROJAN:BACKDOOR:CHINACHOPPERCNC - TROJAN: China Chopper Webshell Command and Control Traffic

Severity: HIGH

Description:

This signature detects the Command and Control traffic for the Win.Backdoor.Chopper Webshell Trojan. The source IP host is infected and should be removed from the network for analysis.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

HTTP:STC:MOZILLA:XUL-NULL-MENU - HTTP: Mozilla Firefox XUL NULL Menu Denial of Service

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Mozilla Firefox. A successful attack can result in a denial-of-service condition.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 22694
cve: CVE-2007-0775

Affected Products:

Avaya messaging_storage_server 1.0
Avaya messaging_storage_server 2.0
Avaya messaging_storage_server
Sun solaris 10 Sparc
Red_hat enterprise_linux_desktop 5 Client
Ubuntu ubuntu_linux 6.06 LTS Powerpc
Red_hat enterprise_linux_optional_productivity_application 5 Server
Ubuntu ubuntu_linux 6.06 LTS Amd64
Red_hat fedora Core6
Mozilla thunderbird 0.9.0
Mozilla firefox 2.0 Beta 1
Slackware linux 10.2.0
Sun java_system_application_server_enterprise_edition 8.1.0 2005Q1RHEL2.1/RHEL3
Mozilla firefox 1.0.4
Mozilla firefox 1.0.3
Mozilla thunderbird 1.0.5
Mozilla firefox 1.0.2
Suse unitedlinux 1.0.0
Suse suse_linux_school_server_for_i386
Mozilla firefox 2.0.0.10
Ubuntu ubuntu_linux 6.10 Amd64
Ubuntu ubuntu_linux 6.10 I386
Ubuntu ubuntu_linux 6.10 Powerpc
Mozilla firefox 1.5.0
Turbolinux turbolinux_server 10.0.0 X64
Mozilla camino 0.7.0 .0
Mozilla camino 1.0.3
Mozilla camino 0.8.0
Red_hat desktop 4.0.0
Suse suse_linux_enterprise_server 8
Mozilla thunderbird 1.5.0
Slackware linux 11.0
Mozilla seamonkey 1.0.99
Mozilla firefox 1.5.0.7
Turbolinux wizpy
Mozilla thunderbird 1.5.0.4
Mandriva corporate_server 4.0.0 X86 64
Mozilla thunderbird 1.0.7
Ubuntu ubuntu_linux 6.06 LTS I386
Turbolinux turbolinux 10 F...
Sun solaris 9 Sparc
Suse opensuse 10.2
Avaya interactive_response 2.0
Mozilla camino 1.0.1
Suse open-enterprise-server
Mozilla thunderbird 1.5.0.5
Mozilla firefox 1.5.0.5
Mozilla seamonkey 1.0.3
Mozilla firefox 0.10.1
Mozilla thunderbird 1.0.0
Turbolinux multimedia
Turbolinux personal
Mozilla firefox 1.0.6
Mozilla firefox 1.0.0
Mozilla thunderbird 0.8.0
Mozilla firefox 2.0 RC2
Mozilla firefox 2.0 RC3
Mozilla thunderbird 1.5.0.8
Mozilla seamonkey 1.0.6
Mozilla firefox 1.5.0 Beta 2
Mozilla firefox 1.0.8
Debian linux 3.1.0 Amd64
Hp hp-ux B.11.11
Debian linux 3.1.0 Alpha
Debian linux 3.1.0 Arm
Debian linux 3.1.0 Hppa
Debian linux 3.1.0 Ia-32
Debian linux 3.1.0 Ia-64
Debian linux 3.1.0 M68k
Debian linux 3.1.0 Mips
Debian linux 3.1.0 Mipsel
Debian linux 3.1.0 Ppc
Debian linux 3.1.0 S/390
Debian linux 3.1.0 Sparc
Mozilla firefox 0.10.0
Turbolinux home
Mozilla firefox 1.5.0 Beta 1
Suse suse_linux_enterprise_server 9 SP3
Mozilla firefox 1.0.1
Sun java_system_web_server 6.1
Mozilla thunderbird 1.0.6
Mandriva linux_mandrake 2007.0 X86 64
Suse novell_linux_pos 9
Sun solaris 10 X86
Pardus linux 2007.1
Red_hat fedora Core5
Mozilla thunderbird 1.0.1
Rpath rpath_linux 1
Mozilla firefox 1.5.0.3
Turbolinux turbolinux_server 10.0.0 X86
Turbolinux turbolinux FUJI
Mozilla seamonkey 1.0.2
Mozilla firefox 1.5.0.4
Turbolinux turbolinux_desktop 10.0.0
Mozilla camino 1.0
Suse suse_linux_openexchange_server 4.0.0
Suse suse_linux_retail_solution 8.0.0
Suse suse_linux_standard_server 8.0.0
Mozilla firefox 1.5.0.6
Mozilla seamonkey 1.0.7
Sun java_system_application_server_platform_edition 8.1.0 2005 Q1
Mandriva corporate_server 4.0
Mandriva linux_mandrake 2007.0
Red_hat enterprise_linux_desktop_workstation 5 Client
Red_hat enterprise_linux 5 Server
Suse linux 9.3
Mandriva corporate_server 3.0.0
Hp hp-ux B.11.23
Mozilla thunderbird 0.7.3
Mozilla thunderbird 0.6.0
Suse linux 10.0
Mozilla camino 0.8.3
Gentoo linux
Mozilla firefox 2.0
Sgi propack 3.0.0 SP6
Mozilla firefox 0.9.2
Mozilla thunderbird 0.7.2
Mozilla camino 1.0.2
Mozilla firefox 1.0.7
Mozilla firefox 1.5.0.2
Turbolinux turbolinux_server 10.0.0
Mozilla thunderbird 1.5.0.2
Mozilla thunderbird 1.5.0.1
Mozilla thunderbird 1.0.8
Mozilla seamonkey 1.0.1
Mozilla firefox 1.5.0.1
Mozilla seamonkey 1.0
Mozilla seamonkey 1.0 Dev
Novell linux_desktop 9
Mozilla firefox 0.9.0
Mozilla firefox 0.9.1
Sun java_enterprise_system 2003Q4
Sun java_enterprise_system 2004Q2
Suse suse_linux_enterprise_server 10
Suse suse_linux_enterprise_desktop 10
Avaya messaging_storage_server MM3.0
Suse linux 10.1
Mozilla thunderbird 1.5.0 Beta 2
Ubuntu ubuntu_linux 5.10.0 Amd64
Ubuntu ubuntu_linux 5.10.0 I386
Ubuntu ubuntu_linux 5.10.0 Powerpc
Red_hat enterprise_linux_as 4
Red_hat enterprise_linux_es 4
Red_hat enterprise_linux_ws 4
Debian linux 3.1.0
Mozilla seamonkey 1.0.5
Ubuntu ubuntu_linux 6.10 Sparc
Sun java_web_proxy_server 4.0
Sun java_enterprise_system 2005Q4
Mozilla firefox 1.0.5
Mozilla thunderbird 1.5.0.7
Sun java_enterprise_system 5
Mozilla thunderbird 0.7.1
Sun java_enterprise_system 2005Q1
Sun solaris 9 X86
Mozilla firefox 1.5.0.8
Ubuntu ubuntu_linux 6.06 LTS Sparc
Ubuntu ubuntu_linux 5.10.0 Sparc
Mandriva corporate_server 3.0.0 X86 64
Mozilla firefox 2.0.0.1
Mozilla firefox 1.5.0.9
Mozilla firefox 0.8.0
Mozilla thunderbird 1.5.0.9
Turbolinux fuji
Mozilla camino 1.5
Mozilla firefox 0.9.3
Mozilla firefox 0.9.0 Rc
Mozilla thunderbird 0.7.0
Sun java_system_web_server 7.0
Mozilla camino 0.8.4
Mozilla thunderbird 1.0.2

HTTP:DOS:MUL-PRODUCTS - HTTP: Multiple Denial Of Service Vulnerability (STC)

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability Multiple Products. A successful attack can result in a denial-of-service condition.

Supported On:

References:

cve: CVE-2014-5116

HTTP:APACHE:NOSEJOB - HTTP: Apache-nosejob.c Attempt

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in Apache Web servers. Apache improperly calculates required buffer sizes for chunked encoded requests due to a signed interpretation of an unsigned integer value. Attackers can send chunked encoded requests with the unique Host header value "Apache-nosejob.c." in the GET request to create a buffer overflow and execute arbitrary code.

Supported On:

References:

bugtraq: 5033
cve: CVE-2002-0392

Affected Products:

Apache_software_foundation apache 1.3.14 Mac
Hp compaq_secure_web_server_for_openvms 1.1.0 -1
Apache_software_foundation apache 1.3.3
Apache_software_foundation apache 1.3.14
Apache_software_foundation apache 1.3.12
Hp virtualvault 4.6.0
Hp hp-ux 11.0.0 4
Apache_software_foundation apache 1.2.0
Apache_software_foundation apache 1.3.23
Apache_software_foundation apache 1.0.5
Hp hp-ux 11.22.0
Apache_software_foundation apache 1.1.0
Macromedia jrun 4.0.0
Apache_software_foundation apache 1.3.16
Apache_software_foundation apache 1.3.18
Apache_software_foundation apache 1.3.19
Apache_software_foundation apache 1.3.0
Hp hp-ux 11.20.0
Hp hp-ux 11.11.0
Oracle oracle_http_server 8.1.7
Apache_software_foundation apache 1.2.5
Apache_software_foundation apache 1.3.1
Apache_software_foundation apache 1.3.15
Apache_software_foundation apache 1.3.20
Hp openview_service_information_portal 1.0.0
Hp openview_service_information_portal 2.0.0
Hp openview_service_information_portal 3.0.0
Hp tru64_unix_compaq_secure_web_server 5.8.1
Hp tru64_unix_compaq_secure_web_server 5.8.2
Hp compaq_secure_web_server_for_openvms 1.2.0
Oracle oracle_http_server 9.0.1
Apache_software_foundation apache 1.0.2
Hp tru64_unix_internet_express 5.9.0
Hp internet_express_eak 2.0.0
Oracle oracle_http_server 1.0.2 .0
Oracle oracle_http_server 1.0.2 .1
Oracle oracle_http_server_for_apps_only 1.0.2 .1s
Oracle oracle_http_server 1.0.2 .2
Oracle oracle_http_server 1.0.2 .2 Roll up 2
Macromedia coldfusion_server MX Professional
Macromedia coldfusion_server MX Developer
Macromedia coldfusion_server MX Enterprise
Hp compaq_secure_web_server_for_openvms 1.0.0 -1
Apache_software_foundation apache 1.3.9
Apache_software_foundation apache 1.3.11
Oracle oracle_http_server 9.1.0
Apache_software_foundation apache 1.3.4
Hp openview_network_node_manager 6.10.0
Hp virtualvault 4.5.0
Hp hp-ux 11.0.0
Apache_software_foundation apache 1.3.24
Apache_software_foundation apache 1.0.3
Hp openview_network_node_manager 6.31.0
Apache_software_foundation apache 1.1.1
Oracle oracle_http_server 9.0.2
Hp openview_network_node_manager 6.2.0
Apache_software_foundation apache 1.3.22
Apache_software_foundation apache 1.3.13
Apache_software_foundation apache 1.0.0
Apache_software_foundation apache 2.0.36
Apache_software_foundation apache 2.0.35
Apache_software_foundation apache 2.0.28
Apache_software_foundation apache 2.0.32
Apache_software_foundation apache 2.0.0
Apache_software_foundation apache 2.0.38
Apache_software_foundation apache 2.0.37
Apache_software_foundation apache 1.3.17
Red_hat secure_web_server 3.2.0 i386
Hp hp-ux_(vvos) 11.0.0 4
Ibm http_server 1.3.19
Hp openview_network_node_manager 6.1.0
Oracle oracle_http_server 9.2.0 .0

HTTP:CGI:SCRUTINIZER-CE - HTTP: Scrutinizer Hidden User Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Scrutinizer. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, j-series-9.5, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, srx-17.4, isg-3.5.141818, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

APP:SAP:SYBASE-ESPPARSE-DOS - HTTP: SAP Sybase esp_parse Null Pointer Dereference

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against SAP Sybase. A successful attack can lead to denial of service.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2014-3458
cve: CVE-2014-3457

HTTP:STC:DL:VLC-MEDIA-PLY-BO - HTTP: VideoLAN VLC Media Player File Buffer Overflow

Severity: HIGH

Description:

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 32125
cve: CVE-2008-5036

Affected Products:

Debian linux 4.0 Sparc
Debian linux 4.0
Videolan vlc_media_player 0.9.5
Debian linux 4.0 Armel
Videolan vlc_media_player 0.9.2
Videolan vlc_media_player 0.9.3
Gentoo linux
Videolan vlc_media_player 0.9.0
Videolan vlc_media_player 0.9.1
Videolan vlc_media_player 0.9.4
Debian linux 4.0 Alpha
Debian linux 4.0 Amd64
Debian linux 4.0 Arm
Debian linux 4.0 Hppa
Debian linux 4.0 Ia-32
Debian linux 4.0 Ia-64
Debian linux 4.0 M68k
Debian linux 4.0 Mips
Debian linux 4.0 Mipsel
Debian linux 4.0 Powerpc
Debian linux 4.0 S/390

HTTP:DIR:ENDECA-ETLSERVER-DT - HTTP: Oracle Endeca Information Discovery Integrator ETL Server MoveFile Directory Traversal

Severity: HIGH

Description:

A directory traversal vulnerability exists in Oracle Endeca Information Discovery Integrator ETL Server. The vulnerability is due to insufficient input validation while processing SOAP requests to the MoveFile operation. By sending crafted SOAP requests to the target system, a remote authenticated attacker can leverage this vulnerability to move arbitrary files on a target system with System privileges. This can further lead to information disclosure and eventually arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2015-2605

Affected Products:

Oracle fusion_middleware 2.2.2
Oracle fusion_middleware 3.0
Oracle fusion_middleware 3.1
Oracle fusion_middleware 2.4
Oracle fusion_middleware 2.3

HTTP:NOVELL:GROUPWISE-CSS - HTTP: Novell GroupWise WebAccess Cross-Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Novell Groupwise Web application. Attackers can execute malicious crafted strings and launch further attacks.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

Affected Products:

Novell groupwise 2012
Novell groupwise 2014

HTTP:ORACLE:COPYFILE-DIR-TRAV - HTTP: Oracle Endeca CopyFile Directory Traversal

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Oracle Endeca while sending a specially crafted request to the target web application service. Attackers can gain access to sensitive information and could launch further attacks.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1

References:

url: http://www.zerodayinitiative.com/advisories/zdi-15-354/
url: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
cve: CVE-2015-2604
url: http://www.zerodayinitiative.com/advisories/zdi-15-355/
cve: CVE-2015-2602
cve: CVE-2015-4745

Affected Products:

Oracle fusion_middleware 2.2.2
Oracle fusion_middleware 3.0
Oracle fusion_middleware 3.1
Oracle fusion_middleware 2.4
Oracle fusion_middleware 2.3

HTTP:STC:DL:XLS-DATA-INIT - HTTP: Excel Data Initialization Vulnerability

Severity: HIGH

Description:

This signature detects attempts to exploit a known issue with Microsoft Excel. A malformed Excel file, when opened, can result in arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

cve: CVE-2011-0105
bugtraq: 47256

Affected Products:

Microsoft excel_2004_for_mac
Microsoft open_xml_file_format_converter_for_mac
Microsoft excel_2002 SP3
Microsoft excel_2008_for_mac
Microsoft excel_2002
Microsoft excel_2002 SP1
Microsoft excel_2002 SP2

SMB:OF:NWCW-INV-CALL - SMB: Invalid Netware Workstation Service Call

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in the Client for NetWare Services on Microsoft Windows. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user (typically Administrator).

Supported On:

References:

bugtraq: 21023
cve: CVE-2006-4688

Affected Products:

Microsoft windows_xp_professional
Microsoft windows_xp_home
Microsoft windows_2000_datacenter_server
Microsoft windows_2000_professional SP3
Microsoft windows_2000_server SP3
Microsoft windows_2000_advanced_server SP3
Microsoft windows_xp_64-bit_edition
Microsoft windows_2000_datacenter_server SP3
Microsoft windows_xp_embedded
Microsoft windows_xp_embedded SP1
Microsoft windows_2000_datacenter_server SP1
Avaya s8100_media_servers R10
Avaya s8100_media_servers
Avaya s8100_media_servers R11
Microsoft windows_xp_tablet_pc_edition SP2
Microsoft windows_2000_professional
Avaya messaging_application_server
Avaya s8100_media_servers R9
Microsoft windows_2000_server SP1
Microsoft windows_2000_advanced_server
Microsoft windows_2000_advanced_server SP1
Microsoft windows_2000_advanced_server SP4
Microsoft windows_2000_datacenter_server SP4
Microsoft windows_2000_professional SP4
Microsoft windows_2000_server SP4
Nortel_networks centrex_ip_element_manager 8.0.0
Nortel_networks centrex_ip_element_manager 7.0.0
Microsoft windows_xp_64-bit_edition_version_2003
Microsoft windows_xp_tablet_pc_edition
Avaya s8100_media_servers R8
Microsoft windows_server_2003_standard_edition
Nortel_networks centrex_ip_element_manager 9.0.0
Microsoft windows_2000_professional SP1
Avaya s8100_media_servers R7
Microsoft windows_server_2003_enterprise_edition SP1 Beta 1
Hp storage_management_appliance 2.1
Avaya s8100_media_servers R6
Microsoft windows_xp_64-bit_edition SP1
Microsoft windows_server_2003_datacenter_edition SP1 Beta 1
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP1
Microsoft windows_server_2003_standard_edition SP1 Beta 1
Microsoft windows_server_2003_web_edition SP1 Beta 1
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft windows_2000_advanced_server SP2
Microsoft windows_2000_datacenter_server SP2
Microsoft windows_2000_professional SP2
Microsoft windows_2000_server SP2
Microsoft windows_xp_gold
Avaya s8100_media_servers R12
Microsoft windows_server_2003_enterprise_edition
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_xp_64-bit_edition_version_2003 SP1
Microsoft windows_xp_professional SP2
Microsoft windows_xp_tablet_pc_edition SP1
Microsoft windows_xp

WORM:MINIFLAME-CNC - WORM: Miniflame Command and Conrol Communication

Severity: HIGH

Description:

This signature detects the command-and-control communication of miniflame, an independent, stripped down variant of famous botnet, Flame. The source IP might be infected and should be removed from network and analyzed for malicious activity.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

HTTP:MISC:SUPERMICRO-LOGIN-BO - HTTP: SuperMicro IPMI login.cgi Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Supermicro IPMI. A successful attack can lead to remote code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2013-3621

HTTP:STC:ADOBE:CVE-2014-0497-MC - HTTP: Adobe Flash CVE-2014-0497 Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Flash Player. A successful attack can lead to memory corruption and arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

cve: CVE-2014-0497
bugtraq: 65327

Affected Products:

Adobe flash_player 11.4.402.287
Adobe flash_player 11.2.202.223
Adobe flash_player 11.1.102.55
Adobe flash_player 11.3.300.265
Adobe flash_player 11.1.115.34
Adobe flash_player 11.2.202.310
Adobe flash_player 11.5.502.146
Adobe flash_player 11.2.202.262
Adobe flash_player 11.0.1.152
Adobe flash_player 11.7.700.260
Adobe flash_player 11.2.202.270
Adobe flash_player 11.6.602.167
Adobe flash_player 11.6.602.180
Adobe flash_player 11.1
Adobe flash_player 11.0.1.153
Adobe flash_player 11.2.202.243
Adobe flash_player 11.5.502.136
Adobe flash_player 11.2.202.258
Adobe flash_player 11.2.202.291
Adobe flash_player 11.0
Adobe flash_player 11.1.111.44
Adobe flash_player 11.5.502.135
Adobe flash_player 11.3.300.257
Adobe flash_player 11.2.202.273
Adobe flash_player 11.2.202.285
Adobe flash_player 11.4.402.278
Adobe flash_player 11.2.202.238
Adobe flash_player 11.1.111.50
Adobe flash_player 11.1.102.59
Adobe flash_player 11.3.300.273
Adobe flash_player 12.0.0.41
Adobe flash_player 11.1.115.54
Adobe flash_player 11.2.202.275
Adobe flash_player 11.7.700.224
Adobe flash_player 11.3.300.270
Adobe flash_player 11.3.300.268
Adobe flash_player 11.9.900.152
Adobe flash_player 11.1.115.7
Adobe flash_player 11.3.300.271
Adobe flash_player 12.0.0.43
Adobe flash_player 11.7.700.252
Adobe flash_player 11.2.202.335
Adobe flash_player 11.7.700.257
Adobe flash_player 12.0.0.38
Adobe flash_player 11.6.602.168
Adobe flash_player 11.2.202.235
Adobe flash_player 11.7.700.202
Adobe flash_player 11.2.202.280
Adobe flash_player 11.2.202.228
Adobe flash_player 11.1.115.48
Adobe flash_player 11.4.402.265
Adobe flash_player 11.1.102.62
Adobe flash_player 11.7.700.169
Adobe flash_player 11.1.111.54
Adobe flash_player 11.2.202.236
Adobe flash_player 11.1.102.63
Adobe flash_player 11.1.115.58
Adobe flash_player 11.1.111.8
Adobe flash_player 11.2.202.251
Adobe flash_player 11.8.800.168
Adobe flash_player 11.5.502.110
Adobe flash_player 11.9.900.170
Adobe flash_player 11.6.602.171
Adobe flash_player 11.5.502.149
Adobe flash_player 11.8.800.94
Adobe flash_player 11.2.202.327
Adobe flash_player 11.2.202.297
Adobe flash_player 11.2.202.332
Adobe flash_player 11.8.800.97
Adobe flash_player 11.7.700.242
Adobe flash_player 11.7.700.232
Adobe flash_player 11.9.900.117
Adobe flash_player 11.2.202.233
Adobe flash_player 11.2.202.261
Adobe flash_player 11.3.300.262

HTTP:HPEV-RCI - HTTP: Hewlett Packard Enterprise Vertica validateAdminConfig Remote Command Injection

Severity: HIGH

Description:

A remote command injection vulnerability exists in the Management Console for Hewlett Packard Enterprise Vertica. Successful exploitation would allow the attacker to execute arbitrary OS commands in the underlying system as root privileges

Supported On:

References:

cve: CVE-2016-2002

Affected Products:

Hp vertica 7.0.2.12
Hp vertica 7.2.1
Hp vertica 7.2.0
Hp vertica 7.1.2

HTTP:PHP:4IMAGES-RFI - HTTP: 4images Remote File Inclusion

Severity: HIGH

Description:

This signature detects attempts to exploit a known remote file inclusion vulnerability in 4images. It is due to insufficient validation of user-supplied input in download.php, categories.php or global.php scripts. A remote attacker can exploit this by enticing a target to open a malicious URL link. A successful attack can result in arbitrary code execution and loss of sensitive information.

Supported On:

References:

bugtraq: 47394
url: http://www.4homepages.de/

Affected Products:

4homepages 4images 1.7.9

HTTP:SQL:INJ:WP-UNIVERSAL-POST - HTTP: WordPress Universal Post Manager Plugin SQL Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known SQL injection vulnerability in the WordPress Universal Post Manager plugin. It is due to insufficient validation of the 'qid' or 'PID' parameters. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

References:

Affected Products:

Artyom_chakhoyan universal_post_manager 1.0.9

HTTP:XSS:WP-UNIVERSAL-POST - HTTP: WordPress Universal Post Manager Plugin Cross Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a cross-site scripting vulnerability in WordPress Universal Post Manager. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

References:

Affected Products:

Artyom_chakhoyan universal_post_manager 1.0.9

HTTP:SQL:INJ:WP-AJAX-CATEGORY - HTTP: WordPress Ajax Category Dropdown Plugin SQL Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known SQL injection vulnerability in the WordPress Ajax Category Dropdown Plugin. It is due to insufficient validation of a parameter sent to the dhat-ajax-cat-dropdown-request.php script. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

References:

bugtraq: 47529
url: http://www.wordpress.org

Affected Products:

Dyasonhat ajax_category_dropdown 0.1.5

HTTP:NOVELL:REPORTER-AGENT - HTTP: Novell File Reporter Agent XML Parsing Remote Code Execution

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability against Novell File Reporter Agent. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

url: https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959
cve: CVE-2012-4959
bugtraq: 56579
cve: CVE-2012-4956
cve: CVE-2012-4958

Affected Products:

Novell file_reporter 1.0.2

SPYWARE:RAT:DSKLITE1-0-ICQ - SPYWARE: DSK Lite 1.0 (ICQ Notification)

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware DSK Lite 1.0, a keylogger and remote administration tool. This spyware enables attackers to completely control an infected host and log all user activities.

Supported On:

References:

HTTP:PHP:WP-XML-RPC-PINGBACK-RQ - HTTP: WordPress XML RPC Pingback Request

Severity: MEDIUM

Description:

This signature detects WordPress XML RPC calls for the Pingback feature. Its more common use is as a Distributed Denial of Service (DDoS) attack against other WordPress sites. This Pingback functionality also has legitimate uses, but this signature will detect this activity regardless of intention. Per WordPress, it is recommended to disable this functionality. Documentation on how to disable it is found in the signature references.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

url: http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

TROJAN:BACKDOOR:GHOSTNET-CNC - TROJAN: Backdoor.GhostNet Command and Control Traffic

Severity: HIGH

Description:

This signature detects the Command and Control traffic for the Backdoor.GhostNet trojan. The source IP host is infected and should be removed from the network for analysis.

Supported On:

References:

url: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf

HTTP:STC:REPRISE-PARAM-PARSE-BO - HTTP: Reprise License Manager HTTP Parameter Parsing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Reprise License Manager. A successful exploit can lead to buffer overflow and arbitrary remote code execution within the context of the application.

Supported On:

References:

cve: CVE-2015-6946

Affected Products:

Borland accurev -

HTTP:PHP:WP-XMLRPC-BRUTE - HTTP: WordPress XMLRPC Brute Force Login Attempt

Severity: HIGH

Description:

This signature detects repeated attempts to login to a WordPress website using XMLRPC. This may be an indication of a brute-force attack to gain access to the site, or possibly an automated blog posting system with bad credentials. If the source IP address is known to you, you may need to check its configuration, otherwise, this is possibly a malicious event.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

HTTP:MAILCHIMP-PLUGIN-PHP-CE - HTTP: MailChimp Plugin for WordPress Remote PHP Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against MailChimp Plugin. A successful exploit can lead to remote code execution.

Supported On:

HTTP:MISC:CVE-2015-5718-BO - HTTP: Websense Triton Content Manager Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Websense Triton application. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the running server.

Supported On:

References:

Affected Products:

Websense content_gateway 8.0.0

HTTP:PHP:WP-SIMPLE-ADS-MGR-MUL - HTTP: WordPress Simple Ads Manager Plugin Multiple Security Vulnerabilities

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against WordPress Simple Ads Manager. A successful attack can lead to information disclosure and an arbitrary file-upload.

Supported On:

References:

bugtraq: 73924
cve: CVE-2015-2825
cve: CVE-2015-2826

Affected Products:

Simple_ads_manager_project simple_ads_manager 2.5.94

HTTP:STC:DL:QT-PANORAMA-ATOM - HTTP: Apple QuickTime Panorama Sample Atoms Movie File Handling Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known buffer overflow vulnerability in Apple QuickTime. It is due to boundary errors in the QuickTime Virtual Reality (QTVR) when processing QTVR movie files. A remote attacker can exploit this by enticing the target user to open a crafted QTVR movie file. A successful attack can lead to arbitrary code execution in the security context of the logged in user. The behavior of the target is entirely dependent on the intended function of the injected code. In an unsuccessful attack, the affected Apple QuickTime process terminates abnormally.

Supported On:

References:

bugtraq: 26342
cve: CVE-2007-4675

Affected Products:

Apple quicktime_player 7.1.2
Apple quicktime_player 7.1
Apple quicktime_player 7.1.6
Apple quicktime_player 7.1.4
Apple quicktime_player 7.0.2
Apple quicktime_player 7.0.3
Apple quicktime_player 7.1.5
Apple quicktime_player 7.2
Apple quicktime_player 7.0.1
Apple quicktime_player 7.0.4
Apple quicktime_player 7.0.0
Apple quicktime_player 7.1.3
Apple quicktime_player 7.1.1

HTTP:STC:DL:PPT-OFFICEART - HTTP: Microsoft Powerpoint OfficeArtClient Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Powerpoint. A successful attack can lead to arbitrary code execution.

Supported On:

References:

cve: CVE-2011-1270
bugtraq: 47700
cve: CVE-2006-0022
cve: CVE-2011-1269

Affected Products:

Microsoft powerpoint_2007
Microsoft powerpoint_2002 SP2
Microsoft office_compatibility_pack_2007 SP2
Microsoft open_xml_file_format_converter_for_mac
Microsoft office_compatibility_pack_2007 SP1
Microsoft powerpoint_2003
Microsoft powerpoint_2007 SP2
Microsoft office_compatibility_pack_2007
Microsoft powerpoint_2002
Microsoft powerpoint_2002 SP1
Microsoft powerpoint_2003 SP1
Microsoft powerpoint_2003 SP2
Microsoft powerpoint_2002 SP3
Microsoft powerpoint_2007 SP1
Microsoft office_2004_for_mac
Microsoft office_2008_for_mac
Microsoft powerpoint_2003 SP3

HTTP:STC:HPJ-OPTIONS - HTTP: Microsoft Help Workshop HPJ OPTIONS Section Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Help Workshop. An attacker can create malicious Web pages containing dangerous HPJ files with a long HLP reference, which if visited, can gain control of a victim's system.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

url: http://www.milw0rm.com/exploits/3159
bugtraq: 22135
cve: CVE-2007-0427

Affected Products:

Microsoft html_help_workshop 4.03.0002
Microsoft visual_studio 6.0 SP6
Microsoft visual_studio_.net_2003

HTTP:ORACLE:DEMANTRA-FILEACCESS - HTTP: Oracle Demantra Demand Management Unauthorized File Access

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Oracle Demantra Demand Management. A successful attack can lead to unauthorized file disclosure.

Supported On:

References:

bugtraq: 64831
cve: CVE-2013-5877

Affected Products:

Oracle supply_chain_products_suite_sql-server 12.2.0
Oracle supply_chain_products_suite 7.2.0.3
Oracle supply_chain_products_suite_sql-server 12.2.1
Oracle supply_chain_products_suite_sql-server 7.3.0
Oracle supply_chain_products_suite_sql-server 7.3.1

HTTP:MISC:ALIEN-VAULT-OSSIM-CE - HTTP: AlienVault OSSIM av-centerd SOAP Requests Command Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Alien Vault OSSIM. A successful attack can lead to arbitrary command execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 67312
cve: CVE-2014-3804
url: http://forums.alienvault.com/discussion/2690
bugtraq: 67999

Affected Products:

Alienvault open_source_security_information_management 4.4
Alienvault open_source_security_information_management 4.3
Alienvault open_source_security_information_management 4.1
Alienvault open_source_security_information_management 4.5
Alienvault open_source_security_information_management 4.0.4
Alienvault open_source_security_information_management 4.3.3
Alienvault open_source_security_information_management 4.2
Alienvault open_source_security_information_management 4.2.2
Alienvault open_source_security_information_management 4.6
Alienvault open_source_security_information_management 4.3.2
Alienvault open_source_security_information_management 4.1.3
Alienvault open_source_security_information_management 4.2.3
Alienvault open_source_security_information_management 4.0.3
Alienvault open_source_security_information_management 4.0
Alienvault open_source_security_information_management 4.6.1
Alienvault open_source_security_information_management 4.3.1
Alienvault open_source_security_information_management 4.1.2

HTTP:STC:SBS-TRAIN - HTTP: Step-by-Step Interactive Training Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Step-By-Step Interactive Training. An attacker can create malicious Web pages containing dangerous CBO files with a long Syllabus reference, which if visited, can gain control of a victim's system.

Supported On:

References:

bugtraq: 22484
cve: CVE-2006-3448

Affected Products:

Microsoft step-by-step_interactive_training
Hp storage_management_appliance 2.1

HTTP:STC:DL:APPLE-PICT - HTTP: Apple QuickDraw PICT Images ARGB Records Handling Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Apple Quickdraw. An attacker can create a malicious Web page containing dangerous PICT images; when opened by a victim, the attacker can cause a denial-of-service condition with the possibility of remote code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

url: http://www.frsirt.com/english/advisories/2006/4999
url: http://projects.info-pull.com/moab/MOAB-23-01-2007.html
bugtraq: 22207
cve: CVE-2007-0462

Affected Products:

Apple mac_os_x 10.4.8
Apple mac_os_x_server 10.4.8

HTTP:INFO-LEAK:HP-SITESCOPE - HTTP: HP SiteScope integrationViewer Default Credentials

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against HP SiteScope. A successful attack can lead to unauthorized information disclosure.

Supported On:

References:

bugtraq: 49345

Affected Products:

Hp site_scope 11.10 Build 2929

APP:MISC:F-SECURE-WEB-BO - APP: F-Secure Products Web Console Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Web Console of multiple F-Secure products. A successful attack can lead to buffer overflow and arbitrary code execution. Failed exploits can cause denial-of-service.

Supported On:

References:

cve: CVE-2006-2838

Affected Products:

F-secure internet_gatekeeper 6.42
F-secure f-secure_anti-virus 6.40 (:ms_exchange)
F-secure f-secure_anti-virus 6.40
F-secure internet_gatekeeper 6.41
F-secure internet_gatekeeper 6.4
F-secure internet_gatekeeper 6.50

HTTP:XSS:SYM-GATEWAY-PHP-PAGE - HTTP: Symantec Web Gateway Multiple PHP Pages Cross Site Scripting

Severity: HIGH

Description:

This signature detects attempts to exploit a known cross-site scripting vulnerability in Symantec Web Gateway. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

References:

bugtraq: 67755
cve: CVE-2014-1652

Affected Products:

Symantec web_gateway 5.1.1
Symantec web_gateway 5.1

HTTP:STC:DL:OO-WORD-TABLE - HTTP: OpenOffice Word Document Table Parsing Integer Underflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the OpenOffice Word document parsing routine. A successful attack can lead to an integer underflow and arbitrary remote code execution within the context of the client.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 36200
cve: CVE-2009-0200
cve: CVE-2009-0201

Affected Products:

Debian linux 4.0 Sparc
Debian linux 4.0
Debian linux 5.0 Ia-64
Debian linux 5.0 M68k
Red_hat enterprise_linux_as 3
Red_hat enterprise_linux_es 3
Red_hat enterprise_linux_ws 3
Debian linux 5.0 Ia-32
Debian linux 5.0 Sparc
Suse suse_linux_enterprise 11
Red_hat enterprise_linux_desktop 5 Client
Avaya interactive_response 3.0
Red_hat enterprise_linux_optional_productivity_application 5 Server
Debian linux 4.0 Powerpc
Debian linux 5.0 Mips
Suse opensuse 11.0
Ubuntu ubuntu_linux 8.10 Amd64
Ubuntu ubuntu_linux 8.10 I386
Sun starsuite 8
Ubuntu ubuntu_linux 8.10 Powerpc
Ubuntu ubuntu_linux 8.10 Sparc
Openoffice openoffice 3.1.0
Red_hat enterprise_linux_as 4
Debian linux 5.0 Powerpc
Red_hat enterprise_linux_ws 4
Red_hat enterprise_linux Desktop Version 4
Ubuntu ubuntu_linux 9.04 Amd64
Ubuntu ubuntu_linux 9.04 I386
Ubuntu ubuntu_linux 9.04 Lpia
Ubuntu ubuntu_linux 9.04 Powerpc
Ubuntu ubuntu_linux 9.04 Sparc
Mandriva linux_mandrake 2009.1 X86 64
Ubuntu ubuntu_linux 8.10 Lpia
Debian linux 5.0 S/390
Mandriva linux_mandrake 2009.1
Sun staroffice 9.0
Ubuntu ubuntu_linux 8.04 LTS I386
Red_hat enterprise_linux_desktop_workstation 5 Client
Sun staroffice 7.0.0
Red_hat desktop 3.0.0
Mandriva enterprise_server 5
Debian linux 4.0 Armel
Ubuntu ubuntu_linux 8.04 LTS Amd64
Mandriva linux_mandrake 2008.0 X86 64
Ubuntu ubuntu_linux 8.04 LTS Lpia
Suse novell_linux_desktop 9.0.0
Suse opensuse 10.3
Ubuntu ubuntu_linux 8.04 LTS Powerpc
Suse suse_linux_enterprise 10
Red_hat fedora 10
Ubuntu ubuntu_linux 8.04 LTS Sparc
Mandriva enterprise_server 5 X86 64
Avaya interactive_response 4.0
Debian linux 4.0 Ia-32
Debian linux 5.0 Hppa
Red_hat enterprise_linux_es 4
Debian linux 4.0 S/390
Sun staroffice 8.0
Suse opensuse 11.1
Debian linux 4.0 Mipsel
Debian linux 4.0 Mips
Sun starsuite 7
Mandriva linux_mandrake 2009.0
Sun starsuite 9
Debian linux 5.0 Alpha
Mandriva linux_mandrake 2009.0 X86 64
Debian linux 5.0 Mipsel
Debian linux 4.0 Alpha
Debian linux 4.0 Amd64
Debian linux 4.0 Arm
Debian linux 4.0 Hppa
Debian linux 5.0 Armel
Debian linux 4.0 Ia-64
Debian linux 4.0 M68k
Debian linux 5.0
Mandriva linux_mandrake 2008.0
Debian linux 5.0 Amd64
Debian linux 5.0 Arm

HTTP:PHP:WORDPRESS-REST-PE - HTTP: WordPress REST API Posts Controller Privilege Escalation

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in WordPress. Successful exploitation of this vulnerability could lead to arbitrary modification of WordPress post content.

Supported On:

HTTP:SQL:INJ:MYSCHOOL - HTTP: MySchool SQL Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in MySchool. It is due to insufficient validation of user-supplied input. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

References:

bugtraq: 47938
url: http://em.com.eg/en/emanage/show/12

Affected Products:

Emanage myschool 7.02

HTTP:XSS:ZEN-CART - HTTP: Zen Cart Cross Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known cross-site scripting vulnerability in Zen Cart. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

References:

bugtraq: 47935
url: http://www.zen-cart.com/

Affected Products:

Zen_cart zen_cart 1.3.9h
Zen_cart zen_cart 1.3.9f

HTTP:APACHE:HTTP-SERVER-MOD-DOS - HTTP: Apache HTTP Server mod_deflate and mod_proxy Denial of Service

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Apache HTTP server. A successful attack can result in a denial-of-service condition.

Supported On:

References:

cve: CVE-2014-0118
bugtraq: 68740
bugtraq: 68745
cve: CVE-2014-0117

Affected Products:

Apache http_server 2.4.6
Apache http_server 2.4.7
Apache http_server 2.4.8
Apache http_server 2.4.9

HTTP:PHP:EGROUPWARE-FI - HTTP: eGroupware File Inclusion

Severity: HIGH

Description:

This signature detects attempts to exploit a known local and remote file inclusion vulnerabilities in eGroupware. It is due to insufficient validation of user-supplied input. A remote attacker can exploit this by enticing a target to open a malicious URL link. A successful attack can result in arbitrary code execution and/or loss of sensitive information.

Supported On:

References:

bugtraq: 47968
url: http://www.egroupware.org/

Affected Products:

Egroupware egroupware 1.8.001.20110421

APP:MISC:HP-SITESCOPE-SOAP - APP: HP SiteScope SOAP Call APIPreferenceImpl Multiple Security Bypass

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against HP SiteScope. A successful attack can lead to unauthorized information disclosure.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

url: http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03489683
bugtraq: 55269
cve: CVE-2012-3261
bugtraq: 55273

Affected Products:

Hp sitescope 11.12
Hp sitescope 11.10
Hp sitescope 11.11

APP:MISC:HP-SITESCOPE-DIR-TRAV - APP: HP SiteScope Directory Traversal

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against HP SiteScope. A successful attack can result in directory traversal attacks.

Supported On:

References:

bugtraq: 55273
cve: CVE-2012-3264

Affected Products:

Hp sitescope 11.12
Hp sitescope 11.10
Hp sitescope 11.11

HTTP:TRENDMICRO-CTRLMGR-SQLINJ - HTTP: Trend Micro Control Manager ad hoc query Module SQL Injection

Severity: HIGH

Description:

This signature detects attempts to exploit known vulnerability against Trend Micro Control Manager. An attacker can exploit this vulnerability to submit crafted SQL queries to the underlying database.

Supported On:

References:

bugtraq: 55706
cve: CVE-2012-2998

Affected Products:

Trend_micro control_manager 5.0 (:adv_ed)
Trend_micro control_manager 2.0
Trend_micro control_manager up to 5.5
Trend_micro control_manager 5.0
Trend_micro control_manager 3.0
Trend_micro control_manager 3.5
Trend_micro control_manager 2.1
Trend_micro control_manager 3.0 (:ent_ed)
Trend_micro control_manager 6.0
Trend_micro control_manager 2.5
Trend_micro control_manager 3.5 (:std_ed)
Trend_micro control_manager up to 5.5 (:std_ed)
Trend_micro control_manager up to 5.5 (:adv_ed)
Trend_micro control_manager 5.0 (:std_ed)
Trend_micro control_manager 3.0 (:std_ed)
Trend_micro control_manager 3.5 (:ent_ed)

APP:NOVELL:MSNGR-CREATESEARCH - APP: Novell GroupWise Messenger createsearch Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Novell GroupWise Messenger. A successful attack can lead to memory corruption and arbitrary code execution.

Supported On:

HTTP:SQL:INJ:CA-EXPORTREPORT - HTTP: CA Total Defense Suite UNCWS exportReport SQL Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in CA Total Defense Suite. It is due to insufficient validation of user-supplied input. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

SMB:SAMBA:NMBD-BO - SMB: Samba nmbd Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Samba. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the server.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, mx-11.4, mx-16.1, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, isg-3.4.140032, isg-3.4.139899, vsrx-12.1, idp-5.0.110121210, j-series-9.5, idp-5.0.110130325, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 69021
cve: CVE-2014-3560

Affected Products:

Samba samba 4.0.2
Samba samba 4.1.7
Samba samba 4.0.3
Samba samba 4.1.1
Samba samba 4.0.5
Samba samba 4.0.10
Samba samba 4.0.6
Samba samba 4.0.11
Samba samba 4.1.2
Samba samba 4.0.12
Samba samba 4.1.3
Samba samba 4.0.8
Samba samba 4.1.6
Samba samba 4.0.0
Samba samba 4.0.13
Samba samba 4.0.9
Samba samba 4.0.20
Samba samba 4.0.14
Samba samba 4.0.15
Samba samba 4.0.16
Samba samba 4.1.9
Samba samba 4.0.17
Samba samba 4.1.8
Samba samba 4.1.10
Samba samba 4.0.4
Samba samba 4.1.4
Samba samba 4.0.18
Samba samba 4.0.7
Canonical ubuntu_linux 14.04
Samba samba 4.1.5
Samba samba 4.0.19
Samba samba 4.0.1
Redhat enterprise_linux 6
Redhat enterprise_linux 7.0
Samba samba 4.1.0

HTTP:MS-DOT-NET-HEAP-CORRUPT - HTTP: Microsoft .NET Framework Heap Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft's .NET Framework. It is due to an error in calculating a buffer length for percent-encoded URI components of a UTF-8 encoded URI. Remote attackers could exploit this vulnerability by enticing a target user to either download and execute a malicious XAML browser application, or download and execute a malicious .NET application. A successful exploitation attempt could result in the execution of arbitrary code in the security context in which the .NET application runs.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2012-0015
bugtraq: 51940

Affected Products:

Avaya meeting_exchange 5.2
Microsoft .net_framework 2.0
Microsoft .net_framework 2.0 SP1
Avaya callpilot 4.0
Avaya callpilot 5.0
Avaya communication_server_1000_telephony_manager 3.0
Avaya communication_server_1000_telephony_manager 4.0
Avaya messaging_application_server 5.2
Microsoft .net_framework 2.0 SP2
Avaya meeting_exchange 5.0 SP1
Avaya meeting_exchange 5.0 SP2
Avaya meeting_exchange 5.1 SP1
Avaya meeting_exchange 5.0
Avaya meeting_exchange-client_registration_server
Avaya meeting_exchange-recording_server
Avaya meeting_exchange-streaming_server
Avaya meeting_exchange-web_conferencing_server
Avaya meeting_exchange-webportal
Microsoft .net_framework 3.5.1
Avaya messaging_application_server 4
Avaya messaging_application_server 5
Avaya meeting_exchange 5.0.0.0.52
Avaya aura_conferencing 6.0 Standard
Avaya meeting_exchange 5.1
Avaya meeting_exchange 5.2 SP2
Avaya meeting_exchange 5.2 SP1

HTTP:INFO-LEAK:HP-APISITESCOPE - HTTP: HP SiteScope SOAP Call APISiteScopeImpl Information Disclosure

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against HP SiteScope SOAP Call APISiteScopeImpl. A successful attack can lead to unauthorized information disclosure.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 55269
cve: CVE-2012-3259

Affected Products:

Hp sitescope 11.12
Hp sitescope 11.10
Hp sitescope 11.11

APP:NOVELL:IMANAGER-TREE-NAME - APP: Novell iManager Tree Name Denial of Service

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Novell iManager. A successful attack can result in a denial-of-service condition.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, isg-3.4.139899, mx-11.4, isg-3.4.140032, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, isg-3.5.141818, idp-5.0.110121210, idp-5.0.110130325, srx-branch-19.1, idp-5.1.110170603, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 40485
cve: CVE-2010-1930

Affected Products:

Novell imanager 2.5.0
Novell imanager 2.0.2
Novell imanager 2.7.2
Novell imanager 2.7.3
Novell imanager 2.7.1
Novell imanager 2.7.0
Novell imanager 2.7.3 FTF2
Novell imanager 1.5.0
Novell imanager 2.0.0
Novell imanager 2.6.0

HTTP:SQL:INJ:CA-TOTAL-DEFENSE - HTTP: CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in CA Total Defense Suite UNCWS. It is due to insufficient validation of user-supplied input. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 47355
cve: CVE-2011-1653

Affected Products:

Computer_associates total_defense 12

HTTP:STREAM:YOUTUBE-REQ - HTTP: YouTube Video Request

Severity: INFO

Description:

This signature detects a Web browser's request to the YouTube video sharing service. Such a request can be against network policy.

Supported On:

References:

url: http://www.youtube.com/

HTTP:SQL:INJ:TIVOLI-USER-UPDATE - HTTP: IBM Tivoli Provisioning Manager Express User.updateUserValue SQL Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in IBM Tivoli Provisioning Manager. It is due to insufficient validation of user-supplied input. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

References:

cve: CVE-2012-0199
bugtraq: 52252

Affected Products:

Ibm tivoli_provisioning_manager_express_for_software_distribution 4.1.1

APP:SYMC:MESSAGING-DIR-TRAV - APP: Symantec Messaging Gateway Directory Traversal

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Symantec Messaging Gateway. It is due to insufficient input validation. By sending crafted requests, a remote, authenticated attacker can exploit this vulnerability to disclose sensitive information on the server.

Supported On:

References:

bugtraq: 56789
cve: CVE-2012-4347

Affected Products:

Symantec messaging_gateway 9.5.1
Symantec messaging_gateway 9.5
Symantec messaging_gateway 9.5.2
Symantec messaging_gateway 9.5.4
Symantec messaging_gateway 9.5.3

HTTP:PHP:TINYWEBGALLERY-LFI - HTTP: TinyWebGallery Local File Inclusion

Severity: HIGH

Description:

This signature detects attempts to exploit a known local file inclusion vulnerability in TinyWebGallery. It is due to insufficient validation of user-supplied input. A remote attacker can exploit this by enticing a target to open a malicious URL link. A successful attack can result in arbitrary code execution and/or loss of sensitive information.

Supported On:

References:

bugtraq: 49393
url: http://www.tinywebgallery.com/en/overview.php

Affected Products:

Tinywebgallery tinywebgallery 1.8.4

HTTP:FOXIT-FF-URL-STG-BO - HTTP: Foxit Reader Plugin for Firefox URL String Stack Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known flaw in Foxit Reader Plugin for Firefox. A successful attack could allow the attacker to execute arbitrary code on the targeted system. Failed exploit attempts could result in a denial of service condition.

Supported On:

APP:MCAFEE-FIREWALL-RCE - APP: McAfee Firewall Reporter isValidClient Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against McAfee Firewall. A successful attack can lead to arbitrary remote code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 47306

Affected Products:

Mcafee firewall_reporter 5.1.0.6

HTTP:CGI:AWSTATS - HTTP: AwStat: Malicious Activity

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Awstat module, a Perl module used to provide server usage statistics. Awstat 6.1 and some versions earlier than 6.3 are vulnerable. Attackers can use malicious command injections to execute arbitrary code with Web server privileges.

Supported On:

References:

url: http://awstats.sourceforge.net/docs/awstats_changelog.txt
url: http://www.kb.cert.org/vuls/id/272296/
bugtraq: 12298
cve: CVE-2005-0116
url: http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities

Affected Products:

Suse linux_personal 9.1.0
Awstats awstats 6.1.0
Awstats awstats 6.2.0
Awstats awstats 6.0.0
Awstats awstats 5.9.0
Awstats awstats 5.8.0
Awstats awstats 5.7.0
Awstats awstats 5.6.0
Awstats awstats 5.5.0
Awstats awstats 5.4.0
Awstats awstats 5.3.0
Awstats awstats 5.2.0
Awstats awstats 5.1.0
Awstats awstats 5.0.0
Suse linux 8.0.0
Suse linux 8.0.0 i386
Suse linux_personal 9.0.0 X86 64
Suse linux_personal 9.0.0
Suse linux 8.1.0
Suse linux_personal 8.2.0
Suse linux_personal 9.2.0
Gentoo linux

HTTP:APACHE:RPC-RAVE-INFO-DISC - HTTP: Apache Rave User RPC API Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Apache Rave. A successful attack may lead to unauthorized information disclosure.

Supported On:

References:

bugtraq: 58455
cve: CVE-2013-1814

Affected Products:

Apache rave 0.12
Apache rave 0.17
Apache rave 0.18
Apache rave 0.13
Apache rave 0.14
Apache rave 0.19
Apache rave 0.15
Apache rave 0.11
Apache rave 0.16
Apache rave 0.20

HTTP:STC:DL:GSTREAMER-QT-OF - HTTP: GStreamer QuickTime File Parsing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Mov file format. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

References:

Affected Products:

Debian linux 4.0 Sparc
Debian linux 4.0
Ubuntu ubuntu_linux 7.10 Sparc
Red_hat enterprise_linux_as 3
Red_hat enterprise_linux_es 3
Red_hat enterprise_linux_ws 3
Red_hat enterprise_linux_desktop 5 Client
Suse opensuse 11.0
Ubuntu ubuntu_linux 8.10 Amd64
Ubuntu ubuntu_linux 8.10 I386
Ubuntu ubuntu_linux 8.10 Lpia
Ubuntu ubuntu_linux 8.10 Powerpc
Ubuntu ubuntu_linux 8.10 Sparc
Red_hat enterprise_linux_as 4
Red_hat enterprise_linux_es 4
Red_hat enterprise_linux_ws 4
Mandriva linux_mandrake 2009.0
Mandriva linux_mandrake 2009.0 X86 64
Gstreamer gst-plugins-good 0.10.11
Suse suse_linux_enterprise_server 9
Ubuntu ubuntu_linux 8.04 LTS Amd64
Ubuntu ubuntu_linux 8.04 LTS I386
Mandriva linux_mandrake 2008.0
Red_hat enterprise_linux_desktop_workstation 5 Client
Red_hat enterprise_linux 5 Server
Red_hat desktop 3.0.0
Ubuntu ubuntu_linux 7.10 Lpia
Ubuntu ubuntu_linux 7.10 I386
Red_hat fedora 9
Ubuntu ubuntu_linux 8.04 LTS Lpia
Mandriva corporate_server 3.0.0
Suse opensuse 10.3
Mandriva linux_mandrake 2008.0 X86 64
Mandriva corporate_server 3.0.0 X86 64
Ubuntu ubuntu_linux 8.04 LTS Sparc
Red_hat desktop 4.0.0
Mandriva linux_mandrake 2008.1
Mandriva linux_mandrake 2008.1 X86 64
Pardus linux_2008
Gentoo linux
Suse opensuse 11.1
Ubuntu ubuntu_linux 7.10 Powerpc
Ubuntu ubuntu_linux 8.04 LTS Powerpc
Ubuntu ubuntu_linux 7.10 Amd64
Debian linux 4.0 Alpha
Debian linux 4.0 Amd64
Debian linux 4.0 Arm
Debian linux 4.0 Hppa
Debian linux 4.0 Ia-32
Debian linux 4.0 Ia-64
Debian linux 4.0 M68k
Debian linux 4.0 Mips
Debian linux 4.0 Mipsel
Debian linux 4.0 Powerpc
Debian linux 4.0 S/390

HTTP:JAVA-UA-EXE-DL - HTTP: Executable File Downloaded by Java User Agent

Severity: CRITICAL

Description:

This signature detects a Microsoft executable file being downloaded by a web client using a Java User Agent string. This behavior has been identified as being common to many in-the-wild exploits targeting the recent Java 7 vulnerabilities. It is strongly recommended that you block this activity.

Supported On:

idp-5.1.110161014, DI-Client, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, DI-Base, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

Affected Products:

Oracle jdk 1.7.0 (update4)
Oracle jre 1.7.0 (update5)
Oracle jdk 1.7.0 (update3)
Oracle jre 1.7.0 (update9)
Oracle jre 1.7.0 (update3)
Oracle jdk 1.7.0 (update9)
Oracle jre 1.7.0 (update7)
Oracle jre 1.7.0 (update10)
Oracle jre 1.7.0 (update1)
Oracle jdk 1.7.0 (update2)
Oracle jdk 1.7.0 (update7)
Oracle jdk 1.7.0 (update10)
Oracle jdk 1.7.0 (update1)
Oracle jre 1.7.0 (update2)
Oracle jre 1.7.0 (update6)
Oracle jdk 1.7.0 (update6)
Oracle jre 1.7.0 (update4)
Oracle jdk 1.7.0 (update5)

SPYWARE:KL:STARLOGGER - SPYWARE: Starlogger

Severity: HIGH

Description:

This signature detects the runtime behavior of spyware Starlogger, a keylogger that starts at Windows startup and runs in the background. This spyware records all keystrokes and takes screen captures.

Supported On:

References:

url: http://www.spywareguide.com/product_show.php?id=922

SMTP:OUTLOOK:TZID-OF - SMTP: Outlook TZID Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Outlook. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

References:

url: http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
bugtraq: 21931
cve: CVE-2006-4699
cve: CVE-2007-0033

Affected Products:

Microsoft outlook_2000 SP3
Microsoft outlook_2002 SP2
Microsoft office_xp
Microsoft outlook_2000
Microsoft office_xp SP3
Microsoft outlook_2002
Microsoft office_2003 SP1
Microsoft office_2000 SP1
Microsoft office_2000 SP2
Microsoft outlook_2002 SP3
Microsoft office_xp SP1
Microsoft office_2003 SP2
Microsoft outlook_2000 SP2
Microsoft outlook_2003 SP2
Microsoft outlook_2003
Microsoft outlook_2000 SR1
Microsoft outlook_2002 SP1
Microsoft office_2000 SP3
Microsoft office_xp SP2
Microsoft office_2000
Microsoft office_2003

HTTP:NNMRPTCONFIG-EXE-RCE - HTTP: HP OpenView Network Node Manager nnmRptConfig.exe schd_select1 Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in HP OpenView Network Node Manager. It is due to insufficient validation of user-supplied input. A remote attacker can exploit this by enticing a target to open a malicious URL link. A successful attack can result in arbitrary command execution and buffer overflow.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

Affected Products:

Hp openview_network_node_manager 7.51
Hp openview_network_node_manager 7.53

HTTP:SQL:INJ:SYMANTEC-IM - HTTP: Symantec IM Manager LoggedInUsers.lgx Definition File SQL Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Symantec IM Manager. It is due to insufficient validation of user-supplied input. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

References:

bugtraq: 44299
cve: CVE-2010-0112

Affected Products:

Symantec im_manager 8.4.5
Symantec im_manager 8.3
Symantec im_manager 8.4
Symantec im_manager 8.4.13
Symantec im_manager 8.4.15

HTTP:WP-FGALLERY-MAL-FILE-HOST1 - HTTP: Wordpress FGallery Plugin Malicious File Hosting1

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known flaw in Wordpress FGallery Plugin that allows any arbitrary file to be downloaded. A successful attack could result in download of malicious files on the client machine.

Supported On:

HTTP:MISC:JENKINS-CI-CSRF - HTTP: Jenkins CI Server Multiple Cross-Site Request Forgery

Severity: HIGH

Description:

This signature detects attempts to exploit known vulnerabilities in the Jenkins CI. Successful exploitation of these vulnerabilities could lead to a variety of effects including denial-of-service, configuration changes, and, in the worst case, arbitrary command execution with the privileges of Jenkins.

Supported On:

References:

bugtraq: 98062
cve: CVE-2017-1000356

Affected Products:

Jenkins jenkins 2.46.1
Jenkins jenkins 2.56

HTTP:IIS:ASP-PAGE-BOF - HTTP: Microsoft IIS Server Crafted ASP Page Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft IIS Server Crafted ASP Page. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the server.

Supported On:

References:

bugtraq: 18858
cve: CVE-2006-0026

Affected Products:

Microsoft windows_xp_media_center_edition SP2
Microsoft windows_xp_home
Microsoft windows_2000_datacenter_server
Microsoft windows_2000_professional SP3
Microsoft windows_2000_server SP3
Microsoft windows_2000_advanced_server SP3
Microsoft windows_2000_datacenter_server SP3
Microsoft windows_2000_datacenter_server SP1
Microsoft windows_xp_tablet_pc_edition SP2
Microsoft windows_2000_professional
Microsoft windows_2000_server
Microsoft windows_2000_professional SP1
Microsoft windows_2000_advanced_server SP1
Microsoft windows_2000_advanced_server SP4
Microsoft windows_2000_datacenter_server SP4
Microsoft windows_2000_professional SP4
Microsoft windows_2000_server SP4
Microsoft windows_xp_media_center_edition
Microsoft windows_xp_tablet_pc_edition
Microsoft windows_2000_server SP1
Microsoft windows_xp_home SP1
Microsoft windows_server_2003_standard_edition
Microsoft iis 5.1
Microsoft windows_2000_advanced_server
Microsoft windows_xp
Microsoft windows_server_2003_standard_x64_edition
Microsoft windows_server_2003_enterprise_x64_edition
Microsoft windows_xp_professional SP1
Microsoft windows_server_2003_datacenter_x64_edition
Microsoft windows_xp_professional_x64_edition
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_datacenter_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft windows_xp_home SP2
Microsoft windows_2000_advanced_server SP2
Microsoft windows_2000_datacenter_server SP2
Microsoft windows_2000_professional SP2
Microsoft windows_2000_server SP2
Microsoft windows_xp_professional
Microsoft windows_server_2003_enterprise_edition
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_server_2003_enterprise_edition_itanium
Microsoft windows_server_2003_datacenter_edition_itanium
Microsoft iis 6.0
Microsoft iis 5.0
Microsoft windows_xp_professional SP2
Microsoft windows_xp_tablet_pc_edition SP1
Microsoft windows_xp_media_center_edition SP1

APP:HPOV:NODE-MGR-NNMRPTCONFIG - APP: HP OpenView Network Node Manager nnmRptConfig.exe Template Format String Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against OpenView Network. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2011-0270
bugtraq: 45762

Affected Products:

Hp openview_network_node_manager 7.51
Hp openview_network_node_manager 7.53

HTTP:DIR:HP-LOADRUNNER-EMU - HTTP: HP LoadRunner Virtual User Generator EmulationAdmin Directory Traversal

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in the HP LoadRunner Virtual User Generator. The vulnerabilities exist in the EmulationAdmin web service. A remote unauthenticated attacker can exploit these vulnerabilities to create arbitrary files on the server or disclose sensitive information by reading arbitrary files on the server. Successful exploitation of one of these vulnerabilities could lead to arbitrary code execution on the target system.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2013-4837
cve: CVE-2013-4838
bugtraq: 63476

Affected Products:

Hp loadrunner 9.50.0
Hp loadrunner up to 11.51
Hp loadrunner 9.52
Hp loadrunner 11.50
Hp loadrunner 9.51
Hp loadrunner 9.0.0
Hp loadrunner 11.0.0.0

HTTP:ORACLE:OUTSIDE-IN-PRDOX-BO - HTTP: Oracle Outside In Paradox Database Handling Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Oracle Outside In. A successful attack could allow the attacker to execute arbitrary code on the targeted system. Failed exploit attempts could result in a denial of service condition.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 57364
cve: CVE-2013-0418

Affected Products:

Oracle fusion_middleware 8.3.7.0
Oracle fusion_middleware 8.4
Microsoft exchange_server 2007 (sp3)
Microsoft exchange_server 2010 (sp2)

APP:VMWARE-OVF-FMTSTR - APP: VMware OVF Tools Format String

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in VMware OVF Tools. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the targeted application.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 56468
cve: CVE-2012-3569
url: http://www.vmware.com/security/advisories/VMSA-2012-0015.html

Affected Products:

Vmware workstation 8.0.4
Vmware player 4.0.0.18997
Vmware workstation 8.0.2
Vmware workstation 8.0
Vmware workstation 8.0.1.27038
Vmware player 4.0.2
Vmware workstation 8.0.1
Vmware player 4.0.3
Vmware ovf_tool 2.1
Vmware player 4.0.1
Vmware player 4.0.4
Vmware player 4.0
Vmware workstation 8.0.3
Vmware workstation 8.0.0.18997

HTTP:PHP:PMACHINE-PATH-DISC - HTTP: pMachine Path Disclosure

Severity: LOW

Description:

This signature detects attempts to exploit a known vulnerability in pMachine, an online publishing application. pMachine version 2.2.1 and other versions are vulnerable. Attackers can send a malicious HTTP request to the pMachine Web server to cause some pMachine scripts to return the full path of the pMachine installation. Attackers can use this information in planning future, more targeted attacks.

Supported On:

References:

bugtraq: 7980
url: http://www.pmachine.com

Affected Products:

Pmachine pmachine 2.2.1
Pmachine pmachine 2.2.0
Pmachine pmachine 2.1.0
Pmachine pmachine 2.0.0
Pmachine pmachine 1.0.0

HTTP:STC:DL:WORD-SMART-TAGS - HTTP: Microsoft Word Smart Tags Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office Word. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, srx-branch-19.1, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 18037
cve: CVE-2006-2492

Affected Products:

Microsoft word_viewer_2003
Microsoft works_suite_2004
Microsoft works_suite_2005
Microsoft works_suite_2000
Microsoft word_2002 SP3
Microsoft works_suite_2006
Microsoft works_suite_2001
Microsoft works_suite_2002
Microsoft word_2002
Microsoft word_2002 SP2
Microsoft word_2003
Microsoft word_2002 SP1
Microsoft works_suite_2003

HTTP:IIS:CMS:MAL-CMS-REQ - HTTP: Malformed Content Management Server Request

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Content Management Server. Versions 2001 SP1 through 2002 SP2 are vulnerable. A successful attack can lead to a denial-of-service (DoS) condition or arbitrary code execution.

Supported On:

idp-5.1.110161014, DI-Server, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

url: http://www.microsoft.com/technet/security/Bulletin/MS07-018.mspx
bugtraq: 22861
url: http://www.kb.cert.org/vuls/id/434137
url: http://www.securitytracker.com/id?1017894
cve: CVE-2007-0938
cve: CVE-2007-0939

Affected Products:

Hp storage_management_appliance 2.1
Microsoft content_management_server_2002
Microsoft content_management_server_2001
Microsoft content_management_server_2001 SP1
Microsoft content_management_server_2002 SP1
Microsoft content_management_server_2002 SP2

HTTP:LANDESK-REMOTE-FILE-INC - HTTP: LANDesk Management Suite Remote File Inclusion

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in LANDesk Management Suite. Successful exploitation could lead to arbitrary code execution.

Supported On:

References:

url: http://www.securityfocus.com/archive/1/535286
cve: CVE-2014-5362

Affected Products:

Landesk landesk_management_suite 9.6

HTTP:STC:DL:MS-OFFICE-RCE - HTTP: Microsoft Office Publisher 2007 Pointer Dereference Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office Publisher. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 35599
cve: CVE-2009-0566

Affected Products:

Microsoft publisher_2007 SP1
Microsoft publisher_2007

IMAP:OVERFLOW:IBM-DOMINO-OF - IMAP: IBM Domino IMAP Mailbox Name Stack Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in IBM Domino IMAP Server. Successful exploitation will result in the execution of arbitrary code with SYSTEM privileges. An unsuccessful attack could result in a denial of service condition of the affected service.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2017-1274

Affected Products:

Ibm domino 9.0.1.8
Ibm domino 8.5.3
Ibm domino 8.5.3.6
Ibm domino 9.0.0.0
Ibm domino 9.0.1

HTTP:CGI:BASH-INJECTION-URL - HTTP: Multiple Products Bash Code Injection In URL

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability against GNU Bash in HTTP URL. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 70103
url: https://access.redhat.com/node/1200223
cve: CVE-2014-6271
cve: CVE-2014-7169
cve: CVE-2014-6277
cve: CVE-2014-6278

Affected Products:

Gnu bash 4.1
Gnu bash 1.14.3
Gnu bash 2.02.1
Gnu bash 3.0
Gnu bash 4.0
Gnu bash 3.1
Gnu bash 2.04
Gnu bash 3.2
Gnu bash 2.05
Gnu bash 1.14.0
Gnu bash 2.02
Gnu bash 1.14.1
Gnu bash 2.03
Gnu bash 3.0.16
Gnu bash 1.14.2
Gnu bash 2.0
Gnu bash 3.2.48
Gnu bash 2.01
Gnu bash 4.3
Gnu bash 1.14.5
Gnu bash 4.2
Gnu bash 1.14.6
Gnu bash 1.14.4
Gnu bash 1.14.7
Gnu bash 2.01.1

HTTP:STC:STREAM:QT-MOV-FILE-BOF - HTTP: Apple QuickTime Movie File Clipping Region Handling Heap Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Apple QuickTime. A successful attack could allow the attacker to execute arbitrary code on the targeted system. Failed exploit attempts could result in a denial of service condition.

Supported On:

References:

bugtraq: 35167
cve: CVE-2009-0954

Affected Products:

Apple quicktime_player 7.1
Apple quicktime_player 7.3.1.70
Apple quicktime_player 7.0.2
Apple quicktime_player 6.4
Apple quicktime_player 7.2
Apple quicktime_player 7.0.1
Apple quicktime_player 5.0.2
Apple quicktime_player 6
Apple quicktime_player 7.3.1
Apple quicktime_player 7.0.4
Apple quicktime_player 7.6
Apple quicktime_player 6.1.0
Apple quicktime_player 7.4
Apple quicktime_player 7.1.4
Apple quicktime_player 7.1.5
Apple quicktime_player 7.0.3
Apple quicktime_player 7.4.1
Apple quicktime_player 7.5.5
Apple quicktime_player 7.3
Apple quicktime_player 7.1.3
Apple quicktime_player 7.6.1
Apple quicktime_player 7.1.1
Apple quicktime_player 7.1.2
Apple quicktime_player 7.1.6
Apple quicktime_player 7.4.5
Apple quicktime_player 6.5.2
Apple quicktime_player 6.5.0
Apple quicktime_player 6.5.1
Apple quicktime_player 7.5
Apple quicktime_player 7.0.0

HTTP:STC:DL:MS-PUBLISHER-RCE - HTTP: Microsoft Publisher 2007 Conversion Library Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office Publisher 2007. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

cve: CVE-2007-1754
bugtraq: 22702

Affected Products:

Microsoft publisher_2007
Microsoft office_2007

HTTP:NOVELL:EDIR-ACCEPT-LANG-OF - HTTP: Novell eDirectory Management Console Accept-Language Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known buffer overflow vulnerability in Novell eDirectory. It is due to a boundary error when processing HTTP requests. By supplying an overly large number of values for the Accept-Language header, a remote unauthenticated attacker can leverage this vulnerability to inject and execute arbitrary code on the target host with System or root level privileges. An attack targeting this vulnerability can result in the injection and execution of arbitrary code. If code execution is successful, the behaviour of the target will depend on the intention of the attacker. Any injected code will be executed with System or root privileges. In the case of an unsuccessful code execution attack, eDirectory might terminate abnormally.

Supported On:

References:

url: http://www.juniper.net/security/auto/vulnerabilities/vuln33928.html

SPYWARE:RAT:PRORAT1-9-ICQ - SPYWARE: ProRat1-9 (ICQ Notification)

Severity: CRITICAL

Description:

This signature detects the runtime behavior of the spyware ProRat1.9, a remote administration tool. This spyware enables attackers to completely control an infected host.

Supported On:

References:

HTTP:TREND-IWSVA-CI - HTTP: Trend Micro IWSVA ManageSRouteSettings HttpServlet Command Injection

Severity: HIGH

Description:

A command injection vulnerability has been reported Trend Micro IWSVA. Successful exploration results in arbitrary command execution in the security context of the iscan user.

Supported On:

MS-RPC:OF:LOC-SVC-1 - MS-RPC: DCE-RPC Windows RPC Locator Service Overflow (1)

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Windows DCE RPC Locator service. By default, this service is on in all Windows NT 4 and Windows 2000 Domain Controllers, or can be turned on manually in all Windows NT, 2000, and XP systems. Attackers can deny the locator service, causing network-wide outages, or they can take control and run arbitrary code.

Supported On:

References:

bugtraq: 6666
cert: CA-2003-03
cve: CVE-2003-0003

Affected Products:

Microsoft windows_2000 (sp2)
Microsoft windows_2000 (sp2:datacenter_server)
Microsoft windows_2000 (:professional)
Microsoft windows_nt 4.0 (sp2:workstation)
Microsoft windows_nt 4.0 (sp6)
Microsoft windows_2000_terminal_services (sp2)
Microsoft windows_nt 4.0 (:workstation)
Microsoft windows_xp (:64-bit)
Microsoft windows_2000 (:datacenter_server)
Microsoft windows_nt 4.0 (sp6a:workstation)
Microsoft windows_2000 (:server)
Microsoft windows_xp (sp1)
Microsoft windows_nt 4.0 (sp3:workstation)
Microsoft windows_nt 4.0 (sp1:server)
Microsoft windows_nt 4.0 (sp6a:terminal_server)
Microsoft windows_nt 4.0 (sp6:terminal_server)
Microsoft windows_nt 4.0 (sp5)
Microsoft windows_nt 4.0 (:terminal_server)
Microsoft windows_2000 (:server:jp)
Microsoft windows_nt 4.0 (sp6a)
Microsoft windows_2000 (sp3:professional)
Microsoft windows_2000 (sp2:advanced_server)
Microsoft windows_2000 (sp3:advanced_server)
Microsoft windows_2000 (sp1:server)
Microsoft windows_nt 4.0 (sp5:server)
Microsoft windows_2000 (sp2:server)
Microsoft windows_nt 4.0 (sp4)
Microsoft windows_nt 4.0 (sp4:enterprise_server)
Microsoft windows_nt 4.0 (:enterprise_server)
Microsoft windows_2000 (sp3)
Microsoft windows_nt 4.0 (sp1)
Microsoft windows_nt 4.0 (sp3:server)
Microsoft windows_nt 4.0 (sp1:workstation)
Microsoft windows_2000 (:advanced_server)
Microsoft windows_2000_terminal_services (sp3)
Microsoft windows_2000 (sp1:professional)
Microsoft windows_xp (gold)
Microsoft windows_nt 4.0 (sp6a:server)
Microsoft windows_nt 4.0 (sp2:enterprise_server)
Microsoft windows_nt 4.0 (sp2)
Microsoft windows_xp (sp1:home)
Microsoft windows_2000 (sp3:datacenter_server)
Microsoft windows_nt 4.0 (sp2:terminal_server)
Microsoft windows_2000 (sp2:professional)
Microsoft windows_2000 (sp3:server)
Microsoft windows_nt 4.0 (sp6:enterprise_server)
Microsoft windows_nt 4.0 (sp4:terminal_server)
Microsoft windows_xp (:home)
Microsoft windows_nt 4.0 (sp3)
Microsoft windows_nt 4.0 (sp6:server)
Microsoft windows_2000 (sp1)
Microsoft windows_nt 4.0 (sp3:terminal_server)
Microsoft windows_2000 (sp1:advanced_server)
Microsoft windows_xp (gold:professional)
Microsoft windows_xp (sp1:64-bit)
Microsoft windows_2000_terminal_services (sp1)
Microsoft windows_nt 4.0 (sp5:enterprise_server)
Microsoft windows_nt 4.0 (sp6a:enterprise_server)
Microsoft windows_nt 4.0 (sp3:enterprise_server)
Microsoft windows_nt 4.0
Microsoft windows_nt 4.0 (:server)
Microsoft windows_nt 4.0 (sp6:workstation)
Microsoft windows_nt 4.0 (sp4:server)
Microsoft windows_nt 4.0 (sp5:terminal_server)
Microsoft windows_nt 4.0 (sp1:enterprise_server)
Microsoft windows_nt 4.0 (sp5:workstation)
Microsoft windows_nt 4.0 (sp4:workstation)
Microsoft windows_2000 (sp1:datacenter_server)
Microsoft windows_nt 4.0 (sp1:terminal_server)
Microsoft windows_nt 4.0 (sp2:server)

HTTP:STC:DL:MS-PUB-MC - HTTP: Microsoft Publisher PUB File Processing Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Publisher. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 19951
cve: CVE-2006-0001

Affected Products:

Microsoft office_xp
Hp storage_management_appliance 2.1
Microsoft office_xp SP3
Microsoft office_2003 SP1
Microsoft publisher_2002
Microsoft publisher_2003
Microsoft office_2000 SP1
Microsoft office_2000 SP2
Microsoft office_xp SP1
Microsoft office_2003 SP2
Microsoft publisher_2000
Microsoft office_2000 SP3
Microsoft office_xp SP2
Microsoft office_2000
Microsoft office_2003

HTTP:STC:DL:MS-WORD-XST-BOF - HTTP: Microsoft Wordpad Word Converter XST Structure Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft Wordpad. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the server.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 32718
cve: CVE-2008-4841

Affected Products:

Microsoft windows_xp_professional
Microsoft windows_xp_media_center_edition SP2
Microsoft windows_2000_professional SP3
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_xp_home
Microsoft windows_xp_64-bit_edition SP1
Microsoft windows_server_2003_web_edition SP2
Microsoft windows_xp_tablet_pc_edition SP2
Microsoft windows_2000_professional
Avaya messaging_application_server
Microsoft windows_2000_professional SP1
Avaya messaging_application_server MM 3.1
Microsoft windows_xp_media_center_edition SP1
Microsoft windows_2000_professional SP4
Microsoft windows_server_2003_x64 SP2
Avaya messaging_application_server MM 2.0
Microsoft windows_xp_media_center_edition
Microsoft windows_xp_tablet_pc_edition
Avaya messaging_application_server MM 1.1
Microsoft windows_server_2003_enterprise_x64_edition
Microsoft windows_server_2003_standard_edition
Microsoft windows_server_2003_enterprise_x64_edition SP2
Avaya messaging_application_server MM 3.0
Microsoft windows_server_2003_enterprise_edition SP1 Beta 1
Microsoft windows_xp_64-bit_edition
Microsoft windows_server_2003_datacenter_edition SP1 Beta 1
Microsoft windows_server_2003_datacenter_edition_itanium SP1 Beta 1
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP1
Microsoft windows_server_2003_standard_edition SP1 Beta 1
Microsoft windows_server_2003_web_edition SP1 Beta 1
Microsoft windows_server_2003 SP2
Microsoft windows_xp_professional_x64_edition
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_datacenter_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition_itanium SP1
Microsoft windows_xp_gold
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft windows_server_2003_x64 SP1
Microsoft windows_2000_professional SP2
Microsoft windows_server_2003_enterprise_edition
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_server_2003_datacenter_x64_edition
Microsoft windows_server_2003_enterprise_edition_itanium
Microsoft windows_server_2003_datacenter_edition_itanium
Microsoft windows_xp_professional_x64_edition SP2
Microsoft windows_server_2003_itanium
Microsoft windows_server_2003_itanium SP1
Microsoft windows_server_2003_itanium SP2
Microsoft windows_server_2003_datacenter_x64_edition SP2
Microsoft windows_server_2003_standard_x64_edition
Microsoft windows_server_2003_standard_edition SP2
Microsoft windows_server_2003 SP1
Microsoft windows_xp_home SP2
Microsoft windows_xp_professional SP2
Microsoft windows_xp_tablet_pc_edition SP1
Microsoft windows_server_2003_enterprise_edition_itanium SP1 Beta 1
Microsoft windows_xp

HTTP:PHP:EXIF-HEADER-INT-OF - HTTP: Exif Header Parsing Integer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known integer overflow vulnerability against PHP. A successful attack can result in information disclosure or a denial-of-service condition.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

url: https://bugs.php.net/bug.php?id=60150
bugtraq: 50907
cve: CVE-2011-4566

Affected Products:

Php php 5.4.0

HTTP:IIS:SHAREPOINT-2010-XSS - HTTP: SharePoint Server 2010 Cross Site Scripting Vulnerability

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft SharePoint Server 2010. A Cross Site Scripting (XSS) vulnerability exists in SharePoint Server 2010 where Javascript is encoded in a malicious URL that is echoed back to the user in the resulting page. An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser, resulting in arbitrary code execution with the privileges of the user's browser session.

Supported On:

References:

cve: CVE-2011-0653
bugtraq: 49002

Affected Products:

Microsoft sharepoint_foundation_2010
Microsoft sharepoint_server_2010_enterprise_edition
Microsoft sharepoint_server_2010_standard_edition
Microsoft sharepoint_server_2010 SP1

HTTP:CISCO:PRIME-INFRA-ID - HTTP: Cisco Prime Infrastructure and Evolved Programmable Network Manager Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Cisco Prime Infrastructure and Evolved Programmable Network Manager. Successful exploitation results in the disclosure of arbitrary file contents from the target system.

Supported On:

References:

Affected Products:

Cisco prime_infrastructure 3.1%284.0%29
Cisco evolved_programmable_network_manager 1.2.200
Cisco evolved_programmable_network_manager 1.2.400
Cisco prime_infrastructure 3.0_base
Cisco prime_infrastructure 2.2%283%29
Cisco evolved_programmable_network_manager 2.0.0
Cisco prime_infrastructure 3.2_base
Cisco prime_infrastructure 1.4.0
Cisco prime_infrastructure 1.2.0
Cisco prime_infrastructure 1.4.1
Cisco prime_infrastructure 3.1%285.0%29
Cisco prime_infrastructure 1.2.1
Cisco prime_infrastructure 1.4.2
Cisco evolved_programmable_network_manager 2.0%284.0.45d%29
Cisco prime_infrastructure 3.1_base
Cisco prime_infrastructure 1.3.0.20
Cisco evolved_programmable_network_manager 1.2.1.3
Cisco prime_infrastructure 3.2%280.0%29
Cisco evolved_programmable_network_manager 1.2.300
Cisco prime_infrastructure 1.3.0
Cisco prime_infrastructure 2.1.0
Cisco prime_infrastructure 1.2.0.103
Cisco evolved_programmable_network_manager 1.2.500
Cisco prime_infrastructure 3.0.0
Cisco prime_infrastructure 2.2%282%29
Cisco prime_infrastructure 1.4.0.45
Cisco prime_infrastructure 2.0.0
Cisco prime_infrastructure 2.2.0
Cisco evolved_programmable_network_manager 1.2.0
Cisco prime_infrastructure 3.1.1
Cisco prime_infrastructure 3.1%280.128%29
Cisco prime_infrastructure 3.1.0

HTTP:STC:IE:XML-MEM-COR - HTTP: Microsoft XML Core Services Integer Truncation Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft XML Core Services. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2013-0006
bugtraq: 57116

Affected Products:

Microsoft office_compatibility_pack (sp2)
Microsoft windows_7 - (sp1:x64)
Microsoft word_viewer
Microsoft windows_server_2003 (sp2:itanium)
Microsoft office 2007 (sp3)
Microsoft windows_server_2008 (sp2:x86)
Microsoft office 2007 (sp2)
Microsoft windows_server_2008 r2 (sp1:x64)
Microsoft windows_server_2008 - (sp2:itanium)
Microsoft sharepoint_server 2007 (sp2)
Microsoft windows_vista (sp2:x64)
Microsoft groove_server 2007 (sp3)
Microsoft xml_core_services 4.0
Microsoft xml_core_services 6.0
Microsoft xml_core_services 3.0
Microsoft expression_web 2
Microsoft windows_server_2012 -
Microsoft office 2003 (sp3)
Microsoft expression_web (sp1)
Microsoft windows_rt -
Microsoft xml_core_services 5.0
Microsoft windows_server_2003 (sp2:x64)
Microsoft windows_xp (sp3)
Microsoft office_compatibility_pack (sp3)
Microsoft windows_server_2008 - (sp2:x64)
Microsoft windows_8 - (-:x64)
Microsoft windows_7 - (-:x86)
Microsoft windows_server_2008 r2 (sp1:itanium)
Microsoft sharepoint_server 2007 (sp3)
Microsoft windows_xp - (sp2:x64)
Microsoft groove_server 2007 (sp2)
Microsoft windows_7 - (-:x64)
Microsoft windows_server_2008 r2 (-:x64)

HTTP:IIS:MS-RD-WEB-ACCESS-XSS - HTTP: Microsoft Remote Desktop Web Access Cross Site Scripting

Severity: HIGH

Description:

This signature detects attempts to exploit a know flaw in Microsoft Remote Desktop Web Access. An XSS vulnerability exists in Microsoft's Remote Desktop Web Access where Javascript can be injected back to the user in the resulting page, effectively allowing attacker-controlled JavaScript to run in the context of the user clicking the link.

Supported On:

References:

cve: CVE-2011-1263
bugtraq: 49040

Affected Products:

Microsoft windows_server_2008_r2_x64
Microsoft windows_server_2008_r2_for_x64-based_systems SP1

HTTP:CGI:IPFIRE-PROXY-RCE - HTTP: IPFire proxy.cgi Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the proxy.cgi script of IPFire. Successful exploitation allows the attacker to execute arbitrary code under the security context of a non-privileged user.

Supported On:

HTTP:MISC:MONOWALL-CSRF - HTTP: Monowall Firewall/Router Cross Site Request Forgery

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Monowall Firewall/Router. A successful attack can lead to cross-site request forgery attacks and unauthorized session hijack.

Supported On:

HTTP:XSS:SHAREPOINT-EDITFORM - HTTP: Microsoft SharePoint Server Editform Cross Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known cross-site scripting vulnerability in Microsoft SharePoint Server. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

References:

cve: CVE-2011-1890
bugtraq: 49010

Affected Products:

Microsoft sharepoint_foundation_2010
Microsoft sharepoint_server_2010_enterprise_edition
Microsoft sharepoint_server_2010_standard_edition

HTTP:ORACLE:COREL-DRAW-BO - HTTP: Oracle Outside In CorelDRAW File Parser Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Oracle Outside-In. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the affected application.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

cve: CVE-2011-2264
bugtraq: 48766

Affected Products:

Acd_systems_inc acdsee_canvas 12
Newsoft presto!_pagemanager 9
Guidance_software encase_forensic_v4 4.18.0 A
Novell groupwise 8.0 HP2
Novell groupwise 6.5.0 SP5
Kamel_software fastlook_2009
Novell groupwise 6.5 SP6 Update 3
Novell groupwise 5.2.0
Novell groupwise 5.5.0
Guidance_software encase_forensic 6.14
Cisco security_agent 4.5.0
Accessdata forensic_toolkit 8.3.2.0
Accessdata forensic_toolkit 3.2
Novell groupwise 6.5.0 SP3
Novell groupwise 6.5.0 SP4
Novell groupwise 6.0.1 Sp1
Oracle fusion_middleware 8.3.5.0
Novell groupwise 6.5.6
Avantstar_inc. quick_view_plus 11
Hp trim
Symantec enterprise_vault 7.5
Novell groupwise 8.0 HP1
Guidance_software encase_enterprise 4.0.0
Guidance_software encase_enterprise 4.16.0
Novell groupwise_internet_agent 8.0
Cisco security_agent 4.0.3.728
Cisco security_agent 3.X
Cisco security_agent 4.0.3
Cisco security_agent 4.0.2
Cisco security_agent 4.0.1
Cisco security_agent 4.0.0
Cisco security_agent 4.5.1.659
Cisco security_agent 5.0.0.201
Novell groupwise 6.5.0 SP1
Mcafee groupshield 7.0.716.101
Novell groupwise 6.5.0 SP6 Update 1
Novell groupwise 8.0 SP2
Cisco security_agent 5.1.0 .79
Ibm content_integrator 8.5.1
Cisco security_agent 3
Novell groupwise 5.57E
Cisco security_agent 5.2
Novell groupwise 6.5.3
Novell groupwise 6.5.0 SP2
Novell groupwise 6.0.0 SP4
Accessdata ftk 3.2
Kroll_ontrack easyrecovery
Kroll_ontrack powercontrols
Marklogic server
Novell groupwise 6.5.0 SP6
Mcafee host_data_loss_prevention 9.0
Novell groupwise 6.5.0 Post SP6
Symantec enterprise_vault 8.0 SP4
Cisco security_agent 6.0(1.126)
Cisco security_agent 6.0(2.099)
Cisco security_agent 5.2.0.285
Cisco security_agent 6.0
Cisco security_agent 6.0.1.132
Cisco security_agent 5.1.0.117
Cisco security_agent 5.2.0.296
Novell groupwise 8.02 HP1
Cisco security_agent 4.5.1
Cisco security_agent 4.5.1.639
Guidance_software encase_forensic 5.0
Guidance_software encase
Symantec enterprise_vault 9.0.2
Ibm db2 9.7 fixpack 2
Ibm db2 9.7 fixpack 3
Ibm db2 9.7
Ibm omnifind 9.1
Novell groupwise 8.0
Novell groupwise 6.0.0
Oracle fusion_middleware 8.3.2.0
Novell groupwise 6.0.0 SP3
Ibm content_integrator 8.6
Ibm content_manager_enterprise_edition 8.4.3
Ibm classification_module 8.6
Ibm commonstore_for_exchange 8.4
Ibm commonstore_for_lotus_domino 8.4
Ibm content_analytics 2.1
Ibm content_analytics 2.2
Ibm content_collector_for_email 2.1.1
Ibm content_collector_for_email 2.2
Ibm content_collector_for_file_systems 2.1.1
Novell groupwise 6.0.0 SP1
Novell groupwise 6.0.0 SP2
Ibm content_collector_for_microsoft_sharepoint 2.2
Ibm document_manager 8.4.2
Cisco security_agent 5.0
Cisco security_agent 5.0.0.193
Cisco security_agent 5.1
Ibm filenet_capture 5.2
Ibm filenet_capture 5.2.1
Ibm filenet_content_manager 5.0
Ibm filenet_content_manager 5.1
Ibm filenet_integrated_document_management_desktop 4.0.2
Ibm filenet_integrated_document_management_desktop 4.0.3
Ibm infosphere_classification_module 8.7
Ibm production_imaging_edition 5.0
Ibm web_interface_for_content_management 1.0.1
Ibm web_interface_for_content_management 1.0.2
Ibm web_interface_for_content_management 1.0.3
Ibm web_interface_for_content_management 1.0.4
Novell groupwise 6.5.2
Novell groupwise 6.5.4
Cisco security_agent 4.5.0
Ibm content_collector_for_file_systems 2.2
Guidance_software encase_forensic 6.12
Cisco security_agent 2.1.0
Novell groupwise 8.01X
Ibm content_collector_for_microsoft_sharepoint 2.1.1
Novell groupwise 8.02
Novell groupwise 8.02 HP2
Symantec enterprise_vault 10.0
Symantec enterprise_vault 9.0
Symantec enterprise_vault 8.0 SP5
Novell groupwise 6.5.0
Symantec enterprise_vault 9.0.1
Cisco security_agent 4.5.1.657
Ibm omnifind 8.5
Novell groupwise 8.0 SP1
Ibm document_manager 2.2
Ibm ediscovery_analyzer 2.2
Ibm ediscovery_manager 2.2
Cisco security_agent 6.0.2.145
Symantec enterprise_vault 8.0

HTTP:STC:ADVANTECH-WEBACCESS - HTTP: Advantech WebAccess Dashboard uploadFile Arbitrary File Upload

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Dashboard component of Advantech WebAccess. Successful exploitation could allow the attacker to execute arbitrary code.

Supported On:

References:

cve: CVE-2016-0854

Affected Products:

Advantech webaccess 8.0

HTTP:SQL:INJ:WP-MULTIPLE - HTTP: WordPress Multiple SQL Injection Vulnerabilities

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in WordPress. It is due to insufficient validation of user-supplied input. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

References:

bugtraq: 48521
url: http://wordpress.org/news/2011/06/wordpress-3-1-4/
url: https://www.sec-consult.com/files/20110621-0_wordpress_multiple_sqli.txt
url: http://www.wordpress.org

Affected Products:

Wordpress wordpress 3.1.3
Red_hat fedora 15
Wordpress wordpress 3.2-RC1
Wordpress wordpress 3.1
Wordpress wordpress 3.1.1
Red_hat fedora 14
Wordpress wordpress 3.1.2

HTTP:CGI:TWIKI-SEARCH-CMD-EXEC - HTTP: TWiki Search Module Remote Command Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the TWiki, a Web-based collaboration application. Because the TWiki search function does not properly check a search string for shell metacharacters, attackers can create a search string containing quotes and shell commands, enabling them to execute arbitrary code with Web server privileges. When TWiki access is unrestricted, attackers are not required to authenticate before using the search function.

Supported On:

References:

url: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
bugtraq: 11674
url: http://archives.neohapsis.com/archives/bugtraq/2004-11/0201.html
cve: CVE-2004-1037

Affected Products:

Gentoo linux
Twiki twiki 01-Feb-2003
Twiki twiki 01-Dec-2001
Twiki twiki 01-Dec-2000
Twiki twiki 20030201
Conectiva linux 10.0.0
Twiki twiki 20040901

HTTP:STC:DL:QT-PDAT - HTTP: Apple QuickTime PDAT Atom Parsing Buffer Overflow

Severity: HIGH

Description:

Supported On:

References:

bugtraq: 31086
cve: CVE-2008-3625

Affected Products:

Apple mac_os_x 10.5.1
Apple mac_os_x 10.4.1
Apple mac_os_x_server 10.4.1
Apple quicktime_player 7.1
Apple mac_os_x_server 10.4.7
Apple mac_os_x_server 10.5
Apple mac_os_x_server 10.5.1
Apple quicktime_player 7.1.4
Apple quicktime_player 7.1.6
Apple quicktime_player 7.3.1.70
Apple mac_os_x 10.4.7
Apple quicktime_player 7.1.5
Apple quicktime_player 7.2
Apple quicktime_player 7.0.1
Apple quicktime_player 7.0.4
Apple quicktime_player 7.0.3
Apple mac_os_x 10.4.3
Apple mac_os_x_server 10.4.3
Apple mac_os_x 10.5.3
Apple mac_os_x_server 10.5.3
Apple quicktime_player 7.4
Apple quicktime_player 7.3.1
Apple mac_os_x 10.4.2
Apple mac_os_x_server 10.4.2
Apple quicktime_player 7.4.1
Apple mac_os_x 10.4.8
Apple mac_os_x_server 10.4.8
Apple quicktime_player 7.3
Apple mac_os_x 10.5.2
Apple mac_os_x_server 10.5.2
Apple quicktime_player 7.1.3
Apple mac_os_x 10.4.6
Apple mac_os_x_server 10.4.6
Apple quicktime_player 7.1.1
Apple quicktime_player 7.1.2
Apple mac_os_x 10.5.4
Apple mac_os_x_server 10.5.4
Apple mac_os_x 10.4.4
Apple mac_os_x_server 10.4.4
Apple mac_os_x 10.4.5
Apple mac_os_x_server 10.4.5
Apple quicktime_player 7.4.5
Apple mac_os_x 10.5
Apple mac_os_x 10.4.9
Apple mac_os_x_server 10.4.9
Apple quicktime_player 7.5
Apple mac_os_x 10.4.10
Apple mac_os_x_server 10.4.10
Apple mac_os_x_server 10.4.0
Apple mac_os_x 10.4.11
Apple mac_os_x_server 10.4.11
Apple quicktime_player 7.0.0
Apple quicktime_player 7.0.2

HTTP:MISC:TRENDMICRO-CMD-INJ - HTTP: Trend Micro Command Injection In HTTP Variables

Severity: CRITICAL

Description:

The signature is trying to capture any command injection vulnerabilites present in http parameters. Successful exploitation by remote use could lead to arbitrary command execution under the security context of the root user.

Supported On:

References:

HTTP:TRENDMICRO-SAFESYNC-ENT-CI - HTTP: Trend Micro SafeSync for Enterprise replace_local_disk Command Injection

Severity: HIGH

Description:

This signature detects an attempt to exploit command injection vulnerability in Trend Micro SafeSync for Enterprise. A remote, authenticated attacker could exploit this vulnerability by sending a crafted input to the vulnerable system. Successful exploitation could lead to arbitrary command execution under the security context of the root user.

Supported On:

HTTP:STC:MS-FOREFRONT-RCE - HTTP: Microsoft Forefront Threat Management Gateway Client Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Forefront Threat Management Gateway 2010 Client. It is due to an error in the calculation of a buffer size in the NSPLookupServiceNext function. Potentially any application running on a system could be affected by this vulnerability due to the way Microsoft Forefront Threat Management Gateway is installed on a system. Remote attackers can exploit this vulnerability by enticing unsuspecting users to open a specially crafted web page or view an email message. Successful exploitation could result in execution of arbitrary code within the security context of the affected client application.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 48181
cve: CVE-2011-1889

Affected Products:

Microsoft forefront_threat_management_gateway_2010_client

POP3:SUSPICIOUS-HEADER - POP3: Suspicious Mail Sender with Randomized Header

Severity: HIGH

Description:

This signature detects POP3 messages that contains suspicious randomized Header. This kind of behavior is mostly observed when someone is trying to scan and send malicious traffic against a network security device using various traffic generators.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, isg-3.5.141818, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, isg-3.4.140032, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, isg-3.0.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, isg-3.4.0

HTTP:STC:DL:WEBEX-ATAS - HTTP: Cisco WebEx Recording Format Player atas32.dll 0xBB Subrecords Integer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Cisco WebEx Recording Format (WRF) Player. A successful attack can lead to a integer overflow and arbitrary remote code execution within the context of the target program.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120404-webex
bugtraq: 52882
cve: CVE-2012-1337

Affected Products:

Cisco webex_(linux) T27 L SP11 EP26
Cisco webex_(linux) T27 LB SP21 EP10
Cisco webex_(linux) T27 LC SP25 EP9
Cisco webex_(linux) T27 LD SP32
Cisco webex_(mac_os_x) T27 LC SP25 EP9
Cisco webex_(mac_os_x) T27 LB SP21 EP10
Cisco webex_(mac_os_x) T27 L SP11 EP26
Cisco webex_(windows) T27 L SP11 EP26
Cisco webex_(windows) T27 LB SP21 EP10
Cisco webex_(windows) T27 LC SP25 EP9
Cisco webex_(mac_os_x) T27 LD SP32
Cisco webex_(windows) T27 LD SP32

HTTP:XSS:ORACLE-GLASSFISH - HTTP: Oracle GlassFish Enterprise Server Cross Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known cross site scripting vulnerability in Oracle GlassFish Enterprise Server. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 48797
url: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html
url: http://www.senseofsecurity.com.au/advisories/SOS-11-009.pdf
cve: CVE-2011-2260

Affected Products:

Sun glassfish_enterprise_server 2.1.1

HTTP:XSS:MS-MULT-APPLICATION - HTTP: Microsoft Multiple Application Cross Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known cross site scripting vulnerability in Oracle HTTP Server isqlplus. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

References:

bugtraq: 22705
cve: CVE-2007-1111

Affected Products:

Activecalendar activecalendar 1.2.0

HTTP:XSS:WP-STATS-DASHBOARD - HTTP: WordPress WP-Stats-Dashboard Plugin Multiple Cross Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known cross-site scripting vulnerability in the WordPress WP-Stats-Dashboard Plugin. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

References:

bugtraq: 49197
url: http://www.htbridge.ch/advisory/multiple_xss_in_wp_stats_dashboard.html
url: http://wordpress.org/
url: http://www.daveligthart.com/wp-stats-dashboard-10/

Affected Products:

Dave_ligthart wp-stats-dashboard 2.6.5.1

HTTP:STC:ADOBE:FLASH-MP4LOAD-BO - HTTP: Adobe Flash Player MP4 Loading Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Flash Player. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the affected application.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

cve: CVE-2011-2140
bugtraq: 49083

Affected Products:

Red_hat desktop_extras 4
Adobe flash_player 9.125.0
Adobe flash_player 10.1.82.76
Adobe flash_player 9.0.280
Sun solaris 10 Sparc
Red_hat enterprise_linux_supplementary 5 Server
Red_hat enterprise_linux_desktop_supplementary 6
Adobe flash_player 9.0.159.0
Adobe flash_player 10.0.45.2
Adobe flash_player 9.0.262
Adobe flash_player 10.1 Release Candidate
Red_hat enterprise_linux_server_supplementary 6
Red_hat enterprise_linux_workstation_supplementary 6
Google chrome 12.0.742.100
Adobe flash_player 9.0.28.0
Adobe flash_player 9.0.31.0
Hp systems_insight_manager 6.0
Google chrome 10.0.648.204
Hp systems_insight_manager 5.0
Hp systems_insight_manager 5.0 SP1
Hp systems_insight_manager 5.0 SP2
Hp systems_insight_manager 5.0 SP3
Hp systems_insight_manager 4.2 SP1
Hp systems_insight_manager 4.2 SP2
Hp systems_insight_manager 4.2
Adobe flash_player 9.0.114.0
Adobe flash_player 10.2.152.21
Adobe flash_player 10.1.106.16
Adobe flash_player 8
Adobe flash_player 8
Google chrome 11.0.696.77
Suse suse_linux_enterprise_desktop 10 SP4
Google chrome 10.0.648.205
Google chrome 9.0.597.94
Hp systems_insight_manager 4.1
Adobe flash_player 8.0.24.0
Adobe flash_player 10.3.181.26
Google chrome 10.0.648.205
Adobe flash_player 10
Google chrome 13.0.782.107
Google chrome 13
Adobe flash_player 9.0.31.0
Hp systems_insight_manager 5.3
Hp systems_insight_manager 5.3 Update 1
Google chrome 10.0.648.205
Google chrome 9.0.597.107
Adobe flash_player 10.0.0.584
Google chrome 10.0.648.127
Google chrome 10
Adobe flash_player 10.2.154.27
Adobe air 2.6.19120
Adobe air 2.6.19140
Adobe flash_player 9.0.151 .0
Adobe flash_player 9.0.18D60
Adobe flash_player 9.0.28.0
Adobe flash_player 10.0.45 2
Sun solaris 11 Express
Adobe flash_player 10.1.51.66
Adobe flash_player 8.0.39.0
Adobe flash_player 8.0.33.0
Adobe flash_player 9.0.124.0
Adobe flash_player 10.2.156.12
Adobe flash_player 10.1.95.2
Adobe flash_player 9.0.112.0
Google chrome 11.0.696.71
Google chrome 10.0.648.127
Adobe flash_player 9.0.48.0
Google chrome 10.0.648.128
Adobe flash_player 9.0.115.0
Adobe flash_player 10.1.102.65
Adobe flash_player 9.0.260.0
Adobe flash_player 8.0.22.0
Adobe flash_player 10.2.154.13
Sun solaris 10 X86
Google chrome 11.0.696.43
Adobe flash_player 10.1.92.10
Suse opensuse 11.4
Google chrome 12.0.742.112
Adobe flash_player 9.0.20
Google chrome 11.0.672.2
Google chrome 11
Adobe flash_player 8.0.35.0
Hp systems_insight_manager 5.0 SP5
Hp systems_insight_manager 5.0 SP6
Hp systems_insight_manager 5.1 SP1
Adobe flash_player 9.0.16
Adobe flash_player 10.1.53.64
Adobe flash_player 9.0.277.0
Red_hat enterprise_linux_desktop_supplementary 5 Client
Adobe flash_player 9
Adobe flash_player 10.3.185.25
Adobe flash_player 9.0.262.0
Adobe flash_player 10.3.185.22
Adobe flash_player 10.3.181.22
Adobe flash_player 10.3.181.23
Adobe flash_player 10.0.42.34
Adobe flash_player 10.0.32.18
Avaya interactive_response 4.0
Adobe flash_player 9.0.246.0
Adobe flash_player 10.0.32 18
Adobe flash_player 9.0.246 0
Adobe flash_player 9.0.283.0
Adobe flash_player 8.0.42.0
Adobe flash_player 10.0.12 .36
Google chrome 11.0.696.43
Google chrome 11.0.696.57
Gentoo linux
Hp systems_insight_manager 6.1
Hp systems_insight_manager 5.2 SP2
Adobe air 2.7
Adobe flash_player 9.0.45.0
Adobe flash_player 9.0.47.0
Adobe flash_player 8.0.34.0
Adobe flash_player 10.1.52.14.1
Adobe flash_player 10.1.52.15
Adobe flash_player 10.1.92.8
Adobe flash_player 10.1.95.2
Adobe flash_player 10.2.152
Adobe flash_player 10.2.152.32
Adobe flash_player 10.3.181.16
Adobe flash_player 10.3.185.22
Hp systems_insight_manager 6.2
Google chrome 12
Google chrome 12.0.742.91
Adobe flash_player 10.3.185.23
Adobe flash_player 9.0.155.0
Hp systems_insight_manager 6.0.0.96
Hp systems_insight_manager 6.3
Adobe flash_player 9.0.20.0
Red_hat enterprise_linux_extras 4
Adobe flash_player 10.1.102.64
Adobe flash_player 9.0.289.0
Adobe flash_player 10.0.45 2
Adobe flash_player 9.0.125.0
Google chrome 11.0.696.65
Adobe flash_player 10.2.154.24
Adobe flash_player 10.3.181.16
Adobe flash_player 10.0.15 .3
Adobe flash_player 9.0.152 .0
Adobe flash_player 10.0.12 .35
Adobe flash_player 10.3.181.34
Hp systems_insight_manager 4.1 Sp1
Adobe flash_player 10.2.154.18
Adobe flash_player 10.0.22.87
Adobe flash_player 10.2.152.33
Adobe flash_player 10.1.92.10
Adobe flash_player 10.1.95.1
Adobe flash_player 10.1.85.3
Suse opensuse 11.3
Xerox freeflow_print_server_(ffps) 73.C0.41
Xerox freeflow_print_server_(ffps) 73.B3.61
Suse suse_linux_enterprise_desktop 11 SP1
Adobe flash_player 10.0.12.10
Adobe flash_player 10.2.159.1
Adobe flash_player 10.2.157.51
Hp systems_insight_manager 4.0
Adobe flash_player 10.2.154.28
Adobe flash_player 10.3.181.14
Adobe flash_player 10.3.185.21
Adobe flash_player 10.2.153.1
Google chrome 10.0.648.133
Adobe flash_player 10.1.105.6
Adobe air 2.6
Adobe flash_player 10.2.154.25
Google chrome 9.0.597.84
Google chrome 11.0.696.68
Red_hat enterprise_linux_ws_extras 4
Red_hat enterprise_linux_es_extras 4
Red_hat enterprise_linux_as_extras 4

HTTP:XSS:SYMANTEC-EP-PARAM-XSS - HTTP: Symantec Endpoint Protection URI Parameter Reflected Cross-Site Scripting

Severity: MEDIUM

Description:

This signature detect attempts to exploit a known vulnerability against Symantec Endpoint Protection Manager. The vulnerabilities are due to insufficient validation of user input before it is sent back to the user. A remote unauthenticated attacker may exploit these vulnerabilities to execute arbitrary script code in the context of the the current browser session.

Supported On:

References:

cve: CVE-2014-3438

Affected Products:

Symantec endpoint_protection_manager 12.1.3
Symantec endpoint_protection_manager 12.1.0
Symantec endpoint_protection_manager 12.1.1
Symantec endpoint_protection_manager 12.1.4
Symantec endpoint_protection_manager 12.1.2

HTTP:APACHE:SCALP - HTTP: Apache-scalp.c Attempt

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in Apache Web servers. Apache improperly calculates required buffer sizes for chunked encoded requests due to a signed interpretation of an unsigned integer value. Attackers can send chunked encoded requests with the unique Host header value "apache-scalp.c." in the GET request to create a buffer overflow and execute arbitrary code.

Supported On:

References:

bugtraq: 5033
url: http://httpd.apache.org/info/security_bulletin_20020617.txt
cert: CA-2002-17
cve: CVE-2002-0392

Affected Products:

Apache_software_foundation apache 1.3.14 Mac
Hp compaq_secure_web_server_for_openvms 1.1.0 -1
Apache_software_foundation apache 1.3.3
Apache_software_foundation apache 1.3.14
Apache_software_foundation apache 1.3.12
Hp virtualvault 4.6.0
Hp hp-ux 11.0.0 4
Apache_software_foundation apache 1.2.0
Apache_software_foundation apache 1.3.23
Apache_software_foundation apache 1.0.5
Hp hp-ux 11.22.0
Apache_software_foundation apache 1.1.0
Macromedia jrun 4.0.0
Apache_software_foundation apache 1.3.16
Apache_software_foundation apache 1.3.18
Apache_software_foundation apache 1.3.19
Apache_software_foundation apache 1.3.0
Hp hp-ux 11.20.0
Hp hp-ux 11.11.0
Oracle oracle_http_server 8.1.7
Apache_software_foundation apache 1.2.5
Apache_software_foundation apache 1.3.1
Apache_software_foundation apache 1.3.15
Apache_software_foundation apache 1.3.20
Hp openview_service_information_portal 1.0.0
Hp openview_service_information_portal 2.0.0
Hp openview_service_information_portal 3.0.0
Hp tru64_unix_compaq_secure_web_server 5.8.1
Hp tru64_unix_compaq_secure_web_server 5.8.2
Hp compaq_secure_web_server_for_openvms 1.2.0
Oracle oracle_http_server 9.0.1
Apache_software_foundation apache 1.0.2
Hp tru64_unix_internet_express 5.9.0
Hp internet_express_eak 2.0.0
Oracle oracle_http_server 1.0.2 .0
Oracle oracle_http_server 1.0.2 .1
Oracle oracle_http_server_for_apps_only 1.0.2 .1s
Oracle oracle_http_server 1.0.2 .2
Oracle oracle_http_server 1.0.2 .2 Roll up 2
Macromedia coldfusion_server MX Professional
Macromedia coldfusion_server MX Developer
Macromedia coldfusion_server MX Enterprise
Hp compaq_secure_web_server_for_openvms 1.0.0 -1
Apache_software_foundation apache 1.3.9
Apache_software_foundation apache 1.3.11
Oracle oracle_http_server 9.1.0
Apache_software_foundation apache 1.3.4
Hp openview_network_node_manager 6.10.0
Hp virtualvault 4.5.0
Hp hp-ux 11.0.0
Apache_software_foundation apache 1.3.24
Apache_software_foundation apache 1.0.3
Hp openview_network_node_manager 6.31.0
Apache_software_foundation apache 1.1.1
Oracle oracle_http_server 9.0.2
Hp openview_network_node_manager 6.2.0
Apache_software_foundation apache 1.3.22
Apache_software_foundation apache 1.3.13
Apache_software_foundation apache 1.0.0
Apache_software_foundation apache 2.0.36
Apache_software_foundation apache 2.0.35
Apache_software_foundation apache 2.0.28
Apache_software_foundation apache 2.0.32
Apache_software_foundation apache 2.0.0
Apache_software_foundation apache 2.0.38
Apache_software_foundation apache 2.0.37
Apache_software_foundation apache 1.3.17
Red_hat secure_web_server 3.2.0 i386
Hp hp-ux_(vvos) 11.0.0 4
Ibm http_server 1.3.19
Hp openview_network_node_manager 6.1.0
Oracle oracle_http_server 9.2.0 .0

APP:MISC:ZIMBRA-COLLAB-INFODISC - APP: Zimbra Collaboration Server Local File Inclusion Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known local file inclusion vulnerability in Zimbra Collaboration Server. It is due to insufficient validation of user-supplied input. A successful attack can result in loss of sensitive information.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1

References:

bugtraq: 64149
cve: CVE-2013-7091

Affected Products:

Zimbra zimbra_collaboration_suite 6.0.15
Zimbra zimbra_collaboration_suite 6.0.7
Zimbra zimbra_collaboration_suite 6.0.9
Zimbra zimbra_collaboration_suite 6.0.12
Zimbra zimbra_collaboration_suite 6.0
Zimbra zimbra_collaboration_suite 6.0.16
Zimbra zimbra_collaboration_suite 6.0.8
Zimbra zimbra_collaboration_suite 6.0.1
Zimbra zimbra_collaboration_suite 6.0.14
Zimbra zimbra_collaboration_suite 6.0.5
Zimbra zimbra_collaboration_suite 6.0.6
Zimbra zimbra_collaboration_suite 6.0.10
Zimbra zimbra_collaboration_suite 6.0.13
Zimbra zimbra_collaboration_suite 6.0.4
Zimbra zimbra_collaboration_suite 6.0.3
Zimbra zimbra_collaboration_suite 6.0.2

HTTP:STC:MOZILLA:MAL-SVG-INDEX - HTTP: Firefox Malformed SVG Index Parameter

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Mozilla Firefox. An attacker can create a Web site with Web pages containing dangerous SVG calls, which if accessed by a victim, allows the attacker to gain control of the victim's client browser.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

url: http://www.mozilla.org/security/announce/2007/mfsa2007-12.html
bugtraq: 24242
cve: CVE-2007-2867

Affected Products:

Suse linux_personal 10.1
Suse linux_professional 10.1
Red_hat enterprise_linux_desktop 5 Client
Ubuntu ubuntu_linux 6.06 LTS Powerpc
Red_hat enterprise_linux_optional_productivity_application 5 Server
Ubuntu ubuntu_linux 6.06 LTS Amd64
Mozilla firefox 1.5.0
Suse novell_linux_pos 9
Mozilla firefox 2.0 Beta 1
Red_hat enterprise_linux_es 3
Slackware linux 10.2.0
Mozilla firefox 1.0.3
Mozilla thunderbird 1.0.5
Mozilla firefox 1.0.2
Suse unitedlinux 1.0.0
Suse suse_linux_school_server_for_i386
Suse linux_personal 10.2
Suse linux_personal 10.2 X86 64
Suse linux_professional 10.2 X86 64
Suse linux_professional 10.2
Ubuntu ubuntu_linux 6.10 Amd64
Ubuntu ubuntu_linux 6.10 I386
Ubuntu ubuntu_linux 6.10 Powerpc
Ubuntu ubuntu_linux 6.10 Sparc
Suse linux_professional 10.0.0 OSS
Suse linux_personal 10.0.0 OSS
Debian xulrunner
Mozilla camino 0.7.0 .0
Mozilla camino 1.0.3
Mozilla camino 0.8.0
Suse linux 10.1 X86
Suse linux 10.1 X86-64
Suse linux 10.1 Ppc
Suse linux 10.0 Ppc
Suse linux 10.0 X86
Suse linux 10.0 X86-64
Suse suse_linux_enterprise_server 8
Mozilla thunderbird 1.5.0
Mozilla thunderbird 1.5.0.7
Mozilla seamonkey 1.0.99
Hp hp-ux B.11.31
Mozilla thunderbird 1.5.0.4
Mozilla thunderbird 1.0.7
Ubuntu ubuntu_linux 6.06 LTS I386
Red_hat enterprise_linux_ws 2.1 IA64
Red_hat enterprise_linux_as 2.1 IA64
Red_hat enterprise_linux_es 2.1 IA64
Sun solaris 9 Sparc
Avaya interactive_response 2.0
Mozilla seamonkey 1.0.2
Mozilla thunderbird 1.5.0.5
Mozilla firefox 1.5.0.5
Mozilla seamonkey 1.0.3
Mozilla thunderbird 1.0.0
Mozilla firefox 1.0.6
Mozilla firefox 1.0.0
Red_hat fedora 7
Gentoo www-client/mozilla-firefox 2.0.0.3
Gentoo www-client/mozilla-firefox-bin 2.0.0.3
Gentoo mail-client/mozilla-thunderbird 2.0.0.3
Gentoo mail-client/mozilla-thunderbird-bin 2.0.0.3
Gentoo www-client/seamonkey 1.0.7
Gentoo www-client/seamonkey-bin 1.0.7
Gentoo net-libs/xulrunner 1.8.1.3
Mozilla thunderbird 1.5.0.8
Mozilla seamonkey 1.0.6
Mozilla firefox 2.0 RC2
Mozilla firefox 1.0.8
Red_hat enterprise_linux_as 2.1
Red_hat enterprise_linux_es 2.1
Red_hat enterprise_linux_ws 2.1
Mozilla firefox 2.0 RC3
Mozilla thunderbird 1.5.0.10
Mozilla seamonkey 1.0.8
Mozilla firefox 2.0.0.3
Mozilla firefox 1.5.0.11
Hp hp-ux B.11.23
Mozilla thunderbird 1.0.8
Mandriva linux_mandrake 2007.1
Suse linux_professional 10.0.0
Mozilla firefox 1.0.1
Mozilla firefox 1.5.0 Beta 2
Mozilla thunderbird 1.0.6
Mandriva linux_mandrake 2007.0 X86 64
Red_hat enterprise_linux_as 3
Sun solaris 10 X86
Red_hat enterprise_linux_ws 3
Mozilla seamonkey 1.0
Mozilla thunderbird 1.0.1
Rpath rpath_linux 1
Mozilla firefox 1.5.0.3
Sun solaris 8 Sparc
Avaya interactive_response 3.0
Sun solaris 8 X86
Hp hp-ux B.11.11
Suse suse_linux_openexchange_server 4.0.0
Suse suse_linux_retail_solution 8.0.0
Suse suse_linux_standard_server 8.0.0
Mozilla firefox 1.5.0.6
Mozilla seamonkey 1.1.1
Mandriva linux_mandrake 2007.0
Red_hat enterprise_linux_desktop_workstation 5 Client
Red_hat enterprise_linux 5 Server
Mozilla seamonkey 1.1 Beta
Ubuntu ubuntu_linux 7.04 Amd64
Ubuntu ubuntu_linux 7.04 I386
Ubuntu ubuntu_linux 7.04 Powerpc
Ubuntu ubuntu_linux 7.04 Sparc
Suse novell_linux_desktop 9.0.0
Mandriva corporate_server 3.0.0
Mozilla camino 0.8.3
Mozilla thunderbird 1.5.0.2
Suse opensuse 10.2
Mozilla firefox 2.0
Sgi propack 3.0.0 SP6
Mozilla camino 1.0.1
Mozilla camino 1.0.2
Debian linux 4.0 Alpha
Debian linux 4.0 Amd64
Debian linux 4.0 Arm
Debian linux 4.0 Hppa
Debian linux 4.0 Ia-32
Debian linux 4.0 Ia-64
Debian linux 4.0 M68k
Debian linux 4.0 Mips
Debian linux 4.0 Mipsel
Debian linux 4.0 Powerpc
Debian linux 4.0 S/390
Debian linux 4.0 Sparc
Debian linux 4.0
Mozilla seamonkey 1.0 Dev
Mozilla firefox 1.5.0 Beta 1
Mozilla firefox 1.5.0.4
Mozilla camino 1.0
Mozilla thunderbird 1.5.0.1
Mozilla firefox 1.0.7
Avaya messaging_storage_server MM3.0
Foresight_linux foresight_linux 1.1
Mozilla thunderbird 1.5.0 Beta 2
Red_hat advanced_workstation_for_the_itanium_processor 2.1.0
Sun solaris 9 X86
Red_hat enterprise_linux_as 4
Red_hat enterprise_linux_es 4
Red_hat enterprise_linux_ws 4
Red_hat enterprise_linux Desktop Version 4
Mozilla firefox 1.5.0.10
Mozilla firefox 1.0.5
Mozilla seamonkey 1.0.1
Slackware linux 11.0
Mozilla firefox 1.5.0.7
Mozilla seamonkey 1.0.5
Debian iceape 1.1.1
Debian icedove
Mozilla firefox 2.0.0.2
Slackware linux -Current
Mozilla firefox 1.5.0.8
Ubuntu ubuntu_linux 6.06 LTS Sparc
Mozilla firefox 1.5.0.2
Debian iceweasel
Suse suse_linux_enterprise_desktop 10 SP1
Suse suse_linux_enterprise_server 10 SP1
Mandriva corporate_server 3.0.0 X86 64
Mandriva linux_mandrake 2007.1 X86 64
Mozilla firefox 2.0.0.1
Mozilla firefox 1.5.0.9
Mozilla seamonkey 1.0.7
Mozilla thunderbird 1.5.0.9
Mozilla firefox 1.5.0.1
Mozilla camino 1.5
Mozilla firefox 1.0.4
Mozilla camino 0.8.4
Mozilla thunderbird 1.0.2

HTTP:STC:DL:MS-XL-ROW-REC-BO - HTTP: Microsoft Office Excel Row Record Heap Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft Office Excel. A successful attack could allow the attacker to execute arbitrary code on the targeted system. Failed exploit attempts could result in a denial of service condition.

Supported On:

References:

bugtraq: 36946
cve: CVE-2009-3130

Affected Products:

Microsoft open_xml_file_format_converter_for_mac
Microsoft excel_2002 SP3
Microsoft office_2004_for_mac
Microsoft excel_2002
Microsoft excel_2002 SP1
Microsoft excel_2002 SP2
Microsoft office_2008_for_mac

APP:TMIC:OFFICESCAN-PW-OF - APP: Trend Micro OfficeScan Password Data Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Trend Micro OfficeScan. A successful attack can allow the attacker to execute arbitrary code with the privileges of the user running the application.

Supported On:

References:

bugtraq: 28020
cve: CVE-2008-1365
url: http://www.securityfocus.com/archive/1/20080227203019.061547bd.aluigi@autistici.org

Affected Products:

Trend_micro officescan_corporate_edition 8.0
Trend_micro officescan_corporate_edition 5.5.0
Trend_micro officescan_corporate_edition 3.5.0
Trend_micro officescan_corporate_edition 6.5.0
Trend_micro officescan_corporate_edition 8.0 Patch 2 Build 1189
Trend_micro officescan_corporate_edition 7.3 Build 1314
Trend_micro officescan_corporate_edition 6.0
Trend_micro officescan_corporate_edition 3.54.0
Trend_micro officescan_corporate_edition 8.0.patch build 1042
Trend_micro officescan_corporate_edition 7.0
Trend_micro officescan_corporate_edition 6.5
Trend_micro officescan_corporate_edition 3.0.0
Trend_micro officescan_corporate_edition 3.11.0
Trend_micro officescan_corporate_edition 3.13.0
Trend_micro officescan_corporate_edition 7.3
Trend_micro officescan_corporate_edition 7.0.0
Trend_micro officescan_corporate_edition 5.0.0 2
Trend_micro officescan_corporate_edition 5.58.0

HTTP:MISC:NAGIOS-NWTOOL-CSRF - HTTP: Nagios Network Analyzer create Cross-Site Request Forgery

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Nagios Network Analyzer. A remote, unauthenticated attacker can exploit this vulnerability by enticing an authenticated administrator to visit a maliciously crafted page.

Supported On:

HTTP:STC:DL:XLS-XISPARENT - HTTP: Microsoft Office Excel Xisparent Object Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Excel. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

cve: CVE-2011-1987
bugtraq: 49477

Affected Products:

Microsoft excel_2004_for_mac
Microsoft excel_2003 SP1
Microsoft office_compatibility_pack_2007 SP2
Microsoft office_compatibility_pack_2007 SP1
Microsoft open_xml_file_format_converter Mac
Microsoft excel 2004
Microsoft excel_2008_for_mac
Microsoft office_compatibility_pack_2007
Microsoft excel_2007 SP1
Microsoft office_2011_for_mac SP1
Microsoft excel_2010
Microsoft excel_2003 SP3
Microsoft office_2011_for_mac
Microsoft excel_2003 SP2
Microsoft excel_2007 SP2
Microsoft office_2004_for_mac
Microsoft office_2008_for_mac
Microsoft excel_viewer SP2
Microsoft excel_2007
Microsoft excel_2003

HTTP:APACHE:STRUTS2DMI-RCE - HTTP: Apache Struts2 Dymanic Method Invocation Remote Code Execution

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability against Apache Struts2 Dymanic Method Invocation. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

url: http://struts.apache.org/docs/s2-032.html
cve: CVE-2016-3081

Affected Products:

Apache struts 2.3.14.1
Apache struts 2.0.3
Apache struts 2.3.7
Apache struts 2.3.14.2
Apache struts 2.0.11.1
Apache struts 2.3.20.1
Apache struts 2.0.2
Apache struts 2.3.4
Apache struts 2.0.11
Apache struts 2.3.14.3
Apache struts 2.3.1.1
Apache struts 2.1.0
Apache struts 2.0.10
Apache struts 2.3.4.1
Apache struts 2.3.12
Apache struts 2.1.1
Apache struts 2.0.13
Apache struts 2.1.2
Apache struts 2.0.12
Apache struts 2.3.14
Apache struts 2.1.3
Apache struts 2.3.8
Apache struts 2.3.15
Apache struts 2.1.4
Apache struts 2.3.20
Apache struts 2.2.3.1
Apache struts 2.3.16
Apache struts 2.1.5
Apache struts 2.3.1.2
Apache struts 2.3.16.2
Apache struts 2.1.6
Apache struts 2.0.9
Apache struts 2.3.24
Apache struts 2.0.8
Apache struts 2.0.4
Apache struts 2.1.8
Apache struts 2.1.8.1
Apache struts 2.2.1.1
Apache struts 2.3.28
Apache struts 2.0.5
Apache struts 2.3.15.1
Apache struts 2.0.11.2
Apache struts 2.2.3
Apache struts 2.3.24.1
Apache struts 2.0.7
Apache struts 2.3.3
Oracle siebel_e-billing 7.1
Apache struts 2.3.15.3
Apache struts 2.0.6
Apache struts 2.3.16.3
Apache struts 2.3.15.2
Apache struts 2.2.1
Apache struts 2.0.1
Apache struts 2.3.1
Apache struts 2.0.14
Apache struts 2.0.0
Apache struts 2.3.16.1

HTTP:CISCO:LINKSYS-APPLY-RCE - HTTP: Linksys E1500/E2500 apply.cgi Remote Command Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Cisco Linkys E1500/E2500 wi-fi routers. It is due to insufficient parameter validation. In a successful code injection attack, the behavior of the target host is entirely dependent on the intended function of the injected code and executes within the security context of the currently logged in user. If the attack is unsuccessful, the vulnerable application can terminate abnormally.

Supported On:

References:

bugtraq: 57760

HTTP:VLCFS1 - HTTP: VLC HTTPD Connection Header Format String1

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against VLC HTTP Daemon. A successful attack allows an attacker to execute arbitrary commands with the privileges of the VLC application.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

HTTP:SQL:INJ:WP-PHOTORACER - HTTP: Photoracer WordPress Plugin SQL Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in the WordPress Photoracer Plugin. It is due to insufficient validation of user-supplied input. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

Supported On:

References:

bugtraq: 49328
url: http://palmonaz.altervista.org/z/photoracer/
url: http://www.wordpress.com

Affected Products:

Wordpress photoracer 1.0

HTTP:COLDFUSION:CFIDE-AUTHBYPAS - HTTP: Adobe ColdFusion CFIDE Authentication Bypass

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Adobe ColdFusion. A successful attack can lead to authentication bypass and information disclosure.

Supported On:

References:

bugtraq: 57164
cve: CVE-2013-0625
bugtraq: 57165
cve: CVE-2013-0629
cve: CVE-2013-0631
cve: CVE-2013-0632
bugtraq: 57330

Affected Products:

Adobe coldfusion 9.0
Adobe coldfusion 9.0.1
Adobe coldfusion 9.0.2

HTTP:SONICWALL-GMS-RCE1 - HTTP: SonicWALL GMS skipSessionCheck Remote Code Execution1

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against SoniWALL GMS. A successful attack can lead to arbitrary code execution.

Supported On:

References:

Affected Products:

Supermicro intelligent_platform_management_firmware up to 2.26 (-:~-~-~-~x9_generation_motherboards~)
Supermicro intelligent_platform_management_firmware 2.24 (-:~-~-~-~x9_generation_motherboards~)

SMB:MICROSOFT-WS-TYPECONFUSION - SMB: Microsoft Windows Search Type Confusion

Severity: HIGH

Description:

A remote code execution vulnerability has been reported in the Windows Search service of Microsoft Windows. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation results in arbitrary code execution under the context of SYSTEM.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, mx-11.4, mx-16.1, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, isg-3.4.140032, isg-3.4.139899, vsrx-12.1, idp-5.0.110121210, j-series-9.5, idp-5.0.110130325, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 100034
cve: CVE-2017-8620
bugtraq: 101114
cve: CVE-2017-11771

HTTP:SYSAX-SERVER-BOF1 - HTTP: Sysax Multi Server Function Buffer Overflow1

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Sysax Multi Server. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the server.

Supported On:

HTTP:RUBY-GEM-SEMICOLON1 - HTTP: Ruby Gem Multiple Wrappers Command Injection1

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Ruby Gem Minimagic, Curl and Fastreader 1.0.8 wrappers. A successful attack can lead to command injection and arbitrary code execution.

Supported On:

HTTP:ROBOHELP-SQL-INJ1 - HTTP: Adobe RoboHelp Server SQL Injection Vulnerability1

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Adobe RoboHelp Server. A successful SQL injection attack can lead to arbitrary code execution.

Supported On:

HTTP:EXPLOIT:SYM-FILEUPLOAD - HTTP: Symantec Backup FileUpload

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Symantec Backup Exec System Recovery Manager. A malicious user can utilize this to upload arbitrary files onto the target server. Versions 7.0 and 7.0.1 are vulnerable.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 27487
url: http://downloads.securityfocus.com/vulnerabilities/exploits/27487.html
url: http://www.symantec.com/avcenter/security/Content/2008.02.04.html
cve: CVE-2008-0457

Affected Products:

Symantec backup_exec_system_recovery_manager 7.0
Symantec backup_exec_system_recovery_manager 7.0.1

HTTP:PHP:HPE-HPEINC-RFI - HTTP: Headline Portal Engine HPEInc Parameter Multiple Remote File Inclusion

Severity: HIGH

Description:

This signature detects attempts to exploit a known remote file inclusion vulnerability against Headline Portal Engine. It is due to insufficient validation of user-supplied input. A remote attacker can exploit this by enticing a target to open a malicious URL link. A successful attack can result in arbitrary code execution and loss of sensitive information.

Supported On:

References:

bugtraq: 19663

Affected Products:

Headline headline_portal_engine 1.0
Headline headline_portal_engine 0.7.0
Headline headline_portal_engine 0.6.5
Headline headline_portal_engine 0.6.1

HTTP:EASYLAN-REG-BOF1 - HTTP: Easy LAN Folder Share .reg FIle Parsing Buffer Overflow1

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Easy LAN Folder Share. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the targeted application.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

SMB:INTERNET-PRINT-SVC-INT-OF - SMB: Microsoft Windows Internet Printing Service Integer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Windows Internet Printing Service. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 31682
cve: CVE-2008-1446

Affected Products:

Microsoft windows_xp_professional
Microsoft windows_xp_home
Microsoft windows_server_2003_x64 SP2
Microsoft windows_vista Home Basic SP1
Microsoft windows_vista Home Premium SP1
Microsoft windows_vista Enterprise SP1
Microsoft windows_vista Ultimate SP1
Microsoft windows_vista_business_64-bit_edition SP1
Microsoft windows_vista_enterprise_64-bit_edition SP1
Microsoft windows_vista_home_basic_64-bit_edition SP1
Microsoft windows_vista_home_premium_64-bit_edition SP1
Microsoft windows_vista_ultimate_64-bit_edition SP1
Microsoft windows_server_2003_x64 SP1
Microsoft windows_vista_x64_edition
Microsoft windows_server_2003_web_edition SP2
Microsoft windows_xp_professional_x64_edition SP2
Microsoft windows_server_2003_itanium
Microsoft windows_server_2003_itanium SP1
Microsoft windows_server_2003_itanium SP2
Microsoft windows_server_2003_datacenter_x64_edition SP2
Microsoft windows_server_2003_standard_edition SP2
Microsoft windows_xp_tablet_pc_edition SP1
Hp storage_management_appliance 2.1
Microsoft windows_2000_professional
Microsoft windows_2000_server SP1
Microsoft windows_2000_professional SP1
Microsoft windows_2000_advanced_server SP1
Microsoft windows_xp_media_center_edition
Microsoft windows_xp_tablet_pc_edition
Microsoft windows_vista_x64_edition SP1
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP1
Microsoft windows_xp_tablet_pc_edition SP3
Microsoft windows_xp_professional SP3
Microsoft windows_xp_media_center_edition SP3
Microsoft windows_xp_home SP3
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_datacenter_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft windows_server_2003_enterprise_edition
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_server_2003_enterprise_edition_itanium
Microsoft windows_server_2003_datacenter_edition_itanium
Microsoft windows_2000_professional SP3
Microsoft windows_2000_server SP3
Microsoft windows_2000_advanced_server SP3
Microsoft windows_2000_datacenter_server SP3
Microsoft windows_2000_datacenter_server SP1
Microsoft windows_xp_tablet_pc_edition SP2
Microsoft windows_2000_server
Microsoft windows_2000_advanced_server
Microsoft windows_2000_advanced_server SP4
Microsoft windows_2000_datacenter_server SP4
Microsoft windows_2000_professional SP4
Microsoft windows_2000_server SP4
Microsoft windows_server_2003_datacenter_edition_itanium SP1 Beta 1
Microsoft windows_server_2003_enterprise_edition_itanium SP1 Beta 1
Microsoft windows_server_2003 SP1
Microsoft windows_server_2003 SP2
Microsoft windows_xp_home SP2
Microsoft windows_xp_professional SP2
Microsoft windows_xp_media_center_edition SP1
Microsoft windows_xp_media_center_edition SP2
Microsoft windows_2000_datacenter_server
Microsoft windows_vista SP1
Microsoft windows_vista Ultimate
Microsoft windows_vista Home Premium
Microsoft windows_vista Home Basic
Microsoft windows_vista Business
Microsoft windows_vista Enterprise
Microsoft windows_server_2003_standard_edition
Microsoft windows_server_2003_standard_x64_edition
Microsoft windows_server_2003_enterprise_x64_edition
Microsoft windows_server_2003_datacenter_x64_edition
Microsoft windows_xp_professional_x64_edition
Microsoft windows_vista_business_64-bit_edition
Microsoft windows_vista_enterprise_64-bit_edition
Microsoft windows_vista_home_basic_64-bit_edition
Microsoft windows_vista_home_premium_64-bit_edition
Microsoft windows_vista_ultimate_64-bit_edition
Microsoft windows_vista
Microsoft windows_2000_advanced_server SP2
Microsoft windows_2000_datacenter_server SP2
Microsoft windows_2000_professional SP2
Microsoft windows_2000_server SP2
Microsoft windows_server_2008_for_32-bit_systems
Microsoft windows_server_2008_for_x64-based_systems

HTTP:XSS:CPANEL-MODULES - HTTP: cPanel Multiple Module Cross-Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known cross-site scripting vulnerability in cPanel. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

References:

bugtraq: 10002
bugtraq: 21142
cve: CVE-2004-1875

Affected Products:

Cpanel cpanel 9.1.0 .0-R85

HTTP:STC:ACTIVEX:XML-CORE-3-0 - HTTP: Microsoft XML Core Services 3.0 ActiveX Control

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft XML Core Services 3.0. An attacker can create a malicious Web site containing dangerous ActiveX controls, which if accessed by a victim, allows the attacker to cause a buffer overflow and perform arbitrary remote code execution within the context of the user.

Supported On:

References:

url: http://www.microsoft.com/technet/security/Bulletin/MS08-069.mspx
cve: CVE-2008-4029
cve: CVE-2007-0099
cve: CVE-2008-4033

Affected Products:

Microsoft windows_7_for_32-bit_systems
Microsoft windows_7_for_x64-based_systems
Hp storage_management_appliance 2.1
Microsoft windows_server_2008_for_x64-based_systems R2
Microsoft xml_core_services 4.0
Nortel_networks contact_center_ncc
Avaya messaging_application_server
Nortel_networks self-service_wvads
Avaya messaging_application_server MM 3.0
Avaya messaging_application_server MM 3.1
Nortel_networks self-service_peri_workstation
Nortel_networks self-service_mps_100
Nortel_networks self-service_mps_500
Nortel_networks self-service_mps_1000
Nortel_networks self-service_speech_server
Nortel_networks callpilot 1005R
Nortel_networks callpilot 600R
Nortel_networks contact_center-tapi_server
Nortel_networks callpilot 703T
Nortel_networks contact_center_manager_server
Nortel_networks callpilot 201I
Microsoft xml_core_services 3.0
Nortel_networks self-service_peri_application
Avaya messaging_application_server MM 1.1
Nortel_networks contact_center_express
Nortel_networks contact_center_manager
Nortel_networks self-service_ccxml
Nortel_networks self_service_voicexml
Microsoft windows_server_2008_for_itanium-based_systems R2
Avaya messaging_application_server MM 2.0
Nortel_networks symposium_agent
Nortel_networks self-service-ccss7
Nortel_networks self-service_media_processing_server

HTTP:PHP:COOLFORUM-INJ - HTTP: CoolForum Script Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in the PHP-based CoolForum Web forum software. Attackers can submit a malformed e-mail parameter to a form and inject malicious scripts.

Supported On:

HTTP:STC:HPE-LANG-INJ - HTTP: HPE Intelligent Management Center saveSelectedDevices Expression Language Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in HPE Intelligent Management Center. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation results in the execution of arbitrary code under the security context of the SYSTEM user.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

Affected Products:

Hp intelligent_management_center 7.3

HTTP:PHP:CMD-INJ - HTTP: PHP Command Injection

Severity: HIGH

Description:

This signature detects Web downloads containing a potentially dangerous PHP script. A malicious site can exploit a known vulnerability in multiple PHP applications and execute arbitrary PHP commands on the victim's server.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 34236
cve: CVE-2009-1151
bugtraq: 35467
url: http://www.juniper.net/security/auto/vulnerabilities/vuln35467.html
bugtraq: 30135
cve: CVE-2008-6825
url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/pandora_upload_exec.rb
cve: CVE-2010-4279
bugtraq: 63411
bugtraq: 51647
bugtraq: 55399
url: https://github.com/rapid7/metasploit-framework/pull/4076
cve: CVE-2013-0803
cve: CVE-2013-3629
url: https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
url: http://itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities/
url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
url: https://www.exploit-db.com/docs/27654.pdf
url: https://www.us-cert.gov/ncas/alerts/TA15-313A
url: http://traqproject.org/
url: http://secunia.com/advisories/49103/
cve: CVE-2012-1153
bugtraq: 51576
url: http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download
cve: CVE-2011-4825
cve: CVE-2013-3591
url: http://krebsonsecurity.com/tag/phoenix-exploit-kit/
url: https://www.pwnmalw.re/Exploit%20Pack/phoenix
cve: CVE-2011-4075
bugtraq: 50331
cve: CVE-2011-4828
url: http://xforce.iss.net/xforce/xfdb/71358
bugtraq: 50706
cve: CVE-2014-1691
url: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection
url: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149
url: https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
url: http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html
bugtraq: 54464
url: http://contrib.spip.net/SPIP-3-0-3-2-1-16-et-2-0-21-a-l-etape-303-epate-la
bugtraq: 54292
url: http://karmainsecurity.com/KIS-2014-13
url: https://tuleap.net/plugins/tracker/?aid=7601
url: http://www.trixbox.org/
cve: CVE-2009-4140
bugtraq: 37314
cve: CVE-2013-1412
url: http://karmainsecurity.com/KIS-2013-01
url: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
bugtraq: 57603
url: http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/
cve: CVE-2014-6446
url: http://research.g0blin.co.uk/cve-2014-6446/
cve: CVE-2014-8791

Affected Products:

Phpmyadmin phpmyadmin 2.6.4 -Rc1
Phpmyadmin phpmyadmin 2.6.3 -Pl1
Phpmyadmin phpmyadmin 2.8.0 .4
Phpmyadmin phpmyadmin 2.11.1.2
Phpmyadmin phpmyadmin 2.7.0
Phpmyadmin phpmyadmin 2.11.1
Phpmyadmin phpmyadmin 2.11.1.1
Debian linux 4.0 Armel
Phpmyadmin phpmyadmin 2.11.2.1
Suse opensuse 10.3
Phpmyadmin phpmyadmin 2.11.2.2
Phpmyadmin phpmyadmin 2.7.0 -Pl1
Phpmyadmin phpmyadmin 2.5.5 Pl1
Phpmyadmin phpmyadmin 2.5.5
Phpmyadmin phpmyadmin 2.5.5 -Rc2
Phpmyadmin phpmyadmin 2.5.5 -Rc1
Phpmyadmin phpmyadmin 2.5.4
Phpmyadmin phpmyadmin 2.5.6 -Rc1
Phpmyadmin phpmyadmin 2.11.8
Phpmyadmin phpmyadmin 2.11.8.1
Phpmyadmin phpmyadmin 2.8.1
Phpmyadmin phpmyadmin 2.8.2
Phpmyadmin phpmyadmin 2.11.9 4
Phpmyadmin phpmyadmin 3.1.1 0
Mandriva corporate_server 4.0.0 X86 64
Phpmyadmin phpmyadmin 2.2.3
Phpmyadmin phpmyadmin 2.2.6
Phpmyadmin phpmyadmin 2.6.4 -Pl3
Phpmyadmin phpmyadmin 2.5.1
Phpmyadmin phpmyadmin 2.11.9.2
Debian linux 4.0 Alpha
Phpmyadmin phpmyadmin 2.6.1 Pl1
Phpmyadmin phpmyadmin 2.6.1
Phpmyadmin phpmyadmin 2.5.7
Phpmyadmin phpmyadmin 2.6.4 -Pl4
Phpmyadmin phpmyadmin 2.6.1 Pl3
Phpmyadmin phpmyadmin 2.6.2 -Rc1
Phpmyadmin phpmyadmin 2.8.0 .3
Phpmyadmin phpmyadmin 2.11.5.2
Debian linux 5.0
Debian linux 5.0 Alpha
Debian linux 5.0 Amd64
Debian linux 5.0 Arm
Debian linux 5.0 Hppa
Debian linux 5.0 Ia-32
Debian linux 5.0 Ia-64
Debian linux 5.0 M68k
Debian linux 5.0 Mips
Debian linux 5.0 Mipsel
Debian linux 5.0 Powerpc
Debian linux 5.0 S/390
Debian linux 5.0 Sparc
Suse opensuse 11.0
Mandriva corporate_server 4.0
Phpmyadmin phpmyadmin 3.0.0
Phpmyadmin phpmyadmin 3.0.1
Phpmyadmin phpmyadmin 2.6.0 .0Pl1
Phpmyadmin phpmyadmin 2.6.0 .0Pl2
Red_hat fedora 10
Phpmyadmin phpmyadmin 2.6.2
Gentoo linux
Phpmyadmin phpmyadmin 2.6.0 .0Pl3
Phpmyadmin phpmyadmin 2.8.0 .1
Phpmyadmin phpmyadmin 2.6.0
Debian linux 4.0 Amd64
Debian linux 4.0 Arm
Debian linux 4.0 Hppa
Debian linux 4.0 Ia-32
Debian linux 4.0 Ia-64
Debian linux 4.0 M68k
Debian linux 4.0 Mips
Debian linux 4.0 Mipsel
Debian linux 4.0 Powerpc
Debian linux 4.0 S/390
Debian linux 4.0 Sparc
Debian linux 4.0
Phpmyadmin phpmyadmin 2.11.7
Phpmyadmin phpmyadmin 2.11.9.3
Phpmyadmin phpmyadmin 3.0.1.1
Phpmyadmin phpmyadmin 2.11.5.1
Phpmyadmin phpmyadmin 2.7.0 .0-Beta1
Phpmyadmin phpmyadmin 2.11.9
Phpmyadmin phpmyadmin 2.11.9 .1
Phpmyadmin phpmyadmin 2.6.1 -Rc1
Phpmyadmin phpmyadmin 2.11.4
Phpmyadmin phpmyadmin 2.7.0-Pl2
Phpmyadmin phpmyadmin 2.11.5
Phpmyadmin phpmyadmin 2.6.4 -Pl1
Red_hat fedora 9
Debian linux 5.0 Armel

HTTP:HPE-OO-DESERIALIZATION - HTTP: HPE Operations Orchestration central-remoting Insecure Deserialization

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in HPE Operations Orchestration. Successful exploitation could result in arbitrary code execution in the context of the application.

Supported On:

References:

cve: CVE-2017-8994

Affected Products:

Hp operations_orchestration 10.70

MS-RPC:LAN-WORM-SPREAD - MS-RPC: LAN Worm Spread Attempt

Severity: HIGH

Description:

This signature detects attempts to spread a worm over a Windows network by copying itself to the system path and scheduling a rundll32 job that executes the binary at a later date. The "Conficker" worm uses this mechanism to spread over LANs.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

url: http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0126.html
bugtraq: 31874
url: http://www.viruslist.com/en/alerts?alertid=203996089

Affected Products:

Microsoft windows_xp_professional
Microsoft windows_xp_home
Nortel_networks contact_center-contact_recording
Nortel_networks contact_center-quality_monitoring
Nortel_networks self-service_mps_100
Nortel_networks self-service_mps_500
Microsoft windows_server_2003_x64 SP2
Nortel_networks self-service_speech_server
Nortel_networks contact_center-tapi_server
Nortel_networks contact_center_manager_server
Nortel_networks self-service_peri_application
Microsoft windows_vista_x64_edition SP1
Nortel_networks contact_center-cct
Nortel_networks self-service_ccxml
Nortel_networks self_service_voicexml
Microsoft windows_server_2008_datacenter_edition
Microsoft windows_server_2008_enterprise_edition
Microsoft windows_server_2008_standard_edition
Microsoft windows_vista Business SP1
Microsoft windows_vista Home Basic SP1
Microsoft windows_vista Home Premium SP1
Microsoft windows_vista Enterprise SP1
Microsoft windows_vista Ultimate SP1
Microsoft windows_vista_business_64-bit_edition SP1
Microsoft windows_vista_enterprise_64-bit_edition SP1
Microsoft windows_vista_home_basic_64-bit_edition SP1
Microsoft windows_vista_home_premium_64-bit_edition SP1
Microsoft windows_vista_ultimate_64-bit_edition SP1
Microsoft windows_server_2003_x64 SP1
Microsoft windows_vista_x64_edition
Microsoft windows_server_2003_web_edition SP2
Microsoft windows_xp_professional_x64_edition SP2
Microsoft windows_server_2003_itanium
Microsoft windows_server_2003_itanium SP1
Microsoft windows_server_2003_itanium SP2
Microsoft windows_server_2003_datacenter_x64_edition SP2
Microsoft windows_server_2003_enterprise_x64_edition SP2
Microsoft windows_server_2003_standard_edition SP2
Microsoft windows_xp_tablet_pc_edition SP1
Microsoft windows_2000_professional
Avaya messaging_application_server
Nortel_networks self-service_wvads
Microsoft windows_2000_professional SP1
Avaya messaging_application_server MM 3.1
Microsoft windows_xp_media_center_edition
Microsoft windows_xp_tablet_pc_edition
Avaya messaging_application_server MM 1.1
Microsoft windows_vista Beta 2
Microsoft windows_xp_64-bit_edition
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP1
Microsoft windows_xp_tablet_pc_edition SP3
Microsoft windows_xp_professional SP3
Microsoft windows_xp_media_center_edition SP3
Microsoft windows_xp_home SP3
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_datacenter_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft windows_xp_home SP2
Nortel_networks multimedia_comm MCS5100
Nortel_networks self-service_mps_1000
Microsoft windows_server_2003_enterprise_edition
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_server_2003_enterprise_edition_itanium
Microsoft windows_server_2003_datacenter_edition_itanium
Microsoft windows_xp_64-bit_edition_version_2003 SP1
Nortel_networks self-service_media_processing_server
Microsoft windows_2000_professional SP3
Microsoft windows_xp_64-bit_edition SP1
Nortel_networks contact_center_ncc
Microsoft windows_xp_tablet_pc_edition SP2
Microsoft windows_2000_advanced_server SP4
Microsoft windows_2000_datacenter_server SP4
Microsoft windows_2000_professional SP4
Microsoft windows_2000_server SP4
Nortel_networks callpilot 703T
Nortel_networks callpilot 201I
Microsoft windows_vista Home Basic
Microsoft windows_server_2003_datacenter_edition SP1 Beta 1
Microsoft windows_server_2003_datacenter_edition_itanium SP1 Beta 1
Microsoft windows_server_2003_enterprise_edition_itanium SP1 Beta 1
Microsoft windows_server_2003_enterprise_edition SP1 Beta 1
Microsoft windows_server_2003_standard_edition SP1 Beta 1
Microsoft windows_server_2003 SP1
Microsoft windows_server_2003 SP2
Avaya messaging_application_server MM 2.0
Microsoft windows_xp_gold
Nortel_networks self-service-ccss7
Microsoft windows_server_2003_standard_x64_edition
Nortel_networks contact_center-cct 5
Microsoft windows_xp_professional SP2
Microsoft windows_xp_media_center_edition SP1
Microsoft windows_xp_media_center_edition SP2
Microsoft windows_vista SP1
Nortel_networks self-service_peri_workstation
Nortel_networks symposium_agent
Nortel_networks callpilot 1005R
Nortel_networks callpilot 600R
Microsoft windows_vista Ultimate
Microsoft windows_vista Home Premium
Nortel_networks callpilot 1002Rp
Microsoft windows_vista Business
Microsoft windows_vista Enterprise
Microsoft windows_server_2003_standard_edition
Avaya messaging_application_server MM 3.0
Nortel_networks contact_center_express
Microsoft windows_server_2003_enterprise_x64_edition
Nortel_networks contact_center_manager
Nortel_networks enterprise_network_management_system
Microsoft windows_xp_professional_x64_edition
Microsoft windows_server_2003_web_edition SP1 Beta 1
Microsoft windows_vista_business_64-bit_edition
Microsoft windows_vista_enterprise_64-bit_edition
Microsoft windows_vista_home_basic_64-bit_edition
Microsoft windows_vista_home_premium_64-bit_edition
Microsoft windows_vista_ultimate_64-bit_edition
Microsoft windows_vista
Microsoft windows_vista Beta
Microsoft windows_2000_professional SP2
Microsoft windows_vista Beta 1
Microsoft windows_server_2003_datacenter_x64_edition
Microsoft windows_server_2008_for_32-bit_systems
Microsoft windows_server_2008_for_x64-based_systems
Microsoft windows_server_2008_for_itanium-based_systems
Microsoft windows_xp

HTTP:MISC:GE-MDS-PULSENET - HTTP: General Electric MDS PulseNET Hidden Support Account Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against GE MDS. A successful exploit can lead to remote code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2015-6456

Affected Products:

Ge mds_pulsenet 3.1.3

HTTP:YAHOO:ATTACHMENT-DOWNLOAD - HTTP: Yahoo Mail File Attachment Download

Severity: INFO

Description:

This signature detects files attached to an incoming Yahoo e-mail message. Yahoo Mail is a Web-based e-mail application that allows users to send and receive e-mails with attachments. This can be a violation of your organization's Acceptable Use Policy.

Supported On:

References:

url: http://www.yahoo.com/

WORM:CONFICKER:C-ACTIVITY - WORM: Conficker.C Activity

Severity: INFO

Description:

This signature detects traffic sent by the C variant of the Conficker/Downadup worm. The source address of the session may be infected with the worm and should be checked. Blocking using this signature has no effect in mitigating the spread of this worm. This signature can false positive on some Web browsers. To reduce the chance of false positives, it is recommended you apply this signature on outbound traffic going to the Internet and not on inbound traffic coming from the Internet.

Supported On:

References:

HTTP:PHP:OPEN-EDUCATION-SYS-RFI - HTTP: Open Educational System Remote File Inclusion

Severity: HIGH

Description:

This signature detects attempts to exploit a known remote file inclusion vulnerability against Open Educational System. It is due to insufficient validation of user-supplied input. A remote attacker can exploit this by enticing a target to open a malicious URL link. A successful attack can result in arbitrary code execution and loss of sensitive information.

Supported On:

References:

bugtraq: 38449
bugtraq: 22934
cve: CVE-2007-1446
cve: CVE-2010-2132

Affected Products:

Oes open_educational_system 0.1 beta

APP:SYMC:IM-MGR-INJ - APP: Symantec IM Manager Administrator Console Code Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Symantec IM Manager. A successful attack can lead to invalid memory access and arbitrary Code Injection.

Supported On:

References:

bugtraq: 49742
cve: CVE-2011-0554

Affected Products:

Symantec im_manager 8.4.9
Symantec im_manager 8.4.16
Symantec im_manager 8.4
Symantec im_manager 8.4.13
Symantec im_manager 8.4.8
Symantec im_manager 8.4.5
Symantec im_manager 8.4.5
Symantec im_manager 8.4.15
Symantec im_manager 8.4.1
Symantec im_manager 8.4.10
Symantec im_manager 8.4.11
Symantec im_manager 8.4.12
Symantec im_manager 8.4.17
Symantec im_manager 8.4.2
Symantec im_manager 8.4.15
Symantec im_manager 8.4.6
Symantec im_manager 8.4.7
Symantec im_manager 8.4.0

SPYWARE:AD:NABAZATOOLBAR - SPYWARE: Nabaza ToolBar

Severity: LOW

Description:

This signature detects the runtime behavior of the spyware Nabaza ToolBar, an adware application that generates pop-up advertisements. This spyware installs other spyware applications such as 180Solutions, ISTBar, SideFind, and PowerScan.

Supported On:

References:

HTTP:STC:DL:DS-ATOM-TABLE - HTTP: Microsoft DirectShow Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft DirectShow. A successful attack can allow attackers to execute remote code in the context of the current logged in user.

Supported On:

References:

cve: CVE-2009-1537
bugtraq: 35139

Affected Products:

Microsoft directx 8.1 a
Microsoft directx 9.0 c
Microsoft directx 8.1 b
Microsoft directx 9.0
Nortel_networks contact_center_ncc
Nortel_networks callpilot 703T
Nortel_networks self-service_peri_workstation
Nortel_networks self-service_wvads
Nortel_networks contact_center-contact_recording
Nortel_networks contact_center-quality_monitoring
Microsoft directx 9.0 a
Microsoft directx 8.1
Nortel_networks symposium_agent
Nortel_networks self-service_mps_500
Nortel_networks self-service_mps_1000
Nortel_networks self-service_speech_server
Nortel_networks tapi_desktop
Nortel_networks callpilot 1005R
Nortel_networks callpilot 600R
Nortel_networks contact_center-tapi_server
Nortel_networks contact_center-agent_desktop_display
Nortel_networks contact_center_manager_server
Nortel_networks callpilot 201I
Nortel_networks contact_center
Nortel_networks self-service
Microsoft directx 7.0
Nortel_networks self-service_peri_application
Nortel_networks contact_center-cct
Nortel_networks symposium_tapi_service_provider
Nortel_networks contact_center_express
Nortel_networks contact_center_multimedia
Nortel_networks contact_center_web_client
Nortel_networks contact_center_manager
Nortel_networks self-service_ccxml
Nortel_networks self_service_voicexml
Nortel_networks self-service_mps_100
Nortel_networks contact_center_administration_ccma 6.0
Nortel_networks contact_center_administration
Nortel_networks self-service-peri_application_rel 3.0
Nortel_networks self-service-ccss7
Nortel_networks callpilot 202I
Microsoft directx 9.0b
Nortel_networks self-service_media_processing_server
Nortel_networks contact_center-cct 5

HTTP:STC:ADOBE:PDF-FONT - HTTP: Adobe Acrobat PDF Font Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Adobe Acrobat PDF Font Processing. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, srx-17.4, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 32100
cve: CVE-2008-4813

Affected Products:

Suse linux_personal 10.1
Suse linux_professional 10.1
Sun solaris 10 Sparc
Red_hat enterprise_linux_supplementary 5 Server
Suse open-enterprise-server 1
Nortel_networks self-service_mps_500
Nortel_networks self-service_mps_1000
Nortel_networks self-service_speech_server
Suse unitedlinux 1.0.0
Suse suse_linux_school_server_for_i386
Suse open-enterprise-server 9.0.0
Nortel_networks self-service_peri_application
Suse linux_personal 10.2 X86 64
Suse linux_professional 10.2 X86 64
Suse linux_professional 10.2
Adobe reader 7.0.9
Suse novell_linux_desktop_sdk 9.0.0
Suse opensuse 10.2
Adobe acrobat_professional 7.1
Suse linux_professional 10.0.0 OSS
Suse linux_personal 10.0.0 OSS
Suse opensuse 10.3
Suse linux 10.1 X86
Suse linux 10.1 X86-64
Suse linux 10.1 Ppc
Suse linux 10.0 Ppc
Suse linux 10.0 X86
Suse linux 10.0 X86-64
Adobe reader 8.0
Adobe acrobat_professional 8.0
Adobe acrobat_standard 8.0
Adobe acrobat_3d 8.1.2
Suse suse_linux_open-xchange 4.1.0
Avaya interactive_response 2.0
Adobe reader 7.0.4
Suse suse_linux_enterprise 10 SP2 DEBUGINFO
Adobe reader 7.0.6
Adobe reader 7.0.7
Adobe reader 7.0.8
Nortel_networks self-service_peri_workstation
Suse suse_linux_enterprise_sdk 10
Adobe acrobat_standard 7.0.2
Adobe acrobat_professional 7.0.4
Adobe acrobat_professional 7.0.5
Adobe reader 7.0.0
Adobe reader 7.0.1
Suse suse_linux_enterprise_server 9 SP3
Adobe acrobat_professional 7.0.7
Adobe reader 7.0.2
Avaya interactive_response 3.0
Suse suse_linux_enterprise 10 SP1 DEBUGINFO
Suse opensuse 11.0
Suse opensuse 10.1
Suse suse_linux_openexchange_server 4.0.0
Suse suse_linux_retail_solution 8.0.0
Nortel_networks callpilot 703T
Nortel_networks callpilot 201I
Red_hat enterprise_linux_desktop_supplementary 5 Client
Adobe reader 7.0.3
Suse open-enterprise-server
Adobe reader 7.0.5
Suse novell_linux_desktop 9.0.0
Suse linux_personal 10.2
Gentoo linux
Nortel_networks self-service-ccss7
Adobe acrobat_standard 7.0.0
Adobe acrobat_standard 7.0.1
Suse linux 10.1 ppc64
Adobe acrobat_standard 7.0.3
Adobe acrobat_standard 7.0.4
Adobe acrobat_standard 7.0.5
Adobe acrobat_standard 7.0.8
Adobe acrobat_standard 7.0.6
Adobe acrobat_standard 7.0.7
Adobe acrobat_professional 7.0.0
Adobe acrobat_professional 7.0.1
Adobe acrobat_professional 7.0.2
Adobe acrobat_professional 7.0.3
Adobe reader 8.1.1
Adobe acrobat_professional 8.1.1
Adobe acrobat_professional 7.0.6
Adobe reader 8.1.2
Adobe acrobat_professional 7.0.8
Suse suse_linux_enterprise_server_rt_solution_10
Suse suse_linux_enterprise_server 10
Suse suse_linux_enterprise_desktop 10
Suse suse_linux_enterprise_desktop 10 SP2
Suse suse_linux_enterprise_server 10 SP2
Suse suse_linux_enterprise_server 9
Adobe reader 8.1.2 Security Update 1
Adobe acrobat_professional 8.1.2 Security Update 1
Adobe acrobat_professional 7.0.9
Nortel_networks callpilot 1005R
Nortel_networks callpilot 600R
Nortel_networks callpilot 1002Rp
Adobe reader 7.1
Adobe reader 8.1
Adobe acrobat_professional 8.1
Adobe acrobat_standard 8.1
Adobe acrobat_standard 7.1
Suse suse_linux_enterprise_desktop 10 SP1
Suse suse_linux_enterprise_server 10 SP1
Adobe acrobat_standard 8.1.1
Adobe acrobat_standard 8.1.2
Adobe acrobat_professional 8.1.2
Suse suse_linux_enterprise_sdk 10 SP1
Suse linux_professional 10.0.0
Red_hat enterprise_linux_es_extras 3
Red_hat enterprise_linux_es_extras 4

SPYWARE:LIGATS - SPYWARE: Ligats

Severity: HIGH

Description:

This signature detects the outbound Web activity of the spyware Ligats. The spyware Ligats is a Trojan data-miner tool that can be used by attackers to analyze your private data.

Supported On:

References:

url: http://www.symantec.com/security_response/writeup.jsp?docid=2008-011616-5036-99

APP:INTERSYSTEMS-CACHE-OF - APP: InterSystems Cache 'UtilConfigHome.csp' Remote Stack Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known flaw in InterSystems Cache server. A successful attack could result in arbitrary code execution.

Supported On:

References:

bugtraq: 37177

Affected Products:

Intersystems cache 2009.1.1
Intersystems cache 2009.1.2
Intersystems cache 2009.1

HTTP:NOVELL:EDIR-DHOST - HTTP: Novell eDirectory dhost HTTPSTK Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Novell eDirectory dhost. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the affected server.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 37042
cve: CVE-2009-4654

Affected Products:

Novell edirectory 8.8 SP5
Novell edirectory 8.8 SP1
Novell edirectory 8.8 SP2
Novell edirectory 8.8 SP3
Novell edirectory 8.8 SP4
Novell edirectory 8.8 SP4 FTF1
Novell edirectory 8.8.1
Novell edirectory 8.8
Novell edirectory 8.8.2 Ftf2
Novell edirectory 8.8 SP3 FTF3
Novell edirectory 8.8.2

SMB:SMB20-NEG-DOS - SMB: SMB 2.0 Negotiate Denial Of Service

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Windows 7 SMB layer. A successful attack can result in a denial-of-service condition.

Supported On:

References:

url: http://seclists.org/fulldisclosure/2009/Sep/0039.html
cve: CVE-2009-3103
bugtraq: 36299
cve: CVE-2009-2532

Affected Products:

Microsoft windows_vista_enterprise_64-bit_edition
Microsoft windows_vista Business SP2
Microsoft windows_vista_business_64-bit_edition SP2
Microsoft windows_vista_enterprise_64-bit_edition SP2
Microsoft windows_vista Enterprise SP2
Microsoft windows_vista_home_basic_64-bit_edition SP2
Microsoft windows_vista Home Basic SP2
Microsoft windows_vista_home_premium_64-bit_edition SP2
Microsoft windows_vista Home Premium SP2
Microsoft windows_vista_ultimate_64-bit_edition SP2
Microsoft windows_vista Ultimate SP2
Microsoft windows_vista_x64_edition SP2
Microsoft windows_server_2008_datacenter_edition SP2
Microsoft windows_server_2008_enterprise_edition SP2
Microsoft windows_server_2008_standard_edition SP2
Microsoft windows_server_2008_for_32-bit_systems SP2
Microsoft windows_server_2008_for_itanium-based_systems SP2
Microsoft windows_server_2008_for_x64-based_systems SP2
Microsoft windows_vista_home_basic_64-bit_edition SP1
Microsoft windows_7 Beta
Microsoft windows_vista_home_premium_64-bit_edition
Microsoft windows_vista Ultimate
Microsoft windows_vista Home Premium
Microsoft windows_vista Home Basic
Microsoft windows_vista Business
Microsoft windows_vista Enterprise
Microsoft windows_vista_x64_edition SP1
Microsoft windows_7 RC
Microsoft windows_server_2008_datacenter_edition
Microsoft windows_server_2008_enterprise_edition
Microsoft windows_server_2008_standard_edition
Microsoft windows_vista Business SP1
Microsoft windows_vista Home Basic SP1
Microsoft windows_vista_business_64-bit_edition
Microsoft windows_vista Enterprise SP1
Microsoft windows_vista Ultimate SP1
Microsoft windows_vista_business_64-bit_edition SP1
Microsoft windows_vista_enterprise_64-bit_edition SP1
Microsoft windows_vista_ultimate_64-bit_edition
Microsoft windows_vista_home_premium_64-bit_edition SP1
Microsoft windows_vista_ultimate_64-bit_edition SP1
Microsoft windows_vista_x64_edition
Microsoft windows_server_2008_for_32-bit_systems
Microsoft windows_server_2008_for_x64-based_systems
Microsoft windows_vista_home_basic_64-bit_edition
Microsoft windows_server_2008_for_itanium-based_systems
Microsoft windows_vista Home Premium SP1

HTTP:CGI:MAGENTO-API-RCE - HTTP: Magento API unserialize Remote Code Execution

Severity: HIGH

Description:

A remote code execution vulnerability exists in the eCommerce platform Magento. Successful exploitation allows the attacker to write to arbitrary files.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2016-4010

Affected Products:

Magento magento 2.0.5

HTTP:STC:DL:VISIWAVE-SITE-BOF - HTTP: VisiWave Site Survey vwr File Processing Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in VisiWave Site Survey. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the server.

Supported On:

References:

bugtraq: 47948
cve: CVE-2011-2386

Affected Products:

Azo_technologies,_inc. visiwave_site_survey 2.0.12

HTTP:PHP:TIKIWIKI-JHOT - HTTP: TikiWiki Jhot Remote Command Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against TikiWiki CRM/Groupware. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 19819
cve: CVE-2006-4602
url: http://secunia.com/advisories/21733/

Affected Products:

Tikiwiki_project tikiwiki 1.8.0
Tikiwiki_project tikiwiki 1.8.2
Tikiwiki_project tikiwiki 1.6.1
Tikiwiki_project tikiwiki 1.9.1 .1
Tikiwiki_project tikiwiki 1.9.1
Tikiwiki_project tikiwiki 1.9.3.2
Tikiwiki_project tikiwiki 1.9.3 1
Tikiwiki_project tikiwiki 1.9.2
Gentoo linux
Tikiwiki_project tikiwiki 1.7.9
Tikiwiki_project tikiwiki 1.7.8
Tikiwiki_project tikiwiki 1.9.4
Tikiwiki_project tikiwiki 1.7.6
Tikiwiki_project tikiwiki 1.7.5
Tikiwiki_project tikiwiki 1.7.4
Tikiwiki_project tikiwiki 1.7.3
Tikiwiki_project tikiwiki 1.7.2
Tikiwiki_project tikiwiki 1.7.1 .1
Tikiwiki_project tikiwiki 1.8.5
Tikiwiki_project tikiwiki 1.9.0 -rc3
Tikiwiki_project tikiwiki 1.9.0 -rc2
Tikiwiki_project tikiwiki 1.9.0 -rc1
Tikiwiki_project tikiwiki 1.9.0 -rc3.1
Tikiwiki_project tikiwiki 1.8.3
Tikiwiki_project tikiwiki 1.8.4
Tikiwiki_project tikiwiki 1.7.7
Tikiwiki_project tikiwiki 1.8.1

HTTP:STC:IE-STREAM-HDR - HTTP: Internet Explorer Stream Header

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft Internet Explorer. An attacker can create a malicious Web site containing Web Pages with dangerous headers, which if accessed by a user, allows the attacker to gain control of the user's client browser.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, srx-17.4, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

cve: CVE-2009-1547
bugtraq: 36622

Affected Products:

Microsoft internet_explorer 6.0
Microsoft internet_explorer 5.0.1
Microsoft internet_explorer 7.0
Nortel_networks contact_center_ncc
Nortel_networks self-service_peri_workstation
Microsoft internet_explorer 5.0.1 SP4
Nortel_networks self-service_mps_100
Nortel_networks self-service_mps_500
Nortel_networks self-service_mps_1000
Nortel_networks self-service_speech_server
Nortel_networks contact_center_multimedia_&_outbound 6.0
Microsoft internet_explorer 6.0 SP1
Nortel_networks callpilot 703T
Nortel_networks callpilot 702T
Microsoft internet_explorer 5.0.1 For Windows 98
Nortel_networks callpilot 200I
Microsoft internet_explorer 5.0.1 For Windows 2000
Microsoft internet_explorer 5.0.1 SP2
Microsoft internet_explorer 5.0.1 For Windows 95
Nortel_networks self-service_peri_application
Nortel_networks callpilot 1002Rp
Microsoft internet_explorer 5.0.1 For Windows NT 4.0
Nortel_networks contact_center_express
Nortel_networks contact_center_multimedia
Nortel_networks callpilot 201I
Nortel_networks contact_center_administration_ccma 7.0
Nortel_networks contact_center_administration_ccma 6.0
Nortel_networks contact_center_multimedia_&_outbound 7.0
Microsoft internet_explorer 5.0.1 SP3
Nortel_networks multimedia_comm_mas
Microsoft internet_explorer 5.0.1 SP1
Nortel_networks contact_center_manager_server

HTTP:STC:IE:CLIP-MEM - HTTP: Microsoft Internet Explorer Clip Memory Corruption Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Internet Explorer. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 44536
cve: CVE-2010-3962

Affected Products:

Avaya meeting_exchange 5.2
Microsoft internet_explorer 7.0
Microsoft internet_explorer 6.0
Avaya callpilot 4.0
Avaya callpilot 5.0
Avaya communication_server_1000_telephony_manager 3.0
Avaya communication_server_1000_telephony_manager 4.0
Avaya messaging_application_server 5.2
Avaya meeting_exchange 5.0 SP1
Avaya meeting_exchange 5.1 SP1
Avaya meeting_exchange 5.0
Microsoft internet_explorer 6.0 SP1
Avaya meeting_exchange-client_registration_server
Avaya meeting_exchange-recording_server
Avaya meeting_exchange-streaming_server
Avaya meeting_exchange-web_conferencing_server
Avaya meeting_exchange-webportal
Microsoft internet_explorer 6.0 SP2
Avaya messaging_application_server 4
Avaya meeting_exchange 5.0.0.0.52
Avaya communication_server_1000_telephony_manager
Avaya aura_conferencing 6.0 Standard
Microsoft internet_explorer 8
Avaya meeting_exchange 5.1
Avaya callpilot
Avaya meeting_exchange 5.2 SP2
Avaya meeting_exchange 5.2 SP1

HTTP:STC:ADOBE:PS-TIFF-BOF - HTTP: Adobe Photoshop TIFF Parsing Heap Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Adobe Photoshop TIFF Parsing. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the server.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

APP:HPOV:UNAUTH-FILE-UPLOAD - APP: Hewlett-Packard Operations Manager Server Unauthorized File Upload

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in HP Operations Manager Server. An attacker can use default, unchangeable administrator credentials and upload and execute arbitrary files on the server.

Supported On:

References:

url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960
bugtraq: 37086
cve: CVE-2009-3843
cve: CVE-2009-4189
url: http://www-01.ibm.com/support/docview.wss?uid=swg21419179
cve: CVE-2009-4188
cve: CVE-2010-0557
cve: CVE-2010-4094
url: http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html
bugtraq: 38084
bugtraq: 36954
cve: CVE-2009-3548

Affected Products:

Hp operations_manager 8.1

HTTP:STC:DL:PUB-INDEXLIMITS - HTTP: Microsoft Publisher Invalid Index Limits Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Publisher. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

cve: CVE-2011-3410
bugtraq: 50943

Affected Products:

Microsoft publisher_2007 SP1
Microsoft publisher_2007
Microsoft publisher_2003 SP3
Microsoft publisher_2003
Microsoft publisher_2007_sp3
Microsoft publisher_2007 SP2
Microsoft publisher_2003 SP2

APP:CA:ARCSRV:D2D-AXIS2-RCE - APP: CA ARCserve D2D Axis2 Default Credentials Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in CA ARCserve D2D Axis2. A successful attack can leverage this vulnerability to upload a malicious web service to a target system, enabling arbitrary code execution within the security context of the server.

Supported On:

References:

bugtraq: 45625
cve: CVE-2010-0219

Affected Products:

Computer_associates arcserve_d2d r15

HTTP:STC:ADOBE:READER-U3D - HTTP: Adobe Reader U3D ShadingModifierBlock Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Reader. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

Affected Products:

Red_hat desktop_extras 4
Adobe reader 9.4.5
Adobe acrobat 9.3.4
Red_hat enterprise_linux_supplementary 5 Server
Red_hat enterprise_linux_desktop_supplementary 6
Red_hat enterprise_linux_server_supplementary 6
Red_hat enterprise_linux_workstation_supplementary 6
Adobe acrobat_professional 9.1.2
Adobe acrobat 9.3.4
Adobe acrobat 10.0.1
Adobe acrobat 9.4.2
Adobe acrobat_professional 10.0.1
Adobe acrobat_professional 9.4.2
Adobe acrobat_standard 10.0.1
Adobe acrobat_standard 9.4.2
Adobe reader 10.0.1
Adobe reader 9.4.2
Adobe acrobat_standard 9.3
Adobe acrobat 9.3
Adobe reader 9.3
Adobe acrobat_professional 9.3
Suse suse_linux_enterprise_desktop 10 SP4
Adobe reader 9.2
Adobe acrobat_professional 9.2
Adobe acrobat_standard 9.2
Red_hat enterprise_linux_extras 4
Adobe acrobat 9.3.3
Suse opensuse 11.4
Adobe acrobat 9.4.1
Adobe acrobat_professional 9.4.1
Adobe acrobat_standard 9.4.1
Adobe reader 9.4.1
Adobe reader 9.3.2
Adobe acrobat_standard 9.3.2
Adobe acrobat_professional 9.3.2
Adobe acrobat 9.3.2
Adobe reader 9
Adobe reader 9.4
Adobe reader 9.1.2
Adobe acrobat_standard 9.1.2
Adobe acrobat 9.1.1
Adobe acrobat_standard 9.4.5
Adobe acrobat_standard 9.4
Adobe acrobat_professional 9.4
Adobe acrobat_standard 9.3.4
Adobe acrobat_professional 9.3.4
Adobe reader 9.3.4
Adobe acrobat_standard 9.3.4
Adobe reader 9.3.4
Adobe acrobat_standard 9.4.3
Adobe acrobat 10.1.1
Adobe acrobat_professional 10.1.1
Adobe acrobat_standard 10.1.1
Adobe reader 10.1.1
Adobe acrobat 9.4.6
Adobe acrobat 9.4.4
Adobe acrobat_professional 9.4.6
Adobe acrobat 9.4.5
Adobe acrobat_standard 9.4.6
Adobe reader 9.4.6
Adobe reader 9.1
Adobe acrobat_professional 9.1
Adobe acrobat_standard 9.1
Adobe reader 9.3.3
Adobe acrobat 9.3.3
Adobe acrobat_professional 9.3.3
Adobe acrobat_standard 9.3.3
Adobe reader 9.3.1
Adobe acrobat_professional 9.3.1
Adobe acrobat_standard 9.3.1
Adobe reader 9.1.1
Red_hat enterprise_linux_desktop_supplementary 5 Client
Suse suse_linux_enterprise_desktop 11 SP1
Adobe reader 9.1.3
Adobe acrobat_professional 9.1.3
Adobe acrobat_standard 9.1.3
Gentoo linux
Adobe acrobat 9
Adobe acrobat 10.0.3
Adobe acrobat_professional 10.0.3
Adobe acrobat_standard 10.0.3
Adobe reader 10.0.3
Adobe reader 9.4.3
Adobe reader 9.4.4
Adobe acrobat 9.4
Adobe acrobat_standard 9.4.4
Adobe acrobat_professional 9.4.3
Adobe acrobat_professional 9.4.4
Adobe acrobat 9.4.3
Suse opensuse 11.3
Adobe acrobat 9.3.1
Adobe acrobat 10.0.2
Adobe acrobat_professional 10.0.2
Adobe acrobat_standard 10.0.2
Adobe reader 10.0.2
Red_hat enterprise_linux_ws_extras 4
Adobe acrobat 10.1
Adobe acrobat_professional 10.1
Adobe acrobat_standard 10.1
Adobe reader 10.1
Adobe acrobat 10.0
Adobe acrobat_professional 10.0
Adobe reader 10.0
Adobe acrobat_professional 9.4.5
Adobe acrobat 9.2
Red_hat enterprise_linux_es_extras 4
Red_hat enterprise_linux_as_extras 4

HTTP:ZENOSS-VER-CHECK-RCE - HTTP: Zenoss Core Version Check Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Zenoss. A successful exploit can lead to the remote code execution.

Supported On:

References:

cve: CVE-2014-6261

Affected Products:

Zenoss zenoss_core 5.0.0
Zenoss zenoss_core 2.4.0
Zenoss zenoss_core 3.0.3
Zenoss zenoss_core 2.5.2
Zenoss zenoss_core 2.4.5
Zenoss zenoss_core 4.2.0
Zenoss zenoss_core 3.2.0
Zenoss zenoss_core 3.0.0
Zenoss zenoss_core 4.2.3
Zenoss zenoss_core 3.2.1
Zenoss zenoss_core 3.0.1
Zenoss zenoss_core 2.5.0
Zenoss zenoss_core 3.1.0
Zenoss zenoss_core 3.0.2
Zenoss zenoss_core 2.5.1
Zenoss zenoss_core 4.2.5
Zenoss zenoss_core 4.2.4

DB:MYSQL:FS-REQUEST - SQL: Format String In Request

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against a MySQL database server. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 35609
cve: CVE-2009-2446

Affected Products:

Ubuntu ubuntu_linux 11.04 amd64
Ubuntu ubuntu_linux 11.04 ARM
Ubuntu ubuntu_linux 11.04 i386
Ubuntu ubuntu_linux 11.04 powerpc
Red_hat fedora 10
Mysql_ab mysql 4.1.11A
Red_hat enterprise_linux_desktop 5 Client
Ubuntu ubuntu_linux 6.06 LTS Powerpc
Ubuntu ubuntu_linux 6.06 LTS I386
Ubuntu ubuntu_linux 6.06 LTS Amd64
Red_hat desktop 4.0.0
Mysql_ab mysql 4.1.4
Mysql_ab mysql 4.1.5
Mysql_ab mysql 4.0.4
Mysql_ab mysql 5.0.32
Mysql_ab mysql 4.0.6
Mysql_ab mysql 4.0.7
Mysql_ab mysql 4.0.8
Mysql_ab mysql 4.0.9
Mysql_ab mysql 5.0.4
Mysql_ab mysql 5.0.3
Mysql_ab mysql 5.0.2
Mysql_ab mysql 5.0.1
Ubuntu ubuntu_linux 8.04 LTS Amd64
Ubuntu ubuntu_linux 8.04 LTS I386
Ubuntu ubuntu_linux 8.04 LTS Lpia
Ubuntu ubuntu_linux 8.04 LTS Powerpc
Ubuntu ubuntu_linux 8.04 LTS Sparc
Debian linux 4.0 Armel
Suse opensuse 10.3
Mysql_ab mysql 5.0.75
Mysql_ab mysql 4.1.7
Apple mac_os_x_server 10.6
Mysql_ab mysql 4.0.20
Ubuntu ubuntu_linux 9.10 Amd64
Ubuntu ubuntu_linux 9.10 I386
Ubuntu ubuntu_linux 9.10 Lpia
Ubuntu ubuntu_linux 9.10 Powerpc
Ubuntu ubuntu_linux 9.10 Sparc
Rpath appliance_platform_linux_service 1
Mysql_ab mysql 5.0
Mysql_ab mysql 5.0.19
Mysql_ab mysql 4.1.15
Mysql_ab mysql 5.0.60
Mysql_ab mysql 4.1.24
Suse open-enterprise-server
Mysql_ab mysql 4.1.21
Mysql_ab mysql 5.0.37
Mandriva corporate_server 4.0.0 X86 64
Suse opensuse 11.0
Mysql_ab mysql 5.0.38
Mandriva enterprise_server 5 X86 64
Mysql_ab mysql 5.0.40
Mandriva linux_mandrake 2008.0
Mandriva linux_mandrake 2008.0 X86 64
Ubuntu ubuntu_linux 10.10 amd64
Ubuntu ubuntu_linux 10.10 powerpc
Apple mac_os_x_server 10.6.2
Mysql_ab mysql 5.0.44
Mysql_ab mysql 5.0.45
Mysql_ab mysql 4.1.13
Suse suse_linux_enterprise 10
Ubuntu ubuntu_linux 10.10 i386
Red_hat enterprise_linux_as 4.8.Z
Red_hat enterprise_linux_es 4.8.Z
Mandriva linux_mandrake 2008.1
Mandriva linux_mandrake 2008.1 X86 64
Mysql_ab mysql 4.0.19
Debian linux 4.0 M68k
Mysql_ab mysql 4.0.27
Mysql_ab mysql 4.0.26
Mysql_ab mysql 4.0.25
Mysql_ab mysql 4.1.19
Mysql_ab mysql 4.1.18
Mysql_ab mysql 5.0.21
Mysql_ab mysql 5.0.20
Mysql_ab mysql 4.1.16
Debian linux 4.0 Mipsel
Mandriva linux_mandrake 2009.0 X86 64
Mysql_ab mysql 4.1.0-0
Debian linux 5.0
Debian linux 5.0 Alpha
Debian linux 5.0 Amd64
Debian linux 5.0 Arm
Debian linux 5.0 Hppa
Debian linux 5.0 Ia-32
Suse suse_linux_enterprise 11
Debian linux 5.0 M68k
Debian linux 5.0 Mips
Debian linux 5.0 Mipsel
Debian linux 5.0 Powerpc
Debian linux 5.0 S/390
Debian linux 5.0 Sparc
Mysql_ab mysql 4.0.5
Rpath rpath_linux 1
Ubuntu ubuntu_linux 10.04 ARM
Ubuntu ubuntu_linux 10.10 ARM
Mysql_ab mysql 4.1.11
Mysql_ab mysql 4.1.12
Mysql_ab mysql 5.0.24
Mysql_ab mysql 4.0.24
Mysql_ab mysql 4.1.10A
Mysql_ab mysql 4.1.2
Mysql_ab mysql 4.1.1
Mysql_ab mysql 5.0.66
Ubuntu ubuntu_linux 9.04 I386
Ubuntu ubuntu_linux 9.04 Lpia
Ubuntu ubuntu_linux 9.04 Powerpc
Ubuntu ubuntu_linux 9.04 Sparc
Mysql_ab mysql 4.0.11
Mandriva corporate_server 4.0
Mysql_ab mysql 4.0.12
Mysql_ab mysql 4.0.21
Red_hat enterprise_linux_desktop_workstation 5 Client
Mysql_ab mysql 4.0.13
Mysql_ab mysql 4.0.17
Mysql_ab mysql 4.0.18
Mandriva linux_mandrake 2009.0
Suse novell_linux_desktop 9.0.0
Apple mac_os_x_server 10.6.1
Red_hat enterprise_linux 5 Server
Rpath rpath_linux 2
Mysql_ab mysql 4.1.23
Mysql_ab mysql 5.0.42
Gentoo linux
Mysql_ab mysql 4.0.14
Mysql_ab mysql 4.0.15
Mysql_ab mysql 4.1.0 .11
Debian linux 4.0 Alpha
Debian linux 4.0 Amd64
Debian linux 4.0 Arm
Debian linux 4.0 Hppa
Debian linux 4.0 Ia-32
Debian linux 4.0 Ia-64
Mysql_ab mysql 4.1.20
Debian linux 4.0 Mips
Mysql_ab mysql 5.0.36
Debian linux 4.0 Powerpc
Debian linux 4.0 S/390
Debian linux 4.0 Sparc
Debian linux 4.0
Ubuntu ubuntu_linux 11.10 amd64
Ubuntu ubuntu_linux 11.10 i386
Ubuntu ubuntu_linux 10.04 Amd64
Ubuntu ubuntu_linux 10.04 I386
Ubuntu ubuntu_linux 10.04 Powerpc
Ubuntu ubuntu_linux 10.04 Sparc
Mysql_ab mysql 5.0.51
Mysql_ab mysql 5.0.50
Mysql_ab mysql 5.0.49
Mysql_ab mysql 5.0.48
Mysql_ab mysql 5.0.47
Mysql_ab mysql 5.0.46
Ubuntu ubuntu_linux 8.10 Amd64
Ubuntu ubuntu_linux 8.10 I386
Ubuntu ubuntu_linux 8.10 Lpia
Mysql_ab mysql 5.0.33
Mysql_ab mysql 5.0.27
Mysql_ab mysql 5.0.39
Red_hat enterprise_linux_as 4
Red_hat enterprise_linux_es 4
Red_hat enterprise_linux_ws 4
Mysql_ab mysql 5.0.22
Suse suse_linux_enterprise_server 9
Ubuntu ubuntu_linux 8.10 Powerpc
Ubuntu ubuntu_linux 8.10 Sparc
Mandriva enterprise_server 5
Debian linux 5.0 Ia-64
Ubuntu ubuntu_linux 6.06 LTS Sparc
Ubuntu ubuntu_linux 9.04 Amd64
Mysql_ab mysql 4.0.2
Suse opensuse 11.1
Mysql_ab mysql 4.0.1
Mysql_ab mysql 4.0.3
Mysql_ab mysql 4.0.0 .0
Mysql_ab mysql 5.0.18
Rpath appliance_platform_linux_service 2
Mysql_ab mysql 5.0.26
Mysql_ab mysql 5.0.52
Mysql_ab mysql 4.0.10
Red_hat application_stack_v2
Debian linux 5.0 Armel
Mysql_ab mysql 4.0.23

SPYWARE:AD:FREESCRATCHANDWIN - SPYWARE: FreeScratchAndWin

Severity: LOW

Description:

This signature detects the runtime behavior of spyware FreeScratchAndWin, a browser hijacker application. This spyware hijacks the settings for the browser home page and search page, then displays pop-up advertisements. It also periodically downloads code from its controlling server and updates itself.

Supported On:

References:

DOS:NETDEV:D-LINK-DNS-320 - DOS: D-Link DNS-320 ShareCenter Denial of Service

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in the D-Link DNS-320 ShareCenter network storage device. A successful exploitation can allow remote attackers to reload, reboot or shutdown the device, denying service to legitimate users.

Supported On:

References:

bugtraq: 50902
url: http://sharecenter.dlink.com/products/DNS-320

Affected Products:

D-link dns-320_sharecenter

HTTP:OVERFLOW:EFS-FILE-SERVE-BO - HTTP: EFS Software Easy File Sharing Web Server sendemail.ghp Stack Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Easy File Sharing Web Server. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the current user.

Supported On:

HTTP:EK-ANGLER-OUTBOUND-COMM - HTTP: Angler Exploit Kit Outbound Communication Attempt

Severity: HIGH

Description:

This signature detects an attempt to download exploits from malicious exploit kits that may compromise a computer through various vendor vulnerabilities. Exploit kits are very specific type of toolkits which are being used by cyber criminals to deliver other pieces of malware.

Supported On:

HTTP:OVERFLOW:OVWEBHELP-BO - HTTP: HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against HP Openview. Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits can completely compromise affected computers. Failed exploit attempts can result in a denial-of-service condition.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 37340
cve: CVE-2009-4178

Affected Products:

Hp openview_network_node_manager 7.53
Hp openview_network_node_manager 7.01
Hp openview_network_node_manager 7.50
Hp openview_network_node_manager 7.51
Hp openview_network_node_manager 7.50.0 HP-UX 11.X
Hp openview_network_node_manager 7.50.0 Solaris
Hp openview_network_node_manager 7.50.0 Windows 2000/XP
Hp openview_network_node_manager 7.50.0 Linux
Hp openview_network_node_manager 7.50.0

HTTP:OVERFLOW:OPENVIEW-NNM-BO - HTTP: HP OpenView Network Node Manager Buffer Overflow

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in the HP OpenView Network Node Manager (NNM). A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the system.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.5.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, isg-3.1.134269, vsrx-15.1

References:

bugtraq: 34134
cve: CVE-2008-0067
bugtraq: 33147
cve: CVE-2009-0920
bugtraq: 34294
bugtraq: 26741
cve: CVE-2007-6204
cve: CVE-2009-0921
bugtraq: 37347
cve: CVE-2009-0921
cve: CVE-2009-4179
url: http://dvlabs.tippingpoint.com/advisory/TPTI-09-12
url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877

Affected Products:

Hp openview_network_node_manager 7.0.0.1
Hp openview_network_node_manager 7.51
Hp openview_network_node_manager 7.53
Hp openview_network_node_manager 7.01
Hp openview_network_node_manager 7.0.0.1 Solaris
Hp openview_network_node_manager 7.0.0.1 HP-UX 11.X
Hp openview_network_node_manager 7.01(IA)
Hp openview_network_node_manager 7.0.0.1 Windows 2000/XP

APP:HPOV:OID-OF - APP: HP OpenView NNM snmp.exe Long OID Parameter

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in the Hewlett Packard OpenView Network Node Manager (NNM). A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the system.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 37299
cve: CVE-2009-3849
url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379
bugtraq: 40068
cve: CVE-2010-1552

Affected Products:

Hp openview_network_node_manager 7.53
Hp openview_network_node_manager 7.01
Hp openview_network_node_manager 7.50
Hp openview_network_node_manager 7.51
Hp openview_network_node_manager 7.50.0 HP-UX 11.X
Hp openview_network_node_manager 7.50.0 Solaris
Hp openview_network_node_manager 7.50.0 Windows 2000/XP
Hp openview_network_node_manager 7.50.0 Linux
Hp openview_network_node_manager 7.50.0

HTTP:STC:DL:VBA-MEM-CORRUPT - HTTP: Microsoft Visual Basic for Applications Stack Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Visual Basic for Applications Library. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, j-series-9.5, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, srx-17.4, isg-3.5.141818, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

url: http://www.microsoft.com/technet/security/bulletin/ms10-031.mspx
bugtraq: 39931
cve: CVE-2010-0815

Affected Products:

Microsoft visual_basic_for_applications
Microsoft office_xp
Microsoft visual_basic_for_applications_sdk 6.0
Microsoft office_xp SP3
Microsoft office_2003 SP1
Microsoft office_2003 SP2
Microsoft office_2007 SP1
Microsoft office_xp SP1
Microsoft office_2003 SP3
Ibm catia_v5 Release 18
Ibm catia_v5 Release 18
Microsoft office_2007 SP2
Microsoft office_2007
Microsoft office_xp SP2
Microsoft office_2003
Ibm catia_v5 Release 19

HTTP:OVERFLOW:HP-POWERMAN-OF - HTTP: HP Power Manager Login Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Hewlett Packard Power Manager. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the Web server.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, isg-3.4.139899, mx-11.4, isg-3.4.140032, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, isg-3.5.141818, idp-5.0.110121210, idp-5.0.110130325, srx-branch-19.1, idp-5.1.110170603, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 36933
cve: CVE-2010-4113
cve: CVE-2009-2685

Affected Products:

Hp power_manager 4.0Build10
Hp power_manager 4.0Build11
Hp power_manager 4.2.9
Hp power_manager 4.2.7
Hp power_manager

HTTP:STC:DL:PPT-PP7-MC - HTTP: Microsoft Office PowerPoint PP7 File Handling Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Office PowerPoint. A successful attack could allow the attacker to execute arbitrary code on the targeted system. Failed exploit attempts could result in a denial of service condition.

Supported On:

References:

cve: CVE-2009-0225
bugtraq: 34880

Affected Products:

Microsoft powerpoint_2002
Microsoft powerpoint_2002 SP1
Microsoft powerpoint_2002 SP2
Microsoft powerpoint_2002 SP3

HTTP:STC:IE:LOCATION-X-DOMAIN - HTTP: Microsoft Internet Explorer Location Property Cross Domain Scripting

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Internet Explorer. Successful exploitation can allow a remote attacker to execute arbitrary script code in a user's browser session in context of the trusted site and to access the content of a web page in a different domain.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

cve: CVE-2008-2947
bugtraq: 29960

Affected Products:

Microsoft internet_explorer 6.0
Hp storage_management_appliance 2.1
Microsoft internet_explorer 5.0.1
Microsoft internet_explorer 7.0
Nortel_networks self-service_peri_workstation
Nortel_networks media_processing_svr_100
Microsoft internet_explorer 5.0.1 SP4
Nortel_networks self-service_speech_server
Microsoft internet_explorer 6.0 SP1
Nortel_networks callpilot 703T
Nortel_networks callpilot 702T
Nortel_networks callpilot 201I
Nortel_networks callpilot 200I
Microsoft internet_explorer 5.0.1 For Windows 2000
Microsoft internet_explorer 5.0.1 SP2
Nortel_networks contact_center_manager_server
Nortel_networks self-service_peri_application
Nortel_networks callpilot 1002Rp
Nortel_networks contact_center_express
Nortel_networks contact_center_manager
Nortel_networks media_processing_svr_1000_rel 3.0
Nortel_networks media_processing_svr_500_rel 3.0
Microsoft internet_explorer 5.0.1 SP1
Microsoft internet_explorer 5.0.1 SP3

HTTP:TOMCAT:URL-ENC-DIRTRAV - HTTP: Apache Tomcat allowLinking URIencoding Directory Traversal Vulnerability

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Apache Tomcat.It is due to an input validation error in Tomcat that does not properly sanitize the URI for directory traversal patterns. A successful attack will allow the attacker to gain access to sensitive system files. This may lead to disclosure of sensitive information.

Supported On:

References:

bugtraq: 30633
cve: CVE-2008-2938

Affected Products:

Fujitsu interstage_application_server_enterprise_edition 9.0.0A
Sun jre_(solaris_production_release) 1.5.0 05
Sun jre_(windows_production_release) 1.5.0 05
Apache_software_foundation tomcat 5.5.15
Apache_software_foundation tomcat 5.5.16
Apache_software_foundation tomcat 5.5.18
Apache_software_foundation tomcat 5.5.19
Apache_software_foundation tomcat 5.5.26
Apache_software_foundation tomcat 5.5.21
Apache_software_foundation tomcat 5.5.22
Apache_software_foundation tomcat 5.5.23
Red_hat enterprise_linux_desktop 5 Client
Avaya aura_application_enablement_services 4.1
Apache_software_foundation tomcat 4.1.28
Apache_software_foundation tomcat 4.1.29
Apache_software_foundation tomcat 4.1.30
Sun jre_(linux_production_release) 1.4.2 06
Sun jre_(windows_production_release) 1.4.2 06
Sun jre_(solaris_production_release) 1.4.2 06
Apache_software_foundation tomcat 5.5.14
Apache_software_foundation tomcat 5.5.6
Sun jre_(linux_production_release) 1.4.2 13
Sun jre_(windows_production_release) 1.4.2 12
Fujitsu interstage_application_server_plus 7.0.1
Sun jre_(linux_production_release) 1.4.2 14
Apache_software_foundation tomcat 6.0.16
Apache_software_foundation tomcat 4.1.31
Red_hat application_server_as4 2
Red_hat application_server_es4 2
Red_hat application_server_ws4 2
Red_hat developer_suite_as4 3
Sun jre_(solaris_production_release) 1.6.0 03
Avaya meeting_exchange 5.0.0.0.52
Apache_software_foundation tomcat 4.1.32
Apache_software_foundation tomcat 6.0.12
Apache_software_foundation tomcat 6.0.13
Apache_software_foundation tomcat 4.1.34
Suse opensuse 10.3
Apache_software_foundation tomcat 5.5.20
Avaya aura_application_enablement_services 3.0
Sun jre_(windows_production_release) 1.5.0
Sun jre_(solaris_production_release) 1.5.0 01
Apache_software_foundation tomcat 4.1.3 Beta
Sun jre_(windows_production_release) 1.5.0 04
Sun jre_(windows_production_release) 1.4.2 14
Hp hp-ux B.11.31
Sun jre_(solaris_production_release) 1.5.0 10
Apache_software_foundation tomcat 5.5.1
Apache_software_foundation tomcat 5.5.0
Fujitsu interstage_application_server_standard-j_edition 8.0.0
Fujitsu interstage_application_server_enterprise_edition 6.0
Fujitsu interstage_application_server_enterprise_edition 7.0
Avaya aura_application_enablement_services 3.1.5
Fujitsu interstage_application_server_enterprise_edition 7.0.1
Fujitsu interstage_application_server_enterprise_edition 8.0.0
Fujitsu interstage_application_server_enterprise_edition 8.0.2
Fujitsu interstage_application_server_standard-j_edition 8.0.2
Fujitsu interstage_apworks_modelers-j_edition 6.0
Fujitsu interstage_apworks_modelers-j_edition 6.0A
Apache_software_foundation tomcat 4.1.3
Avaya aura_application_enablement_services 3.1
Fujitsu interstage_studio_enterprise_edition 9.0.0
Fujitsu interstage_studio_standard-j_edition 9.0.0
Fujitsu interstage_studio_enterprise_edition 8.0.1
Fujitsu interstage_studio_standard-j_edition 8.0.1
Fujitsu interstage_business_application_server_enterprise 8.0.0
Fujitsu interstage_job_workload_server 8.1.0
Sun jre_(linux_production_release) 1.4.2 01
Sun jre_(solaris_production_release) 1.4.2 01
Sun jre_(solaris_production_release) 1.4.2 02
Sun jre_(linux_production_release) 1.4.2
Sun jre_(windows_production_release) 1.4.2 02
Sun jre_(solaris_production_release) 1.5.0.0 09
Sun jre_(windows_production_release) 1.4.2
Avaya aura_application_enablement_services 3.1.3
Mandriva linux_mandrake 2008.0
Mandriva linux_mandrake 2008.0 X86 64
Sun jre_(windows_production_release) 1.4.2 17
Sun jre_(linux_production_release) 1.5.0 01
Sun jre_(linux_production_release) 1.5.0 02
Sun jre_(linux_production_release) 1.5.0 05
Avaya aura_application_enablement_services 3.1.4
Sun jre_(windows_production_release) 1.5.0 12
Sun jre_(windows_production_release) 1.5.0 11
Hp hp-ux B.11.11
Mandriva linux_mandrake 2008.1
Sun jre_(linux_production_release) 1.4.2 08
Sun jre_(linux_production_release) 1.5.0 .0 Beta
Hp hp-ux B.11.23
Apache_software_foundation tomcat 5.5.11
Sun jre_(linux_production_release) 1.6.0 01
Sun jre_(linux_production_release) 1.6.0 02
Sun jre_(solaris_production_release) 1.6.0 01
Sun jre_(solaris_production_release) 1.6.0 02
Sun jre_(windows_production_release) 1.6.0 01
Sun jre_(windows_production_release) 1.6.0 02
Avaya aura_application_enablement_services 4.2
Sun jre_(linux_production_release) 1.4.2 16
Sun jre_(solaris_production_release) 1.4.2 16
Sun jre_(windows_production_release) 1.4.2 16
Sun jre_(windows_production_release) 1.4.2 15
Fujitsu interstage_application_server_plus 7.0
Oracle oracle10g_application_server 10.1.3 .1.0
Sun jre_(linux_production_release) 1.5.0 12
Sun jre_(linux_production_release) 1.5.0 13
Sun jre_(solaris_production_release) 1.5.0 12
Sun jre_(solaris_production_release) 1.5.0 13
Sun jre_(windows_production_release) 1.4.2 18
Sun jre_(windows_production_release) 1.5.0 13
Fujitsu interstage_application_server_plus_developer 6.0
Apache_software_foundation tomcat 5.5.13
Sun jre_(windows_production_release) 1.5.0 14
Apache_software_foundation tomcat 4.1.0
Fujitsu interstage_application_server_enterprise_edition 9.0.0
Sun jre_(linux_production_release) 1.6.0 03
Apache_software_foundation tomcat 5.5.17
Sun jre_(windows_production_release) 1.6.0 03
Avaya aura_application_enablement_services 4.0.1
Apache_software_foundation tomcat 5.5.7
Apache_software_foundation tomcat 5.5.8
Apache_software_foundation tomcat 5.5.5
Apache_software_foundation tomcat 5.5.4
Apache_software_foundation tomcat 5.5.3
Apache_software_foundation tomcat 5.5.2
Fujitsu interstage_application_server_enterprise_edition 9.1.0
Fujitsu interstage_application_server_standard-j_edition 9.1.0
Avaya aura_application_enablement_services 4.0
Suse opensuse 11.0
Sun jre_(solaris_production_release) 1.4.2 05
Sun jre_(linux_production_release) 1.4.2 17
Sun jre_(solaris_production_release) 1.4.2 17
Fujitsu interstage_studio_enterprise_edition 9.1.0
Fujitsu interstage_studio_enterprise_edition 9.1.0 B
Fujitsu interstage_studio_standard-j_edition 9.1.0
Fujitsu interstage_studio_standard-j_edition 9.1.0 B
Sun jre_(solaris_production_release) 1.4.2 14
Sun jre_(solaris_production_release) 1.5.0
Apache_software_foundation tomcat 4.1.10
Apache_software_foundation tomcat 4.1.12
Mandriva linux_mandrake 2008.1 X86 64
Red_hat enterprise_linux_desktop_workstation 5 Client
Red_hat enterprise_linux 5 Server
Fujitsu interstage_application_server_standard-j_edition 9.0.0
Sun jre_(linux_production_release) 1.5.0 08
Sun jre_(linux_production_release) 1.5.0 09
Sun jre_(linux_production_release) 1.5.0 10
Sun jre_(linux_production_release) 1.4.2 03
Sun jre_(solaris_production_release) 1.4.2 03
Sun jre_(linux_production_release) 1.5.0 11
Apache_software_foundation tomcat 4.1.24
Sun jre_(linux_production_release) 1.4.2 04
Sun jre_(linux_production_release) 1.4.2 15
Apache_software_foundation tomcat 6.0.15
Sun jre_(solaris_production_release) 1.4.2 15
Apache_software_foundation tomcat 6.0.14
Sun jre_(solaris_production_release) 1.4.2 12
Sun jre_(linux_production_release) 1.4.2 12
Red_hat jboss_enterprise_application_platform 4.2.0
Red_hat jboss_enterprise_application_platform 4.2.0.CP03
Sun jre_(linux_production_release) 1.5.0 07
Red_hat jboss_enterprise_application_platform 4.2.0 EL5
Red_hat fedora 8
Sun jre_(windows_production_release) 1.5.0.0 09
Apache_software_foundation harmony 5.0 M8
Apache_software_foundation harmony 5.0 M7
Openjdk java 1.6.0
Suse opensuse 10.2
Sun jre_(windows_production_release) 1.4.2 04
Apache_software_foundation tomcat 6.0.9
Sun jre_(windows_production_release) 1.4.2 01
Sun jre_(linux_production_release) 1.4.2 09
Red_hat red_hat_network_satellite_server 5.0.0
Red_hat red_hat_network_satellite_server 5.0.1
Apache_software_foundation tomcat 5.5.10
Sun jre_(solaris_production_release) 1.4.2
Apache_software_foundation tomcat 5.5.12
Apache_software_foundation tomcat 6.0.8
Apache_software_foundation tomcat 5.5.9
Fujitsu interstage_application_server_standard-j_edition 9.0.0A
Apache_software_foundation tomcat 6.0.6
Apache_software_foundation tomcat 5.5.25
Apache_software_foundation tomcat 4.1.9 Beta
Sun jre_(solaris_production_release) 1.5.0 02
Sun jre_(windows_production_release) 1.4.2 03
Fujitsu interstage_application_server_plus 6.0
Suse suse_linux_enterprise_server 10 SP2
Sun jre_(windows_production_release) 1.5.0.0 07
Sun jre_(solaris_production_release) 1.5.0.0 07
Sun jre_(windows_production_release) 1.4.2 07
Sun jre_(windows_production_release) 1.5.0.0 08
Sun jre_(solaris_production_release) 1.5.0.0 08
Sun jre_(windows_production_release) 1.4.2 10
Sun jre_(windows_production_release) 1.4.2 11
Sun jre_(windows_production_release) 1.4.2 13
Sun jre_(linux_production_release) 1.5.0 14
Sun jre_(solaris_production_release) 1.5.0 14
Sun jre_(solaris_production_release) 1.4.2 08
Sun jre_(solaris_production_release) 1.4.2 04
Sun jre_(windows_production_release) 1.6.0 2
Sun jre_(solaris_production_release) 1.4.2 11
Sun jre_(solaris_production_release) 1.4.2 13
Avaya meeting_exchange 5.0
Avaya aura_application_enablement_services 3.1.6
Red_hat red_hat_network_satellite_(for_rhel_4) 5.1
Sun jre_(linux_production_release) 1.4.2 10
Sun jre_(linux_production_release) 1.4.2 11
Sun jre_(windows_production_release) 1.4.2 08
Sun jre_(linux_production_release) 1.4.2 10-B03
Apache_software_foundation tomcat 4.1.36
Apache_software_foundation tomcat 4.1.37
Apache_software_foundation tomcat 5.5.24
Apache_software_foundation tomcat 6.0.11
Sun jre_(windows_production_release) 1.4.2 09
Fujitsu interstage_application_server_plus_developer 7.0
Sun jre_(linux_production_release) 1.5.0 04
Sun jre_(linux_production_release) 1.4.2 02
Avaya meeting_exchange-enterprise_edition
Sun jre_(windows_production_release) 1.4.2 05
Sun jre_(linux_production_release) 1.4.2 05
Apache_software_foundation tomcat 6.0.0
Apple mac_os_x_server 10.5.5
Avaya aura_application_enablement_services 4.2.1
Sun jre_(solaris_production_release) 1.5.0 11
Fujitsu interstage_apworks_modelers-j_edition 7.0
Sun jre_(solaris_production_release) 1.4.2 07
Sun jre_(linux_production_release) 1.4.2 07
Red_hat jboss_enterprise_application_platform 4.2.0 EL4
Sun jre_(solaris_production_release) 1.6.0 2
Sun jre_(linux_production_release) 1.4.2 18
Sun jre_(linux_production_release) 1.5.0
Sun jre_(solaris_production_release) 1.4.2 09
Sun jre_(windows_production_release) 1.5.0 06
Sun jre_(solaris_production_release) 1.5.0 06
Sun jre_(linux_production_release) 1.5.0 06
Sun jre_(solaris_production_release) 1.4.2 18
Sun jre_(linux_production_release) 1.5.0 03
Sun jre_(solaris_production_release) 1.4.2 10
Apache_software_foundation tomcat 6.0.10
Fujitsu interstage_application_server_enterprise_edition 9.1.0B
Sun jre_(windows_production_release) 1.5.0 10
Apache_software_foundation tomcat 6.0.7
Fujitsu interstage_application_server_standard-j_edition 9.1.0B
Apache_software_foundation tomcat 6.0.5
Apache_software_foundation tomcat 6.0.4
Apache_software_foundation tomcat 6.0.3
Apache_software_foundation tomcat 6.0.2
Apache_software_foundation tomcat 6.0.1
Sun jre_(windows_production_release) 1.5.0 01
Novell zenworks_linux_management 7.3
Sun jre_(windows_production_release) 1.5.0 02
Sun jre_(solaris_production_release) 1.5.0 03
Red_hat fedora 9
Wikid_systems wikid_server 3.0.4
Sun jre_(solaris_production_release) 1.5.0 04
Sun jre_(windows_production_release) 1.5.0 03

DOS:NETDEV:WEBJET-FRAMEWORK - DOS: HP Web JetAdmin Framework Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in HP Web JetAdmin service. Web JetAdmin version 6.5 is vulnerable. Attackers can access sensitive configuration information.

Supported On:

References:

Affected Products:

Hp web_jetadmin 7.0.0
Hp web_jetadmin 6.5.0

HTTP:XSS:WP-FANCYBOX-PLUGIN - HTTP: WordPress Fancybox Plugin Cross Site Scripting

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the WordPress Fancybox Plugin. A remote unauthenticated attacker can leverage the vulnerability to achieve cross-site scripting attacks.

Supported On:

HTTP:IIS:ASP-FORMS-DISCLOSURE - HTTP: ASP.NET Forms Authentication Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against ASP.NET. Remote authenticated attackers can obtain access to arbitrary user accounts via a crafted username.

Supported On:

References:

bugtraq: 51201
cve: CVE-2011-3416

Affected Products:

Avaya meeting_exchange 5.2
Microsoft .net_framework 2.0
Microsoft .net_framework 1.1 SP2
Microsoft .net_framework 4.0
Microsoft .net_framework 1.1 SP3
Avaya callpilot 4.0
Avaya callpilot 5.0
Avaya communication_server_1000_telephony_manager 3.0
Avaya communication_server_1000_telephony_manager 4.0
Avaya messaging_application_server 5.2
Microsoft .net_framework 2.0 SP2
Avaya meeting_exchange 5.0 SP1
Avaya meeting_exchange 5.0 SP2
Avaya meeting_exchange 5.1 SP1
Avaya meeting_exchange 5.0
Microsoft .net_framework 3.5
Microsoft .net_framework 1.1
Avaya meeting_exchange-client_registration_server
Avaya meeting_exchange-recording_server
Avaya meeting_exchange-streaming_server
Avaya meeting_exchange-web_conferencing_server
Avaya meeting_exchange-webportal
Avaya messaging_application_server 4
Avaya messaging_application_server 5
Microsoft .net_framework 2.0 SP1
Avaya meeting_exchange 5.0.0.0.52
Microsoft .net_framework 1.1 SP1
Avaya aura_conferencing 6.0 Standard
Microsoft .net_framework 3.5 SP1
Avaya meeting_exchange 5.1
Avaya meeting_exchange 5.2 SP2
Avaya meeting_exchange 5.2 SP1

HTTP:STC:DL:MS-OBJ-PACKAGER-RCE - HTTP: Microsoft Windows Object Packager ClickOnce Object Handling Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Windows Object Packager. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, srx-branch-19.1, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, j-series-9.5, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

bugtraq: 51284
cve: CVE-2012-0013

Affected Products:

Microsoft windows_xp_professional
Microsoft windows_7_for_32-bit_systems
Microsoft windows_7_for_x64-based_systems
Microsoft windows_7_for_itanium-based_systems
Microsoft windows_server_2008_standard_edition - Gold Web
Microsoft windows_xp_home
Microsoft windows_vista_business_64-bit_edition SP2
Microsoft windows_vista_enterprise_64-bit_edition SP2
Microsoft windows_vista Enterprise SP2
Microsoft windows_vista_home_basic_64-bit_edition SP2
Microsoft windows_vista Home Basic SP2
Microsoft windows_vista_home_premium_64-bit_edition SP2
Microsoft windows_vista Home Premium SP2
Microsoft windows_vista SP2
Microsoft windows_vista_ultimate_64-bit_edition SP2
Microsoft windows_server_2008_standard_edition X64
Microsoft windows_vista_x64_edition SP2
Microsoft windows_server_2008_datacenter_edition SP2
Microsoft windows_server_2008_enterprise_edition SP2
Microsoft windows_7_home_premium - Sp1 X32
Microsoft windows_7_home_premium - Sp1 X64
Microsoft windows_server_2008_for_32-bit_systems SP2
Microsoft windows_server_2008_for_itanium-based_systems SP2
Microsoft windows_server_2008_for_x64-based_systems SP2
Microsoft windows_server_2003 R2 Platfom SDK
Microsoft windows_server_2003_r2_datacenter_edition
Microsoft windows_server_2008_standard_edition - Gold Standard
Microsoft windows_server_2003_x64 SP2
Microsoft windows_vista_ultimate_64-bit_edition SP1
Microsoft windows_server_2003 R2 X64
Avaya meeting_exchange 5.0.0.0.52
Microsoft windows_7 RC
Microsoft windows_server_2008_standard_edition - Gold Itanium
Microsoft windows_server_2003 R2 Enterprise
Microsoft windows_server_2008_standard_edition R2
Microsoft windows_server_2008 - Sp2 Enterprise X64
Microsoft windows_server_2008_standard_edition Release Candidate
Microsoft windows_server_2008_enterprise_edition Release Candidate
Microsoft windows_server_2008_standard_edition
Microsoft windows_vista Home Basic SP1
Microsoft windows_server_2003 R2
Microsoft windows_vista Enterprise SP1
Microsoft windows_vista Ultimate SP1
Microsoft windows_vista_business_64-bit_edition SP1
Microsoft windows_vista_enterprise_64-bit_edition SP1
Microsoft windows_vista_home_basic_64-bit_edition SP1
Microsoft windows_vista_home_premium_64-bit_edition SP1
Microsoft windows_7_xp_mode
Microsoft windows_server_2003_x64 SP1
Microsoft windows_server_2003 Sp2 Storage
Avaya aura_conferencing 6.0 Standard
Microsoft windows_server_2003_enterprise_edition_itanium SP2
Microsoft windows_server_2003_enterprise_edition_itanium Sp2 Itanium
Microsoft windows_vista_home_basic_64-bit_edition Sp1 X64
Microsoft windows_vista_home_basic_64-bit_edition Sp2 X64
Microsoft windows_server_2003 R2 X64-Enterprise
Microsoft windows_vista_x64_edition
Microsoft windows_server_2003_web_edition SP2
Microsoft windows_xp_professional_x64_edition SP2
Microsoft windows_server_2003_itanium
Microsoft windows_server_2003_itanium SP1
Microsoft windows_server_2003_itanium SP2
Microsoft windows_vista Ultimate SP2
Microsoft windows_server_2003_enterprise_x64_edition SP2
Microsoft windows_server_2003_standard_edition SP2
Microsoft windows_xp_tablet_pc_edition SP1
Avaya meeting_exchange 5.2
Microsoft windows_server_2008_r2_datacenter
Microsoft windows_server_2003_terminal_services
Microsoft windows_server_2008_standard_edition SP2
Microsoft windows_server_2003 R2 Standard
Microsoft windows_server_2003 Sp2 Datacenter
Avaya callpilot 4.0
Avaya callpilot 5.0
Avaya communication_server_1000_telephony_manager 3.0
Avaya communication_server_1000_telephony_manager 4.0
Avaya messaging_application_server 5.2
Microsoft windows_vista_business_64-bit_edition X86-Enterprise
Microsoft windows_vista_business_64-bit_edition X86-Ultimate
Microsoft windows_vista_business_64-bit_edition Sp1 X64-Enterprise
Microsoft windows_server_2003_r2_enterprise_edition
Microsoft windows_server_2003_r2_enterprise_edition_sp1
Microsoft windows_server_2003_r2_enterprise_edition_sp2
Microsoft windows_server_2008_standard_edition - Gold Datacenter
Microsoft windows_server_2003_r2_datacenter_edition_sp1
Microsoft windows_server_2003_r2_datacenter_edition_sp2
Microsoft windows_server_2003_r2_standard_edition
Microsoft windows_server_2003_r2_web_edition
Microsoft windows_server_2008_standard_edition - Gold
Avaya meeting_exchange 5.0 SP1
Avaya meeting_exchange 5.0 SP2
Avaya meeting_exchange 5.1 SP1
Microsoft windows_server_2003 SP1 Platform SDK
Microsoft windows_server_2003 R2 Datacenter
Microsoft windows_xp_media_center_edition
Microsoft windows_xp_tablet_pc_edition
Microsoft windows_vista_x64_edition SP1
Microsoft windows_server_2003_enterprise_x64_edition
Microsoft windows_server_2003 R2 X64-Standard
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP1
Microsoft windows_xp_tablet_pc_edition SP3
Microsoft windows_xp_professional_x64_edition SP3
Microsoft windows_xp_professional SP3
Microsoft windows_xp_media_center_edition SP3
Microsoft windows_xp_home SP3
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_datacenter_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft windows_server_2003 R2 X64-Datacenter
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_server_2003_enterprise_edition_itanium
Microsoft windows_server_2003_datacenter_edition_itanium
Microsoft windows_server_2008_r2_x64
Microsoft windows_server_2008_r2_itanium
Avaya meeting_exchange 5.1
Microsoft windows_server_2008 SP2 Beta
Avaya meeting_exchange 5.2 SP2
Microsoft windows 7
Microsoft windows_server_2008_r2_itanium SP1
Microsoft windows_server_2008_r2_x64 SP1
Microsoft windows_7_for_32-bit_systems SP1
Microsoft windows_7_for_itanium-based_systems SP1
Microsoft windows_server_2008_standard_edition - Gold Storage
Microsoft windows_server_2008_standard_edition - Sp2 Web
Microsoft windows_server_2003 R2 Compute Cluster
Microsoft windows_server_2008_for_x64-based_systems R2
Microsoft windows_server_2008_for_itanium-based_systems R2
Microsoft windows_xp_tablet_pc_edition SP2
Avaya meeting_exchange 5.2 SP1
Microsoft windows_server_2008 R2 SP1
Avaya meeting_exchange 5.0
Avaya meeting_exchange-client_registration_server
Avaya meeting_exchange-recording_server
Avaya meeting_exchange-streaming_server
Avaya meeting_exchange-web_conferencing_server
Avaya meeting_exchange-webportal
Microsoft windows_server_2003 R2 Storage
Microsoft windows_server_2003 Sp2 Enterprise
Microsoft windows_server_2003_enterprise_edition_itanium SP1 Beta 1
Microsoft windows_server_2008_standard_edition R2 SP1
Microsoft windows_server_2003_standard_edition SP1 Beta 1
Microsoft windows_server_2003_web_edition SP1 Beta 1
Microsoft windows_server_2003 SP2
Microsoft windows_server_2003 Sp1 Compute Cluster
Microsoft windows_7_for_x64-based_systems SP1
Microsoft windows_server_2008_standard_edition - Sp2 Storage
Microsoft windows_server_2003 Sp1 Storage
Microsoft windows_vista Home Premium SP1
Microsoft windows_server_2003 Sp1 X64
Microsoft windows_server_2003 Sp2 X64
Microsoft windows_xp_home SP2
Microsoft windows_xp_professional SP2
Microsoft windows_xp_media_center_edition SP1
Microsoft windows_xp_media_center_edition SP2
Microsoft windows_vista_business_64-bit_edition X64-Ultimate
Microsoft windows_vista SP1
Microsoft windows_7_home_premium
Microsoft windows_7_starter
Microsoft windows_7_professional
Microsoft windows_7_ultimate
Microsoft windows_server_2008_r2_standard_edition
Microsoft windows_server_2008_standard_edition - Gold Hpc
Microsoft windows_vista_business_64-bit_edition Sp1 X64-Home Premium
Microsoft windows_server_2003 Sp2 Compute Cluster
Microsoft windows_vista_business_64-bit_edition Sp1 X64-Ultimate
Microsoft windows_vista_business_64-bit_edition Sp1 X86-Enterprise
Microsoft windows_server_2008_r2_enterprise_edition
Microsoft windows_vista_business_64-bit_edition Sp1 X86-Ultimate
Microsoft windows_server_2008_standard_edition Itanium
Microsoft windows_vista Ultimate
Microsoft windows_vista Home Premium
Microsoft windows_vista Home Basic
Microsoft windows_vista Enterprise
Microsoft windows_server_2003_standard_edition
Microsoft windows_server_2008_standard_edition - Gold Enterprise
Avaya messaging_application_server 4
Avaya messaging_application_server 5
Microsoft windows_server_2003_standard_x64_edition
Microsoft windows_server_2003 SP1
Microsoft windows_server_2008_for_itanium-based_systems
Microsoft windows_server 2008 R2
Microsoft windows_xp_professional_x64_edition
Microsoft windows_server_2008_r2_for_x64-based_systems SP1
Microsoft windows_vista_business_64-bit_edition
Microsoft windows_vista_enterprise_64-bit_edition
Microsoft windows_vista_home_basic_64-bit_edition
Microsoft windows_vista_home_premium_64-bit_edition
Microsoft windows_vista_ultimate_64-bit_edition
Microsoft windows_server_2008_datacenter_edition
Microsoft windows_server_2008_enterprise_edition
Microsoft windows_vista_business_64-bit_edition X64-Enterprise
Microsoft windows_server_2008_datacenter_edition Release Candidate
Microsoft windows_server_2008_for_32-bit_systems
Microsoft windows_server_2008_for_x64-based_systems
Microsoft windows_server_2008_standard_edition - Sp2 Hpc
Microsoft windows_server_2008_r2_datacenter SP1
Microsoft windows_xp

HTTP:MISC:HPE-FLEXFILEUPLOAD - HTTP: HPE Intelligent Management Center PLAT flexFileUpload Arbitrary File Upload

Severity: HIGH

Description:

An arbitrary file upload vulnerability exists in HPE Intelligent Management Center PLAT. A remote authenticated attacker could exploit this vulnerability by sending a crafted packet to a vulnerable server. Successful exploitation could lead to arbitrary code execution in the context of SYSTEM or root.

Supported On:

References:

cve: CVE-2017-8961

Affected Products:

Hp intelligent_management_center 7.3

HTTP:XSS:SHAREPOINT-INPLVIEW - HTTP: Microsoft SharePoint Server inplview.aspx Cross Site Scripting

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known cross site scripting vulnerability in Microsoft SharePoint Server. It is due to insufficient validation of user-supplied input. Attackers can steal cookie-based authentication credentials and launch other attacks.

Supported On:

References:

cve: CVE-2012-0017
bugtraq: 51928

Affected Products:

Microsoft sharepoint_foundation_2010 SP1
Microsoft sharepoint_foundation_2010
Microsoft office_sharepoint_server_2010
Microsoft office_sharepoint_server_2010 SP1

HTTP:XSS:SHAREPOINT-THEMEWEB - HTTP: Microsoft SharePoint Server themeweb.aspx Cross Site Scripting

Severity: HIGH

Description:

Supported On:

References:

bugtraq: 51934
cve: CVE-2012-0144

Affected Products:

Microsoft sharepoint_foundation_2010 SP1
Microsoft sharepoint_foundation_2010
Microsoft office_sharepoint_server_2010
Microsoft office_sharepoint_server_2010 SP1

HTTP:APACHE:STRUTS2-OGNL-INJ - HTTP: Apache Struts 2 ConversionErrorInterceptor OGNL Script Injection

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Apache Struts 2. A successful attack will result in the execution of arbitrary expressions in the security context of the affected web application server.

Supported On:

References:

url: http://struts.apache.org/2.x/docs/s2-007.html
cve: CVE-2012-0391
bugtraq: 51257
cve: CVE-2013-4212
cve: CVE-2012-0393
cve: CVE-2017-9791
url: https://www.seebug.org/vuldb/ssvid-91389
cve: CVE-2016-3081
cve: CVE-2012-0394
url: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt

Affected Products:

Apache_software_foundation struts 2.1.8
Apache_software_foundation struts 2.1.8.1
Apache_software_foundation struts 2.2.0
Apache_software_foundation struts 2.2.3.1
Apache_software_foundation struts 2.0.9
Apache_software_foundation struts 2.0.8
Apache_software_foundation struts 2.0.7
Apache_software_foundation struts 2.0.6
Apache_software_foundation struts 2.0.5
Apache_software_foundation struts 2.0.4
Apache_software_foundation struts 2.0.3
Apache_software_foundation struts 2.0.2
Apache_software_foundation struts 2.0.1
Apache_software_foundation struts 2.0.10
Apache_software_foundation struts 2.0.11
Apache_software_foundation struts 2.0.13
Apache_software_foundation struts 2.0.14
Apache_software_foundation struts 2.1.2
Apache_software_foundation struts 2.1.3
Apache_software_foundation struts 2.1.4
Apache_software_foundation struts 2.0.11.1
Apache_software_foundation struts 2.1.6
Apache_software_foundation struts 2.1.8
Apache_software_foundation struts 2.1.8.1
Apache_software_foundation struts 2.2.1
Apache_software_foundation struts 2.1.1
Apache_software_foundation struts 2.2.1.1
Apache_software_foundation struts 2.2.3
Apache_software_foundation struts 2.1.5
Apache_software_foundation struts 2.0.11 .2
Apache_software_foundation struts 2.0.12
Apache_software_foundation struts 2.0.0
Apache_software_foundation struts 2.1.0

HTTP:ORACLE:OIM-DFAULT-CRED-ID - HTTP: Oracle Identity Manager CVE-2017-10151 Default Credentials

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known authentication weakness vulnerability in Oracle Identity Manager. A remote attacker can exploit this vulnerability by authenticating to the system using the default credentials. Successful exploitation results in the attacker gaining administrator level privileges to the target system.

Supported On:

References:

bugtraq: 101619
cve: CVE-2017-10151

Affected Products:

Oracle identity_manager 11.1.2.3
Oracle identity_manager 12.2.1.3
Oracle identity_manager 11.1.1.9
Oracle identity_manager 11.1.2.2.0
Oracle identity_manager 11.1.2.1.0
Oracle identity_manager 11.1.1.7

HTTP:STC:DL:PPT-TEXTBYTESATM-BO - HTTP: Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft PowerPoint Viewer. An attacker can create a malicious Web site containing Web pages with dangerous Powerpoint files, which if accessed by a victim, allows the attacker to upload and download files from the victim's computer, potentially resulting in arbitrary program execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, srx-branch-19.1, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

url: http://www.snoop-security.com/blog/index.php/2010/03/exploiting-ms10-004-ppt-viewer/
bugtraq: 38107
cve: CVE-2010-0033
bugtraq: 38108
cve: CVE-2010-0034

Affected Products:

Microsoft powerpoint_2003 SP1
Microsoft powerpoint_2003 SP2
Microsoft powerpoint_2003
Microsoft powerpoint_2003 SP3

HTTP:MISC:MUL-VENDORS-CSRF - HTTP: Multiple Vendors Cross Site Request Forgery

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Multiple Vendors. A successful attack can lead to cross-site request forgery attacks and unauthorized session hijack.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

HTTP:STC:IE:OBJ-DEL-UAF - HTTP: Microsoft Internet Explorer Unsafe Object Deletion Use-after-Free

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Internet Explorer. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, mx-11.4, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, srx-branch-19.1, isg-3.4.139899, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, idp-4.0.110090831, isg-3.4.0

References:

cve: CVE-2013-3143
bugtraq: 60962

Affected Products:

Microsoft internet_explorer 10
Microsoft internet_explorer 9

HTTP:MISC:MULTIPLE-PRDCT-CSRF - HTTP: MULTIPLE PRODUCTS CSRF

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Multiple Vendors. A successful exploit can lead to information disclosure.

Supported On:

HTTP:MISC:MULTI-PRDCTS-CSRF-1 - HTTP: Multiple Products Cross-Site Request Forgery 1

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Multiple vendors. A successful exploit can lead to Cross-Site Request Forgery.

Supported On:

HTTP:XSS:OUTLOOK-WEB - HTTP: Microsoft Exchange OWA XSS and Spoofing

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in Microsoft Exchange Outlook Web Access (OWA). An attacker can send a malformed e-mail, which if accessed by a victim using OWA, causes the affected system to run a malicious script in the context of the user's session.

Supported On:

References:

bugtraq: 10902
cve: CVE-2004-0203

Affected Products:

Microsoft exchange_server 5.5 SP4

HTTP:XSS:OPENFIRE-USER-CREATE - HTTP: Ignite Realtime Openfire user-create.jsp Cross-Site Request Forgery

Severity: HIGH

Description:

A cross-site request forgery vulnerability has been reported in Openfire's user-create.jsp script. The vulnerability is due to insufficient CSRF protections. A remote, unauthenticated attacker can exploit this vulnerability by enticing a user with administrator privileges to visit a page which sends a request to user-create.jsp. Successful exploitation can result in adding arbitrary users.

Supported On:

References:

cve: CVE-2015-6973
url: https://infosec.cert-pa.it/cve-2015-6973.html

Affected Products:

Igniterealtime openfire 3.10.2

APP:HPOV:NNM-GETNNMDATA-OF - APP: HP OpenView Network Node Manager getnnmdata.exe Parameter Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the HP OpenView Network Node Manager. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the server.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

url: http://www.openview.hp.com/products/nnm/
bugtraq: 40072
bugtraq: 40070
bugtraq: 40071
cve: CVE-2010-1553
cve: CVE-2010-1554
cve: CVE-2010-1555
url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379

Affected Products:

Hp openview_network_node_manager 7.01
Hp openview_network_node_manager 7.51
Hp openview_network_node_manager 7.53

HTTP:COLDFUSION:CVE-2013-3336 - HTTP: Adobe ColdFusion CVE-2013-3336 Information Disclosure

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability in the Adobe ColdFusion. A successful attack can lead to unauthorized information disclosure.

Supported On:

References:

bugtraq: 59773
cve: CVE-2013-3336

Affected Products:

Adobe coldfusion 10.0
Adobe coldfusion 9.0
Adobe coldfusion 9.0.1
Adobe coldfusion 9.0.2

HTTP:MISC:HPE-OO-RCE - HTTP: HPE Operations Orchestration Remote Code Execution

Severity: HIGH

Description:

An insecure deserialization vulnerability has been reported in HPE Operations Orchestration.A remote, unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted serialized object. Successful exploitation results in arbitrary code execution under the context of the SYSTEM or root user.

Supported On:

References:

cve: CVE-2017-8994
url: http://www.zerodayinitiative.com/advisories/zdi-17-716/
url: https://support.hpe.com/hpsc/doc/public/display?docid=emr_na-hpesbgn03767en_us
bugtraq: 100588

Affected Products:

Hp operations_orchestration 10.70

HTTP:EK-MULTIPLE-FLASH - HTTP: Multiple Exploit Kit Flash File Download

Severity: HIGH

Description:

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

APP:MISC:SAP-NETWEAVER-SOAP-RCE - APP: SAP NetWeaver Unsafe SOAP Requests

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerabilities against SAP Netweaver's SOAP Interface. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

HTTP:MISC:MULTIPLE-VENDORS-CSRF - HTTP: Multiple Products Cross Site Request Forgery

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Multiple Vendors. A successful attack can lead to cross-site request forgery attacks and unauthorized session hijack.

Supported On:

HTTP:MANAGENGINE-INF-DISC - HTTP: ManageEngine Multiple Products FailOverHelperServlet copyfile Information Disclosure

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against ManageEngine OpManager, Applications Manager and IT360. A successful attack can lead to unauthorized information disclosure and loss of sensitive information.

Supported On:

References:

cve: CVE-2014-7863

HTTP:STC:DL:MAL-MOVIEMAKER - HTTP: Download of Malicious MovieMaker File

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft MovieMaker. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

References:

cve: CVE-2010-2564
url: http://www.microsoft.com/technet/security/bulletin/ms10-050.mspx
bugtraq: 42268

Affected Products:

Microsoft windows_movie_maker 2.1.4027.0
Microsoft windows_vista_december_ctp SP1
Microsoft windows_vista Business SP2
Microsoft windows_vista_business_64-bit_edition SP2
Microsoft windows_vista_enterprise_64-bit_edition SP2
Microsoft windows_vista Enterprise SP2
Microsoft windows_vista_home_basic_64-bit_edition SP2
Microsoft windows_vista Home Basic SP2
Microsoft windows_vista_home_premium_64-bit_edition SP2
Microsoft windows_vista Home Premium SP2
Microsoft windows_vista SP2
Microsoft windows_vista_ultimate_64-bit_edition SP2
Microsoft windows_vista Ultimate SP2
Microsoft windows_vista_x64_edition SP2
Microsoft windows_vista_december_ctp SP2
Microsoft windows_xp_embedded SP3
Microsoft windows_vista_x64_edition SP1
Microsoft windows_vista SP1
Microsoft windows_movie_maker 2.1
Microsoft windows_movie_maker 6.0
Microsoft windows_movie_maker 2.6
Microsoft windows_xp_tablet_pc_edition SP3
Microsoft windows_xp_professional_x64_edition SP3
Microsoft windows_xp_professional SP3
Microsoft windows_xp_media_center_edition SP3
Microsoft windows_xp_home SP3
Microsoft windows_vista Business SP1
Microsoft windows_vista Home Basic SP1
Microsoft windows_vista Home Premium SP1
Microsoft windows_vista Enterprise SP1
Microsoft windows_vista Ultimate SP1
Microsoft windows_vista_business_64-bit_edition SP1
Microsoft windows_vista_enterprise_64-bit_edition SP1
Microsoft windows_vista_home_basic_64-bit_edition SP1
Microsoft windows_vista_home_premium_64-bit_edition SP1
Microsoft windows_vista_ultimate_64-bit_edition SP1
Microsoft windows_xp_professional_x64_edition SP2

SMTP:SQWEBMAIL-EMAIL-HEADER-INJ - SMTP: SqWebMail Email Header HTML Injection

Severity: MEDIUM

Description:

This signature detects SMTP messages containing HTML code in SqWebmail. Attackers can send maliciously crafted SMTP messages to execute arbitrary HTML code at the same privilege level as the target.

Supported On:

References:

bugtraq: 10588
cve: CVE-2004-0591

Affected Products:

Inter7 sqwebmail 4.0.4 .20040524

SMTP:MICROSOFT-GDI-TIFF-RCE - SMTP: Multiple Microsoft Products TIFF Image Parsing Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against multiple Microsoft products. The issue is due to incorrect parsing of certain TIFF image files by Microsoft Graphics Component module GDI+. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.110090709, idp-4.0.110090831, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, vsrx3bsd-18.2, srx-18.2, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, idp-5.0.110121210, srx-branch-19.1, vsrx-15.1, idp-4.1.110110609

References:

cve: CVE-2013-3906

Affected Products:

Microsoft office 2007 (sp3)
Microsoft lync 2010 (:attendee)
Microsoft lync_basic 2013 (-:x64)
Microsoft windows_server_2008 (sp2:x64)
Microsoft lync_basic 2013 (-:x86)
Microsoft office 2003 (sp3)
Microsoft lync 2010 (:x86)
Microsoft windows_server_2008 (sp2:itanium)
Microsoft windows_server_2008 (sp2:x86)
Microsoft lync 2013 (-:x64)
Microsoft office 2010 (sp1:x64)
Microsoft lync 2010 (:x64)
Microsoft lync 2013 (-:x86)
Microsoft windows_vista (sp2:x64)
Microsoft office 2010 (sp1:x86)
Microsoft office 2010 (sp2:x86)
Microsoft office 2010 (sp2:x64)

HTTP:MISC:MUTI-PROD-COMND-EXEC - HTTP: Multiple Products Command Execution

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Multiple Products. A successful exploit can lead to remote command execution.

Supported On:

HTTP:STC:DL:XLS-NULL-PTR - HTTP: Microsoft Excel Null Pointer Exploit

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Excel file format. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, srx-17.4, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 15926
bugtraq: 15780
cve: CVE-2005-4131
cve: CVE-2006-0009
cve: CVE-2006-0028
cve: CVE-2006-0031
cve: CVE-2006-1301
cve: CVE-2006-1306
cve: CVE-2006-3086
cve: CVE-2006-3431
cve: CVE-2006-3875
bugtraq: 18422
cve: CVE-2006-3059
cve: CVE-2006-1308
cve: CVE-2006-0030
cve: CVE-2009-0559
bugtraq: 18583
cve: CVE-2006-3014

Affected Products:

Microsoft excel_2000 SP3
Microsoft excel_2004_for_mac
Microsoft excel_x_for_mac
Microsoft excel_2000 SR1
Microsoft excel_2000 SP2
Microsoft excel_2002 SP1
Microsoft excel_2002 SP2
Microsoft office_excel_viewer_2003
Nortel_networks optivity_telephony_manager_(otm)
Nortel_networks ip_softphone_2050
Microsoft excel_95
Microsoft excel_97
Avaya modular_messaging_(mas) 3.0.0
Microsoft excel_2003 SP1
Microsoft excel_v.x
Nortel_networks enterprise_network_management_system
Microsoft excel_2002
Microsoft excel_2001_for_mac
Microsoft excel_2003
Nortel_networks mcs_5100 3.0.0
Nortel_networks mcs_5200 3.0.0
Microsoft excel_2002 SP3
Microsoft excel_98_for_mac
Microsoft excel_2000
Microsoft excel_97 SR2
Microsoft excel_97 SR1

HTTP:NEUTRINO-FLASH - HTTP: Neutrino Flash Exploit

Severity: HIGH

Description:

This signature attempts to detect Neutrino Flash Exploit.

Supported On:

HTTP:APACHE:STRUTS-URI-CMDEXEC - HTTP: Apache Struts 2 Multiple URI Parameters Remote Command Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Apache Struts 2. It is due to insufficient validation of user-supplied input. A successful attack can lead to arbitrary command execution.

Supported On:

References:

bugtraq: 61189
cve: CVE-2013-2251
url: http://struts.apache.org/release/2.3.x/docs/s2-016.html

Affected Products:

Apache struts 2.3.14.1
Apache struts 2.0.3
Apache struts 2.3.7
Apache struts 2.3.14.2
Apache struts 2.0.11.1
Apache struts 2.0.2
Apache struts 2.3.4
Apache struts 2.0.11
Apache struts 2.3.14.3
Apache struts 2.3.1.1
Apache struts 2.1.0
Apache struts 2.0.10
Apache struts 2.3.4.1
Apache struts 2.3.12
Apache struts 2.1.1
Apache struts 2.0.13
Apache struts 2.1.2
Apache struts 2.0.12
Apache struts 2.3.14
Apache struts 2.1.3
Apache struts 2.3.8
Apache struts 2.3.15
Apache struts 2.1.4
Apache struts 2.2.3.1
Apache struts 2.1.5
Apache struts 2.3.1.2
Apache struts 2.1.6
Apache struts 2.0.9
Apache struts 2.0.8
Apache struts 2.0.4
Apache struts 2.1.8
Apache struts 2.1.8.1
Apache struts 2.2.1.1
Apache struts 2.0.5
Apache struts 2.0.11.2
Apache struts 2.2.3
Apache struts 2.0.7
Apache struts 2.3.3
Apache struts 2.0.6
Apache struts 2.2.1
Apache struts 2.0.1
Apache struts 2.3.1
Apache struts 2.0.14
Apache struts 2.0.0

HTTP:PHP:XML-HEAP-MEM-CORR - HTTP: PHP xml_parse_into_struct Heap Memory Corruption

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against xml_parse_into_struct() function in PHP. A successful attack can lead to arbitrary code execution.

Supported On:

References:

bugtraq: 61128
cve: CVE-2013-4113

Affected Products:

Php php 5.3.20
Php php 5.3.0
Php php 5.3.1
Php php 5.3.18
Php php 5.3.19
Php php 5.3.16
Php php 5.3.17
Php php 5.3.14
Php php 5.3.15
Php php 5.3.25
Php php 5.3.8
Php php 5.3.12
Php php 5.3.24
Php php 5.3.9
Php php 5.3.13
Php php 5.3.23
Php php 5.3.6
Php php 5.3.10
Php php 5.3.22
Php php 5.3.7
Php php 5.3.11
Php php 5.3.21
Php php 5.3.4
Php php up to 5.3.26
Php php 5.3.5
Php php 5.3.2
Php php 5.3.3

HTTP:STC:DL:REAL-SWF-BOF - HTTP: RealPlayer SWF Flash File Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in RealNetworks RealPlayer. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, isg-3.5.141818, j-series-9.5, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 17202
cve: CVE-2006-0323
cve: CVE-2009-1869

Affected Products:

Real_networks realone_player_for_osx 9.0.0 .297
Suse linux_personal 9.3.0
Suse linux_personal 9.2.0 X86 64
Real_networks realplayer_enterprise
Turbolinux turbolinux FUJI
Real_networks realone_player 1.0.0
Real_networks realplayer 10.0.0
Real_networks realone_player_for_osx 9.0.0 .288
Real_networks helix_player_for_linux 10.0.1
Real_networks helix_player_for_linux 10.0.2
Suse linux_personal 9.2.0
Suse linux_professional 9.2.0
Suse linux_professional 9.3.0
Suse linux_professional 9.3.0 X86 64
Suse linux_professional 9.2.0 X86 64
Real_networks rhapsody 3.0.0 Build 0.815
Real_networks helix_player_for_linux 10.0.4
Real_networks helix_player_for_linux 10.0.5
Real_networks realplayer_10_for_linux 10.0.5
Real_networks realplayer 10.5.0 V6.0.12.1056
Real_networks realplayer 10.5.0 V6.0.12.1053
Real_networks realplayer 10.5.0 V6.0.12.1040
Real_networks realplayer_10_for_mac_os
Real_networks realplayer_10_for_linux
Suse linux_professional 10.0.0 OSS
Suse linux_personal 10.0.0 OSS
Real_networks realplayer 10.5.0 V6.0.12.1348
Real_networks rhapsody 3.0.0 Build 1.0.269
Real_networks realone_player_for_mac
Real_networks realplayer_10_for_linux 10.0.1
Real_networks helix_player_for_linux 10.0.6
Real_networks helix_player_for_linux 10.0.0
Real_networks realplayer 10.5.0 V6.0.12.1069
Suse novell_linux_desktop 9.0.0
Real_networks helix_player_for_linux 10.0.3
Real_networks realplayer 10.5.0 V6.0.12.1059
Real_networks realplayer_10_for_mac_os 10.0.0 .0.331
Real_networks realplayer_10_for_mac_os 10.0.0.305
Real_networks realplayer_10_for_linux 10.0.4
Gentoo linux
Real_networks realplayer_10_for_linux 10.0.2
Real_networks realplayer_10_for_linux 10.0.3
Real_networks realplayer_10_for_linux 10.0.6
Suse linux_personal 9.3.0 X86 64
Real_networks realplayer 10.5.0 V6.0.12.1235
Real_networks realplayer 8.0.0 Win32
Real_networks realone_player 2.0.0

HTTP:STC:DL:MAL-HLP-CHM - HTTP: Malformed Microsoft HLP/CHM File

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft Help file format. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

References:

bugtraq: 17325
bugtraq: 17926
cve: CVE-2006-1591
cve: CVE-2006-2297

Affected Products:

Microsoft windows_xp_media_center_edition SP2
Microsoft windows_xp_home
Microsoft windows_2000_datacenter_server
Microsoft windows_2000_professional SP3
Microsoft windows_2000_server SP3
Microsoft windows_2000_advanced_server SP3
Microsoft windows_2000_datacenter_server SP3
Microsoft windows_nt_server 4.0 SP5
Microsoft windows_nt_server 4.0 SP4
Microsoft windows_2000_datacenter_server SP1
Microsoft windows_nt_server 4.0 SP6
Microsoft windows_nt_server 4.0
Microsoft windows_nt_enterprise_server 4.0
Microsoft windows_2000_professional
Microsoft windows_2000_server SP1
Microsoft windows_2000_professional SP1
Microsoft windows_2000_advanced_server SP1
Microsoft windows_2000_advanced_server SP4
Microsoft windows_2000_datacenter_server SP4
Microsoft windows_2000_professional SP4
Microsoft windows_2000_server SP4
Microsoft windows_2000_advanced_server SP2
Microsoft windows_2000_datacenter_server SP2
Microsoft windows_xp_media_center_edition
Microsoft windows_xp_tablet_pc_edition
Microsoft windows_2000_server SP2
Microsoft windows_2000_professional SP2
Microsoft windows_nt_enterprise_server 4.0 SP2
Microsoft windows_server_2003_standard_edition
Microsoft windows_2000_advanced_server
Microsoft windows_nt_terminal_server 4.0 SP3
Microsoft windows_nt_enterprise_server 4.0 SP1
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP1
Microsoft windows_nt_enterprise_server 4.0 SP4
Microsoft windows_nt_enterprise_server 4.0 SP3
Microsoft windows_nt_enterprise_server 4.0 SP5
Microsoft windows_nt_enterprise_server 4.0 SP6
Microsoft windows_nt_enterprise_server 4.0 SP6a
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_nt_server 4.0 SP2
Microsoft windows_nt_server 4.0 SP3
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft windows_nt_server 4.0 SP6a
Microsoft windows_nt_terminal_server 4.0 SP1
Microsoft windows_nt_terminal_server 4.0 SP2
Microsoft windows_nt_terminal_server 4.0 SP4
Microsoft windows_nt_terminal_server 4.0 SP5
Microsoft windows_nt_terminal_server 4.0 SP6
Microsoft windows_nt_terminal_server 4.0 SP6a
Microsoft windows_nt_workstation 4.0 SP1
Microsoft windows_nt_workstation 4.0 SP2
Microsoft windows_nt_workstation 4.0 SP3
Microsoft windows_xp_professional
Microsoft windows_nt_workstation 4.0 SP5
Microsoft windows_nt_workstation 4.0 SP6
Microsoft windows_nt_workstation 4.0 SP6a
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_nt_terminal_server 4.0
Microsoft windows_nt_workstation 4.0 SP4
Microsoft windows_nt_workstation 4.0
Microsoft windows_nt_server 4.0 SP1
Microsoft windows_server_2003_enterprise_edition
Microsoft windows_xp_home SP2
Microsoft windows_xp_professional SP2
Microsoft windows_xp_tablet_pc_edition SP1
Microsoft windows_xp_tablet_pc_edition SP2
Microsoft windows_xp_media_center_edition SP1

HTTP:CGI:WEB-SERVER-CGI-RCE - HTTP: EmbedThis GoAhead Web Server Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against EmbedThis GoAhead Web Server. A successful attack can lead to arbitrary code execution under the security context of the server process

Supported On:

References:

Affected Products:

Embedthis goahead 3.3.4
Embedthis goahead 3.3.1
Embedthis goahead 3.4.0
Embedthis goahead 3.3.5
Embedthis goahead 3.0.0
Embedthis goahead 3.3.2
Embedthis goahead 3.3.6
Embedthis goahead 3.3.3

HTTP:COLDFUSION:XML-CMD-INJ - HTTP: Adobe ColdFusion/BlazeDS/LiveCycle XML Command Injection

Severity: HIGH

Description:

This signature detects attempts to exploit a known flaw in several Adobe server technologies. A successful attack may result in data exposure and/or arbitrary command injection.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1

References:

Affected Products:

Adobe blazeds 3.2
Adobe livecycle 9.0
Adobe livecycle 8.2.1
Adobe livecycle 8.0.1
Adobe livecycle_data_services 3.0
Adobe livecycle_data_services 2.6.1
Adobe livecycle_data_services 2.5.1
Adobe flex_data_services 2.0.1
Adobe coldfusion 9.0
Adobe coldfusion 8.0.1
Adobe coldfusion 7.0.2
Adobe coldfusion 8.0

HTTP:MISC:MULTIPLE-PRODCT-CSRF - HTTP: Multiple Products Cross-Site Request Forgery 2

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Multiple Products. A successful attack can lead to cross-site request forgery attacks.

Supported On:

HTTP:STC:DL:PPT-FF-BOF - HTTP: PowerPoint File Multiples Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Microsoft PowerPoint file format. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the client.

Supported On:

References:

bugtraq: 18993
bugtraq: 19229
cve: CVE-2006-3656
bugtraq: 20226
cve: CVE-2006-3876
cve: CVE-2006-4694
cve: CVE-2009-1137
cve: CVE-2009-0220
cve: CVE-2009-0221
cve: CVE-2009-0223
cve: CVE-2009-1129

Affected Products:

Microsoft powerpoint_2003 SP1
Microsoft powerpoint_2003 SP2
Microsoft powerpoint_2003

SMB:EXPLOIT:PRINT-SPOOL-BYPASS - SMB: Windows Print Spooler Authentication Bypass

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability against Windows Print Spooler. A successful attack allows attackers to bypass security measures and execute arbitrary remote code.

Supported On:

References:

cve: CVE-2010-2729
bugtraq: 43073
url: http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx

Affected Products:

Microsoft windows_xp_home
Microsoft windows_7_for_x64-based_systems
Microsoft windows_7_for_itanium-based_systems
Microsoft windows_7_for_32-bit_systems
Microsoft windows_vista Business SP2
Microsoft windows_vista_business_64-bit_edition SP2
Microsoft windows_vista_enterprise_64-bit_edition SP2
Microsoft windows_vista Enterprise SP2
Microsoft windows_vista_home_basic_64-bit_edition SP2
Microsoft windows_vista Home Basic SP2
Microsoft windows_vista_home_premium_64-bit_edition SP2
Microsoft windows_vista Home Premium SP2
Microsoft windows_vista SP2
Microsoft windows_vista_ultimate_64-bit_edition SP2
Microsoft windows_vista Ultimate SP2
Microsoft windows_vista_x64_edition SP2
Microsoft windows_server_2008_for_32-bit_systems SP2
Microsoft windows_server_2008_for_itanium-based_systems SP2
Microsoft windows_server_2008_for_x64-based_systems SP2
Microsoft windows_server_2003_x64 SP2
Microsoft windows_vista_x64_edition SP1
Microsoft windows_vista Business SP1
Microsoft windows_vista Home Basic SP1
Microsoft windows_vista Home Premium SP1
Microsoft windows_vista Enterprise SP1
Microsoft windows_vista Ultimate SP1
Microsoft windows_vista_business_64-bit_edition SP1
Microsoft windows_vista_enterprise_64-bit_edition SP1
Microsoft windows_vista_home_basic_64-bit_edition SP1
Microsoft windows_vista_home_premium_64-bit_edition SP1
Microsoft windows_vista_ultimate_64-bit_edition SP1
Microsoft windows_server_2003_x64 SP1
Avaya aura_conferencing 6.0 Standard
Microsoft windows_vista_x64_edition
Microsoft windows_server_2003_web_edition SP2
Microsoft windows_xp_professional_x64_edition SP2
Microsoft windows_server_2003_itanium
Microsoft windows_server_2003_itanium SP1
Microsoft windows_server_2003_itanium SP2
Microsoft windows_server_2003_datacenter_x64_edition SP2
Microsoft windows_server_2003_enterprise_x64_edition SP2
Microsoft windows_server_2003_standard_edition SP2
Avaya messaging_application_server
Avaya messaging_application_server MM 3.0
Avaya messaging_application_server MM 3.1
Microsoft windows_xp_media_center_edition
Avaya messaging_application_server MM 1.1
Microsoft windows_xp_64-bit_edition
Microsoft windows_xp_home SP1
Microsoft windows_xp_professional SP1
Microsoft windows_xp_professional_x64_edition SP3
Microsoft windows_xp_professional SP3
Microsoft windows_xp_media_center_edition SP3
Microsoft windows_xp_home SP3
Microsoft windows_server_2003_datacenter_edition SP1
Microsoft windows_server_2003_datacenter_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition_itanium SP1
Microsoft windows_server_2003_enterprise_edition SP1
Microsoft windows_server_2003_standard_edition SP1
Microsoft windows_server_2003_web_edition SP1
Microsoft windows_server_2003_enterprise_edition
Microsoft windows_server_2003_datacenter_edition
Microsoft windows_server_2003_web_edition
Microsoft windows_server_2003_enterprise_edition_itanium
Microsoft windows_server_2003_datacenter_edition_itanium
Microsoft windows_xp_64-bit_edition SP1
Microsoft windows_server_2008_for_x64-based_systems R2
Microsoft windows_server_2008_for_itanium-based_systems R2
Avaya meeting_exchange-client_registration_server
Avaya meeting_exchange-recording_server
Avaya meeting_exchange-streaming_server
Avaya meeting_exchange-web_conferencing_server
Avaya meeting_exchange-webportal
Microsoft windows_server_2003 SP1
Microsoft windows_server_2003 SP2
Avaya messaging_application_server MM 2.0
Microsoft windows_xp_home SP2
Microsoft windows_xp_professional SP2
Microsoft windows_xp_media_center_edition SP1
Microsoft windows_xp_media_center_edition SP2
Microsoft windows_vista 1.0
Microsoft windows_vista SP1
Microsoft windows_vista Ultimate
Microsoft windows_vista Home Premium
Microsoft windows_vista Home Basic
Microsoft windows_vista Business
Microsoft windows_vista Enterprise
Microsoft windows_server_2003_standard_edition
Avaya callpilot_unified_messaging
Microsoft windows_xp
Avaya messaging_application_server 4
Avaya messaging_application_server 5
Microsoft windows_server_2003_standard_x64_edition
Microsoft windows_server_2003_enterprise_x64_edition
Microsoft windows_server_2003_datacenter_x64_edition
Microsoft windows_xp_professional_x64_edition
Microsoft windows_vista_business_64-bit_edition
Microsoft windows_vista_enterprise_64-bit_edition
Microsoft windows_vista_home_basic_64-bit_edition
Microsoft windows_vista_home_premium_64-bit_edition
Microsoft windows_vista_ultimate_64-bit_edition
Microsoft windows_server_2008_for_32-bit_systems
Microsoft windows_server_2008_for_x64-based_systems
Microsoft windows_server_2008_for_itanium-based_systems
Microsoft windows_xp

HTTP:PHP:PHP-QUOT-PRINT-ENCODE - HTTP: PHP php_quot_print_encode Heap Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the php_quot_print_encode() function in PHP. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the server.

Supported On:

idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, vsrx3bsd-18.2, isg-3.5.0, srx-19.1, vsrx3bsd-19.1, vsrx-19.1, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, srx-branch-19.1, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, srx-18.2, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1

References:

bugtraq: 60411
cve: CVE-2013-2110

Affected Products:

Php php 4.4.0
Php php 5.4.6
Php php 3.0.10
Php php 4.0 (beta1)
Php php 5.0.0 (rc2)
Php php 4.4.2
Php php 4.1.0
Php php 3.0.12
Php php 4.4.4
Php php 4.1.2
Php php 3.0.14
Php php 4.3.8
Php php 5.4.15
Php php 3.0.16
Php php 3.0.9
Php php 5.3.17
Php php 5.4.13
Php php 3.0.18
Php php 5.0.0 (beta3)
Php php 5.0.2
Php php 4.2.3
Php php 5.3.8
Php php 5.4.8
Php php 4.4.1
Php php 4.1.1
Php php 4.2.1
Php php 5.3.6
Php php 5.3.11
Php php 5.3.4
Php php 5.3.2
Php php 4.0.1
Php php 5.4.0
Php php 5.2.15
Php php 5.3.0
Php php 4.0.3
Php php 5.2.17
Php php 3.0
Php php 4.0.5
Php php 5.3.19
Php php 5.2.11
Php php 4.0.7
Php php 2.0b10
Php php 5.2.2
Php php 5.2.13
Php php 4.3.6
Php php 5.2.0
Php php 4.3.10
Php php 4.3.7
Php php 5.2.6
Php php 5.3.24
Php php 4.3.5
Php php 5.0.0 (beta2)
Php php 5.4.2
Php php 4.4.9
Php php 3.0.6
Php php 5.3.22
Php php 4.3.3
Php php 4.0 (beta_4_patch1)
Php php 3.0.4
Php php 5.3.20
Php php 4.3.1
Php php 4.0 (beta2)
Php php 5.1.2
Php php 5.2.8
Php php 4.0 (beta3)
Php php 5.1.5
Php php 5.4.5
Php php 5.2.4
Php php 5.0.0 (rc3)
Php php 3.0.2
Php php 4.4.7
Php php 5.4.7
Php php 3.0.11
Php php 5.0.0 (beta1)
Php php 3.0.17
Php php 5.1.1
Php php 5.4.1
Php php 3.0.13
Php php 4.4.3
Php php 5.4.3
Php php 3.0.15
Php php 4.3.9
Php php 5.0.0 (beta4)
Php php 5.0.1
Php php 5.0.0 (rc1)
Php php 5.3.16
Php php 5.3.13
Php php 5.4.14
Php php 3.0.8
Php php 5.3.14
Php php 4.2.2
Php php 5.4.12
Php php 5.4.9
Php php 5.0.5
Php php 4.2.0
Php php 5.4.10
Php php 5.3.10
Php php 5.3.7
Php php 5.3.5
Php php 5.2.9
Php php 4.0.0
Php php 5.3.3
Php php 4.0.2
Php php 5.0.3
Php php 5.1.3
Php php 5.2.14
Php php 5.3.1
Php php 4.0.4
Php php 5.3.18
Php php 5.2.16
Php php 4.0.6
Php php 5.2.3
Php php 5.2.10
Php php 4.4.5
Php php 2.0
Php php 4.3.0
Php php 5.3.15
Php php 5.2.1
Php php 4.3.11
Php php 5.2.12
Php php 5.1.0
Php php 5.2.7
Php php 5.4.11
Php php 5.2.5
Php php 4.4.8
Php php 5.1.6
Php php 3.0.7
Php php 4.0 (beta4)
Php php 5.3.12
Php php 5.3.23
Php php 4.3.4
Php php 3.0.5
Php php 5.3.21
Php php 4.3.2
Php php up to 5.3.25
Php php 5.1.4
Php php 3.0.3
Php php 5.3.9
Php php 1.0
Php php 4.4.6
Php php 5.4.4
Php php 3.0.1
Php php 5.0.4

HTTP:STC:CVE-2018-6794 - HTTP: Suricata TCP Handshake Content Detection Bypass

Severity: MEDIUM

Description:

This signature detects attempts to exploit a known vulnerability against Suricata IDS/IPS. Successful exploitation could result in a bypass of security policies.

Supported On:

References:

url: https://redmine.openinfosecfoundation.org/issues/2427
url: https://github.com/kirillwow/ids_bypass
cve: CVE-2018-6794

HTTP:MISC:NGINX-CHUNK-TRANS-DOS - HTTP: Nginx Chunked Transfer Parsing Denial of Service

Severity: HIGH

Description:

This signature detects attempts to exploit a known flaw in Nginx. A successful attack can result in a denial-of-service condition.

Supported On:

References:

cve: CVE-2013-2070

Affected Products:

Igor_sysoev nginx 1.2.7
Igor_sysoev nginx 1.1.9
Igor_sysoev nginx 1.3.16
Igor_sysoev nginx 1.2.8
Igor_sysoev nginx 1.1.8
Igor_sysoev nginx 1.4.0
Igor_sysoev nginx 1.3.11
Igor_sysoev nginx 1.3.2
Igor_sysoev nginx 1.2.4
Igor_sysoev nginx 1.2.1
Igor_sysoev nginx 1.1.19
Igor_sysoev nginx 1.1.7
Igor_sysoev nginx 1.1.18
Igor_sysoev nginx 1.3.9
Igor_sysoev nginx 1.1.6
Igor_sysoev nginx 1.1.17
Igor_sysoev nginx 1.3.8
Igor_sysoev nginx 1.1.16
Igor_sysoev nginx 1.1.4
Igor_sysoev nginx 1.1.15
Igor_sysoev nginx 1.2.5
Igor_sysoev nginx 1.2.2
Igor_sysoev nginx 1.3.13
Igor_sysoev nginx 1.1.13
Igor_sysoev nginx 1.1.12
Igor_sysoev nginx 1.2.0
Igor_sysoev nginx 1.3.12
Igor_sysoev nginx 1.1.11
Igor_sysoev nginx 1.3.4
Igor_sysoev nginx 1.1.10
Igor_sysoev nginx 1.3.7
Igor_sysoev nginx 1.2.3
Igor_sysoev nginx 1.2.6
Igor_sysoev nginx 1.3.6
Igor_sysoev nginx 1.3.5
Igor_sysoev nginx 1.3.1
Igor_sysoev nginx 1.3.15
Igor_sysoev nginx 1.3.0
Igor_sysoev nginx 1.3.14
Igor_sysoev nginx 1.3.3
Igor_sysoev nginx 1.3.10

HTTP:STC:DL:RTF-MISMATCH - HTTP: Microsoft Word RTF Mismatch Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Word. A successful attack can lead to arbitrary code execution.

Supported On:

idp-5.1.110161014, idp-4.1.110110719, idp-4.0.0, idp-4.0.110090709, isg-3.4.140032, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, srx-19.1, vsrx3bsd-18.2, isg-3.5.0, srx-18.2, isg-3.4.139899, vsrx-19.1, idp-5.0.110121210, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, mx-11.4, vsrx-12.1, j-series-9.5, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, srx-17.4, isg-3.5.141818, srx-branch-19.1, idp-5.1.110170603, vsrx3bsd-19.1, vsrx-15.1, idp-4.1.110110609

References:

bugtraq: 53344
cve: CVE-2012-0183

Affected Products:

Microsoft office_compatibility_pack SP2
Microsoft word_2007 SP2
Microsoft word_2007 SP1
Microsoft office_2008_for_mac
Microsoft office_compatibility_pack SP3
Microsoft word_2007
Microsoft word_2003 SP1
Microsoft word_2003 SP2
Microsoft office_2011_for_mac
Microsoft word_2003 SP3
Microsoft word_2007 SP3

HTTP:STC:DL:VISIO-VSD-MEM - HTTP: Microsoft Visio VSD File Format Memory Corruption Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Microsoft Visio. A successful attack can lead to arbitrary code execution.