Changed: false positives
Suggested change to avoid false positives:
Rule
Change to:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sql injection attempt in WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; content:"_sql_"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)
GEN:SID
1:2229
Message
WEB-PHP viewtopic.php access
Rule
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)
Summary
This event is generated when an attempt is made to exploit a known vulnerability in the PHP application phpBB.
Impact
Information disclosure possibly leading to serious system compromise.
Detailed Information
Some versions of phpBB Group phpBB suffer from a vulnerability that allows an attacker to inject SQL queries of their choosing. This can result in the disclosure of passwords and other information stored in the database. The data contained in the database may also be corrupted by a malicious SQL query.
Affected Systems
phpBB Group phpBB 2.0.4, 2.0.5
Attack Scenarios
The attacker can execute one of the publicly available exploit scripts.
Ease of Attack
Simple. Exploit code exists.
False Positives
Every valid request
False Negatives
None known. If you think this rule has false negatives, please help fill it out.
Corrective Action
Upgrade to the latest non-affected version of the software.
Contributors
Sourcefire Research Team
Brian Caswell <bmc@xxxxxxxxxxxxxx>
Nigel Houghton <nigel.houghton@xxxxxxxxxxxxxx>
Additional References
Rule References
bugtraq: 7979
cve: 2003-0486
nessus: 11767
HTH, Rainer
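
The effect of the suggested change can be checked offline. The following is an added example, not part of the original post and not Snort code: a simplified Python model that parses the two rules quoted above and evaluates only their uricontent and content options against constructed request lines. The function names, the sample requests and the matching model (case-sensitive substring tests, no URI normalization or flow tracking) are assumptions.

```python
import re

# The two rules from the post, rebuilt from their shared header and tail.
HEAD = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
TAIL = ('reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; '
        'classtype:web-application-attack; sid:2229; rev:4;)')
ORIGINAL = (HEAD + '(msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; '
            'uricontent:"viewtopic.php"; ' + TAIL)
SUGGESTED = (HEAD + '(msg:"sql injection attempt in WEB-PHP viewtopic.php access"; '
             'flow:to_server,established; uricontent:"viewtopic.php"; '
             'content:"_sql_"; ' + TAIL)

# Constructed request lines, not captured traffic. The last one only carries
# the "_sql_" token from the suggested rule inside a placeholder value.
REQUESTS = [
    "GET /forum/viewtopic.php?t=42 HTTP/1.1",
    "GET /forum/viewtopic.php?t=7&start=15 HTTP/1.1",
    "GET /forum/index.php HTTP/1.1",
    "GET /forum/viewtopic.php?t=1&x=PLACEHOLDER_sql_PLACEHOLDER HTTP/1.1",
]

# One rule option: keyword, then an optional quoted or bare value, then ";".
OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_options(rule):
    """Return the options between the parentheses as (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(m.group(1), (m.group(2) or "").strip('"'))
            for m in OPTION.finditer(body)]

def matches(rule, request_line):
    """Simplified model (assumption): uricontent is a case-sensitive substring
    test on the request URI, content on the whole request line."""
    uri = request_line.split(" ")[1]
    for keyword, value in parse_options(rule):
        if keyword == "uricontent" and value not in uri:
            return False
        if keyword == "content" and value not in request_line:
            return False
    return True

def alerts(rule):
    """Indexes of the constructed requests on which the rule would alert."""
    return [i for i, line in enumerate(REQUESTS) if matches(rule, line)]

if __name__ == "__main__":
    print("original :", alerts(ORIGINAL))
    print("suggested:", alerts(SUGGESTED))
```

On these samples the original rule alerts on every viewtopic.php request, while the suggested rule alerts only on the request that also contains "_sql_".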