Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 943

HTTP:PHP:POPPER-OPEN-ADMIN
HTTP:PHP:REDHAT-PIRANHA-PASSWD
HTTP:PHP:SILENT-STORM-ADMIN
HTTP:PHP:UPLOAD-LOCATION
HTTP:PHP:VBULL-CAL-EXEC
HTTP:PHP:WOLTAB-SQL-INJ
HTTP:PHP:YABBSE-PKG-EXEC
HTTP:PHP:YABBSE-SSI-INCLUDE
HTTP:PHP:ZENTRACK-CMD-EXEC
Copyright © 2010, Juniper Networks, Inc.
This signature detects attempts to exploit a vulnerability in
popper_mod 1.2.1, a Web-based PHP POP3 e-mail client
based on Qpopper. Popper_mod relies on htaccess
authentication to authenticate administrators; if htaccess
is not used to protect administrator access, popper_mod
does not authenticate administrators. Attackers may browse
to the /mail/administrator directory to access the
administration PHP script and view a complete list of user
accounts and passwords, delete accounts, modify accounts,
and edit settings.
This signature detects attempts to exploit the vulnerable
passwd.php3 cgi-bin script in the Piranha virtual server
package (RedHat Linux 6.2). Because the script does not
validate input properly, attackers may authenticate to the
Piranha package with the effective ID of the Web server and
execute arbitrary commands.
This signature detects attempts to raise the privileges on an
account for the Silent Storm PHP Portal.
This signature detects a maliciously crafted HTTP POST
request. Attackers may use a directory traversal attack within
the Content-Disposition field of a POST request to force
PHP to execute arbitrary code.
This signature detects attempts to exploit a vulnerability in
the calender.php script that is included with the VBulletin
package. Attackers may run the vbull.c exploit to execute
arbitrary commands with Web Server user permissions.
Any user on the bulletin board can compromise any other
user's account by exploiting a vulnerability in board.php.
Board.php does not perform proper input validation, and
therefore is subject to executing user-supplied SQL
statements. This is known to affect Woltlab Burning Board
2.0 RC 1 and earlier versions.
This signature detects attempts to exploit a vulnerability in
Packages.php in YabbSE. YabbSE 1.5.0 and earlier are
vulnerable. Attackers may include remote malicious code
in Packages.php to include remote malicious code to execute
arbitrary commands with Web server privileges.
This signature detects attempts to exploit a vulnerability in
YabbSE, a PHP/MySQL port of the forum software YaBB
(yet another bulletin board). YabbSE versions 1.5.2 and earlier
are vulnerable. Attackers may include PHP code in a
maliciously crafted URL request; when YabbSE receives the
request it runs the PHP code, enabling the attacker to
execute arbitrary commands on the server.
This signature detects attacks against the PHP-based
zenTrack CRM system. A vulnerability exists in the
header.php that holds zenTrack configuration settings. It
allows remote command execution as the webserver process
privilege. This applies to zenTrack 2.4.1 and below.
Appendix E: Log Entries
high sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
low sos5.1.0
high sos5.0.0,
sos5.1.0
medium sos5.0.0,
sos5.1.0
medium sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
medium sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
893