Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web-based applications on servers.

Alert Message

SERVER-WEBAPP Multiple products XML external entity parsing information disclosure attempt

Rule Explanation

This rule looks for XML files present in the HTTP client body that contain references to an external entity.

What To Look For

This rule fires on potential attempts to exploit XML external entity vulnerabilities.

Known Usage

No public information

False Positives

Known false positives, with the described conditions

This rule will fire on all HTTP requests with an HTTP client body containing XML files that reference an external entity.
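The sketch below is an added example, not the Snort rule's own detection content. It approximates the match described under Rule Explanation with a regular expression and shows the false-positive condition above, where a legitimate body that references an external entity is flagged unless its URI is one you expect. The function names, the allowlist and the sample bodies are constructed assumptions for illustration.

```python
import re

# A quoted literal: "..." or '...'
LIT = rb"""(?:"[^"]*"|'[^']*')"""

# Approximation (assumption, not the rule's pattern) of an entity declaration
# that carries an external identifier:
#   <!ENTITY name SYSTEM "uri">   or   <!ENTITY % name PUBLIC "pubid" "uri">
# Limitation: matches ASCII-compatible encodings only (not UTF-16 bodies).
EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?(?P<name>[^\s>]+)\s+(?:SYSTEM|PUBLIC\s+"
    + LIT + rb")\s+(?P<uri>" + LIT + rb")"
)


def find_external_entities(body: bytes):
    """Return (entity_name, uri) for every external entity declared in body."""
    return [
        (m.group("name").decode("ascii", "replace"),
         m.group("uri")[1:-1].decode("ascii", "replace"))  # strip the quotes
        for m in EXTERNAL_ENTITY.finditer(body)
    ]


def triage(body: bytes, allowed_prefixes=()):
    """Classify an HTTP client body as 'clean', 'expected' or 'review'.

    allowed_prefixes is a hypothetical allowlist of URI prefixes that the
    protected application is known to receive in legitimate documents.
    """
    entities = find_external_entities(body)
    if not entities:
        return "clean", entities
    if all(uri.startswith(tuple(allowed_prefixes)) for _, uri in entities):
        return "expected", entities
    return "review", entities


# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "internal_only": b'<?xml version="1.0"?><!DOCTYPE n [<!ENTITY co "Example Corp">]><n>&co;</n>',
    "partner_feed": b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY terms SYSTEM '
                    b'"https://partner.example.com/terms.xml">]><order>&terms;</order>',
    "unexpected": b"<?xml version='1.0'?><!DOCTYPE r [<!ENTITY % ext PUBLIC "
                  b"'-//EXAMPLE//X' 'http://unknown.example.net/x.dtd'>]><r/>",
}
ALLOW = ("https://partner.example.com/",)

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, triage(body, ALLOW))
```

With an empty allowlist every body that declares an external entity lands in `review`, which mirrors the rule firing on all such requests.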

Contributors

Cisco Talos Intelligence Group

Rule Groups

Rule Categories::Server::Web Applications

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

MITRE::ATT&CK Framework::Enterprise::Reconnaissance::Gather Victim Host Information

CVE

Rule Vulnerability

Information Leak

Information Leakage happens when an attacker manipulates a system into revealing sensitive information, either through malformed input or by taking advantage of another feature of the system.

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2010-2076
CVE-2012-3363
CVE-2013-4152
CVE-2013-5014
CVE-2013-6447
CVE-2015-1818
CVE-2015-6662
CVE-2017-5644
CVE-2010-1632
CVE-2019-9670
CVE-2024-55875