Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP PHP .phar cross site scripting attempt

Rule Explanation

This event is generated when a cross site scripting attempt against PHP .phar pages is detected Impact: Attempted User Privilege Gain Details: PHP is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Ease of Attack: Simple, A proof of concept exploit exists.

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

CVE Additional Information

CVE-2018-10547
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
Details
Severity Base Score6.1
Impact Score2.7 Exploit Score2.8
Confidentiality ImpactLOW Integrity ImpactLOW
Availability ImpactNONE Access Vector
Authentication Ease of Access
CVE-2018-5712
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
Details
Severity Base Score6.1
Impact Score2.7 Exploit Score2.8
Confidentiality ImpactLOW Integrity ImpactLOW
Availability ImpactNONE Access Vector
Authentication Ease of Access