""ET WEB_SPECIFIC_APPS Chamilo CMS wsConvertPpt Command Injection Attempt (CVE-2023-34960)""

SID: 2047056

Revision: 1

Class Type: attempted-admin

Metadata: affected_product Web_Server_Applications, attack_target Web_Server, created_at 2023_08_03, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_08_03, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services

Reference:

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: "/chamilo/main/webservices/additional_webservices.php"

  • Value: "|3c|value xsi|3a|type|3d 22|xsd|3a|string|22 3e 60|"

  • Value: "|60 2e|ppt"

Within:

PCRE:

Special Options:

  • http_method

  • http_uri

  • fast_pattern

  • http_client_body

  • http_client_body

source