Rule History

alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-49103) M1"; flow:established,to_client; flowbits:isset,ET.CVE-2023-49103.request; http.stat_code; content:"200"; http.response_body; content:"phpinfo|28 29|"; fast_pattern; reference:url,www.labs.greynoise.io//grimoire/2023-11-29-owncloud-redux/; reference:url,owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/; reference:cve,2023-49103; reference:url,www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/; classtype:successful-recon-limited; sid:2049615; rev:3; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49103, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)