alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin Account Creation"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade.php"; nocase; fast_pattern; http.header; content:"Origin|3a|"; http.request_body; content:"&customerid="; nocase; content:"&htmlsubmit="; content:"username"; nocase; content:"confirmpassword"; nocase; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017575; rev:4; metadata:created_at 2013_10_10, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_21;)